diff --git a/backend/internal/bootstrap/bootstrap.go b/backend/internal/bootstrap/bootstrap.go
index 8acb7e32..2a4ab92a 100644
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -36,6 +36,7 @@ func migrateSchemas(db *gorm.DB) error {
 		&domain.User{},
 		&domain.ApiKey{},
 		&domain.IdentityProviderConfig{},
+		&domain.ClientSecret{},
 		&domain.RelyingParty{},
 		// &domain.UserConsent{},  // TODO: Uncomment when model is ready
 	)
diff --git a/backend/internal/domain/client_secret.go b/backend/internal/domain/client_secret.go
new file mode 100644
index 00000000..704ac1a0
--- /dev/null
+++ b/backend/internal/domain/client_secret.go
@@ -0,0 +1,21 @@
+package domain
+
+import (
+	"context"
+	"time"
+)
+
+// ClientSecret represents the stored client secret for OIDC clients.
+// Since Hydra only returns the secret once during creation, we store it here.
+type ClientSecret struct {
+	ClientID     string    `gorm:"primaryKey;column:client_id"`
+	ClientSecret string    `gorm:"column:client_secret;not null"`
+	CreatedAt    time.Time `gorm:"column:created_at"`
+	UpdatedAt    time.Time `gorm:"column:updated_at"`
+}
+
+type ClientSecretRepository interface {
+	Upsert(ctx context.Context, clientID, secret string) error
+	GetByID(ctx context.Context, clientID string) (string, error)
+	Delete(ctx context.Context, clientID string) error
+}
diff --git a/compose.infra.yaml b/compose.infra.yaml
index 368b8911..259bd68f 100644
--- a/compose.infra.yaml
+++ b/compose.infra.yaml
@@ -66,6 +66,15 @@ services:
             retries: 3
             start_period: 10s
 
+    adminer:
+        image: adminer
+        container_name: baron_adminer
+        restart: always
+        ports:
+            - "8080:8080"
+        networks:
+            - baron_net
+
 volumes:
     postgres_data:
     clickhouse_data: