diff --git a/app/controllers/link_checker_api_controller.rb b/app/controllers/link_checker_api_controller.rb
index 18f28cd21..c7c8d43b1 100644
--- a/app/controllers/link_checker_api_controller.rb
+++ b/app/controllers/link_checker_api_controller.rb
@@ -46,6 +46,6 @@ def verify_signature
   end
 
   def webhook_secret_token
-    Rails.application.secrets.link_checker_api_secret_token
+    Rails.application.credentials.link_checker_api_secret_token
   end
 end
diff --git a/app/services/link_check_report_creator.rb b/app/services/link_check_report_creator.rb
index 7201aacd0..3d5b7b2dc 100644
--- a/app/services/link_check_report_creator.rb
+++ b/app/services/link_check_report_creator.rb
@@ -48,7 +48,7 @@ def call_link_checker_api
     GdsApi.link_checker_api.create_batch(
       uris,
       webhook_uri: callback_url,
-      webhook_secret_token: Rails.application.secrets.link_checker_api_secret_token,
+      webhook_secret_token: Rails.application.credentials.link_checker_api_secret_token,
     )
   end
 
diff --git a/config/application.rb b/config/application.rb
index b4cf073bc..0874b680e 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -63,7 +63,7 @@ class Application < Rails::Application
     config.asset_host = ENV.fetch("ASSET_HOST", nil)
 
     config.action_mailer.notify_settings = {
-      api_key: Rails.application.secrets.notify_api_key || "fake-test-api-key",
+      api_key: Rails.application.credentials.notify_api_key || "fake-test-api-key",
     }
 
     config.generators do |g|
diff --git a/config/initializers/secrets_to_credentials.rb b/config/initializers/secrets_to_credentials.rb
new file mode 100644
index 000000000..562a393a9
--- /dev/null
+++ b/config/initializers/secrets_to_credentials.rb
@@ -0,0 +1,7 @@
+# Rails 7 has begun to deprecate Rails.application.secrets in favour
+# of Rails.application.credentials, but that adds the burden of master key
+# administration without giving us any benefit (because our production
+# secrets are handled as env vars, not committed to our repo. Here we
+# load the config/secrets.YML values into Rails.application.credentials,
+# retaining the existing behaviour while dropping deprecated references.
+Rails.application.credentials.merge!(Rails.application.config_for(:secrets))
diff --git a/test/functional/link_check_reports_controller_test.rb b/test/functional/link_check_reports_controller_test.rb
index 8310e9bb5..a175010ef 100644
--- a/test/functional/link_check_reports_controller_test.rb
+++ b/test/functional/link_check_reports_controller_test.rb
@@ -16,7 +16,7 @@ class LinkCheckReportsControllerTest < ActionController::TestCase
         uris: ["https://www.gov.uk"],
         id: 1234,
         webhook_uri: link_checker_api_callback_url(host: Plek.find("publisher")),
-        webhook_secret_token: Rails.application.secrets.link_checker_api_secret_token,
+        webhook_secret_token: Rails.application.credentials.link_checker_api_secret_token,
       )
     end
 
diff --git a/test/functional/link_checker_api_controller_test.rb b/test/functional/link_checker_api_controller_test.rb
index c968ec7fb..0d8395cbf 100644
--- a/test/functional/link_checker_api_controller_test.rb
+++ b/test/functional/link_checker_api_controller_test.rb
@@ -48,7 +48,7 @@ def campaign_edition_link_check_report
   def set_headers(post_body)
     headers = {
       "Content-Type": "application/json",
-      "X-LinkCheckerApi-Signature": generate_signature(post_body.to_json, Rails.application.secrets.link_checker_api_secret_token),
+      "X-LinkCheckerApi-Signature": generate_signature(post_body.to_json, Rails.application.credentials.link_checker_api_secret_token),
     }
 
     request.headers.merge! headers
diff --git a/test/integration/edition_link_check_test.rb b/test/integration/edition_link_check_test.rb
index 825bd11bf..84496365c 100644
--- a/test/integration/edition_link_check_test.rb
+++ b/test/integration/edition_link_check_test.rb
@@ -13,7 +13,7 @@ class EditionLinkCheckTest < LegacyJavascriptIntegrationTest
       uris: ["https://www.gov.uk"],
       id: 1234,
       webhook_uri: link_checker_api_callback_url(host: Plek.find("publisher")),
-      webhook_secret_token: Rails.application.secrets.link_checker_api_secret_token,
+      webhook_secret_token: Rails.application.credentials.link_checker_api_secret_token,
     )
 
     @place = FactoryBot.create(:place_edition, introduction: "This is [link](https://www.gov.uk) text.")
diff --git a/test/unit/services/link_check_report_creator_test.rb b/test/unit/services/link_check_report_creator_test.rb
index 474f28488..c175f7214 100644
--- a/test/unit/services/link_check_report_creator_test.rb
+++ b/test/unit/services/link_check_report_creator_test.rb
@@ -14,7 +14,7 @@ def create_edition(govspeak)
       uris: ["https://www.gov.uk"],
       id: 1234,
       webhook_uri: link_checker_api_callback_url(host: Plek.find("publisher")),
-      webhook_secret_token: Rails.application.secrets.link_checker_api_secret_token,
+      webhook_secret_token: Rails.application.credentials.link_checker_api_secret_token,
     )
   end