diff --git a/vault/policies/service-chat.hcl b/vault/policies/service-chat.hcl
new file mode 100644
index 0000000..a021006
--- /dev/null
+++ b/vault/policies/service-chat.hcl
@@ -0,0 +1,15 @@
+# vault/policies/service-chat.hcl
+#
+# Read-only access to shared Chat secrets (OAuth client config, forward auth
+# secret). Attached to the Chat Nomad job via workload identity (S5.2).
+#
+# Scope: kv/disinto/shared/chat — entries owned by the operator and
+# shared between the chat service and edge proxy.
+
+path "kv/data/disinto/shared/chat" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/shared/chat" {
+  capabilities = ["list", "read"]
+}
diff --git a/vault/roles.yaml b/vault/roles.yaml
index d3b1892..1e01be8 100644
--- a/vault/roles.yaml
+++ b/vault/roles.yaml
@@ -70,6 +70,11 @@ roles:
     namespace: default
     job_id:    agents
 
+  - name:      service-chat
+    policy:    service-chat
+    namespace: default
+    job_id:    chat
+
   # ── Per-agent bots (nomad/jobs/bot-<role>.hcl — land in later steps) ───────
   # job_id placeholders match the policy name 1:1 until each bot's jobspec
   # lands. When a bot's jobspec is added under nomad/jobs/, update the