diff --git a/nixos/modules/services/networking/frp.nix b/nixos/modules/services/networking/frp.nix
index d592e89b7201..2655f765a60e 100644
--- a/nixos/modules/services/networking/frp.nix
+++ b/nixos/modules/services/networking/frp.nix
@@ -43,6 +43,17 @@ in
 '';
 };
+ environmentFiles = lib.mkOption {
+ type = lib.types.listOf lib.types.path;
+ description = ''
+ List of paths files that follows systemd environmentfile structure.
+ Can be used to pass secrets to settings attribute.
+
+ Example content of a file: SECRET_TOKEN=1234
+ '';
+ default = [ ];
+ };
+
 settings = lib.mkOption {
 type = settingsFormat.type;
 default = { };
@@ -91,6 +102,7 @@ in
 RestartSec = 15;
 ExecStart = "${cfg.package}/bin/${executableFile} --strict_config -c ${configFile}";
 DynamicUser = true;
+ EnvironmentFile = options.environmentFiles;
 # Hardening
 CapabilityBoundingSet = serviceCapability;
 AmbientCapabilities = serviceCapability;
diff --git a/nixos/tests/frp.nix b/nixos/tests/frp.nix
index 11a1ce9a78b2..48c4e2bc842c 100644
--- a/nixos/tests/frp.nix
+++ b/nixos/tests/frp.nix
@@ -1,4 +1,15 @@
 { pkgs, lib, ... }:
+let
+ token = "1234";
+ dummyFile = pkgs.writeTextFile {
+ name = "secrets";
+ text = "dummy=value";
+ };
+ secretFile = pkgs.writeTextFile {
+ name = "secrets";
+ text = "token=${token}";
+ };
+in
 {
 name = "frp";
 meta.maintainers = with lib.maintainers; [ zaldnoay ];
@@ -15,12 +26,18 @@
 networkConfig.Address = "10.0.0.1/24";
 };
- services.frp = {
+ services.frp.instances.server = {
 enable = true;
 role = "server";
+ environmentFiles = [
+ (builtins.toPath dummyFile)
+ (builtins.toPath secretFile)
+ ];
 settings = {
 bindPort = 7000;
 vhostHTTPPort = 80;
+ auth.method = "token";
+ auth.token = "{{ .Envs.token }}";
 };
 };
 };
@@ -53,12 +70,14 @@
 enablePHP = true;
 };
- services.frp = {
+ services.frp.instances.client = {
 enable = true;
 role = "client";
 settings = {
 serverAddr = "10.0.0.1";
 serverPort = 7000;
+ auth.method = "token";
+ auth.token = token;
 proxies = [
 {
 name = "web";
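Review bot: The `environmentFiles` description added in the first hunk of frp.nix is garbled (`List of paths files that follows systemd environmentfile structure`) and does not say how the variables reach the config; suggest `List of files in systemd EnvironmentFile= format. Their variables can be referenced from `settings` with frp's own `{{ .Envs.NAME }}` template syntax, which keeps secrets out of the generated config file.` The description should also warn that, because the type is `lib.types.path`, a Nix path literal such as `./secrets.env` is copied into the world-readable Nix store; a file that must stay private has to be passed as a string path to a location outside the store. The test in this commit builds its secret files with `pkgs.writeTextFile`, which is fine for a test but is exactly the in-store pattern users should avoid for real tokens.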
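Review bot: The new line `EnvironmentFile = options.environmentFiles;` in the second hunk of frp.nix most likely references the option declaration rather than its configured value, since the ExecStart line next to it reads the instance configuration through `cfg` (`${cfg.package}`); unless this module binds `options` to the instance's config values, the serviceConfig would receive an option attrset instead of the list of paths. The consistent form is `EnvironmentFile = cfg.environmentFiles;`. If `options` is deliberately something other than the module-argument option set here, a short comment on this line saying so would spare the next reader the same double take. The enclosing serviceConfig block starts and ends outside the hunk.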
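Review bot: In the `@@ -15,12 +26,18 @@` hunk of tests/frp.nix, the added `environmentFiles` entries wrap the derivations in `builtins.toPath`, which the Nix manual marks as deprecated and which is unnecessary here: `lib.types.path` accepts a derivation or its store-path string directly, so `environmentFiles = [ dummyFile secretFile ];` is enough. The token round-trip is exercised end to end (the server side reads `{{ .Envs.token }}` from the environment file while the client passes the literal `token`), so a broken `EnvironmentFile` wiring in the module would surface as the client failing to connect; it may be worth a one-line comment above the `environmentFiles` list saying that `dummyFile` is there only to check that several files are accepted.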
@@ -74,9 +93,9 @@ testScript = ''
 start_all()
- frps.wait_for_unit("frp.service")
+ frps.wait_for_unit("frp-server.service")
 frps.wait_for_open_port(80)
- frpc.wait_for_unit("frp.service")
+ frpc.wait_for_unit("frp-client.service")
 response = frpc.succeed("curl -fvvv -s http://127.0.0.1/")
 assert "PHP Version ${pkgs.php84.version}" in response, "PHP version not detected"
 response = frpc.succeed("curl -fvvv -s http://10.0.0.1/")