diff --git a/flake.lock b/flake.lock index 791e900..51d5942 100644 --- a/flake.lock +++ b/flake.lock @@ -49,11 +49,11 @@ ] }, "locked": { - "lastModified": 1770422522, - "narHash": "sha256-WmIFnquu4u58v8S2bOVWmknRwHn4x88CRfBFTzJ1inQ=", + "lastModified": 1770590420, + "narHash": "sha256-Gih+2ufQXcZQzrlSrgZWcG7u9TjQT7z/6qybnX5yJn8=", "ref": "refs/heads/master", - "rev": "cf0ce858997af4d8dcc2ce10393ff393e17fc911", - "revCount": 11, + "rev": "acfb142788dc994cf64931f55063393d807c6ebf", + "revCount": 14, "type": "git", "url": "https://git.t-juice.club/torjus/nixos-exporter" }, diff --git a/flake.nix b/flake.nix index 6e7936a..861f002 100644 --- a/flake.nix +++ b/flake.nix @@ -217,6 +217,7 @@ pkgs.opentofu pkgs.openbao pkgs.kanidm_1_8 + pkgs.nkeys (pkgs.callPackage ./scripts/create-host { }) homelab-deploy.packages.${pkgs.system}.default ]; diff --git a/services/nats/default.nix b/services/nats/default.nix index fdb7ce3..bb0a94f 100644 --- a/services/nats/default.nix +++ b/services/nats/default.nix @@ -35,9 +35,18 @@ HOMELAB = { jetstream = "enabled"; users = [ + # alerttonotify (full access to HOMELAB account) { nkey = "UASLNKLWGICRTZMIXVD3RXLQ57XRIMCKBHP5V3PYFFRNO3E3BIJBCYMZ"; } + # nixos-exporter (restricted to nixos-exporter subjects) + { + nkey = "UBCL3ODHVERVZJNGUJ567YBBKHQZOV3LK3WO6TVVSGQOCTK2NQ3IJVRV"; # Replace with public key from: nix develop -c nk -gen user -pubout + permissions = { + publish = [ "nixos-exporter.>" ]; + subscribe = [ "nixos-exporter.>" ]; + }; + } ]; }; diff --git a/system/monitoring/metrics.nix b/system/monitoring/metrics.nix index 3a1ec44..81b324e 100644 --- a/system/monitoring/metrics.nix +++ b/system/monitoring/metrics.nix 
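Review bot: The inline comment on the new nixos-exporter `nkey` line in services/nats/default.nix, `# Replace with public key from: nix develop -c nk -gen user -pubout`, reads as a leftover generation instruction sitting next to a value that has already been filled in, so a reader cannot tell whether `UBCL3…` is the real public key or a sample still waiting to be replaced; if it is the real key, swap the comment for something like `# nixos-exporter public NKey; matching seed is stored in Vault at shared/nixos-exporter/nkey`, and if it is not, the account is granting permissions to a key nobody holds. The `permissions` block pins this user to `nixos-exporter.>` for both publish and subscribe, which is the right least-privilege shape for a single consumer; if the exporter ever uses request/reply it would additionally need subscribe on `_INBOX.>`, which is not visible from here. The `users` list and the enclosing `HOMELAB` account definition continue outside the hunk.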
@@ -19,15 +19,32 @@ ]; }; + # Fetch NKey from Vault for NATS authentication + vault.secrets.nixos-exporter-nkey = { + secretPath = "shared/nixos-exporter/nkey"; + extractKey = "nkey"; + }; + services.prometheus.exporters.nixos = { enable = true; # Default port: 9971 flake = { enable = true; url = "git+https://git.t-juice.club/torjus/nixos-servers.git"; + nats = { + enable = true; + url = "nats://nats1.home.2rjus.net:4222"; + credentialsFile = "/run/secrets/nixos-exporter-nkey"; + }; }; }; + # Ensure exporter starts after Vault secret is available + systemd.services.prometheus-nixos-exporter = { + after = [ "vault-secret-nixos-exporter-nkey.service" ]; + requires = [ "vault-secret-nixos-exporter-nkey.service" ]; + }; + # Register nixos-exporter as a Prometheus scrape target homelab.monitoring.scrapeTargets = [ { diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf index 2d257c5..f16e585 100644 --- a/terraform/vault/secrets.tf +++ b/terraform/vault/secrets.tf @@ -114,6 +114,12 @@ locals { auto_generate = true password_length = 64 } + + # NKey for nixos-exporter NATS cache sharing + "shared/nixos-exporter/nkey" = { + auto_generate = false + data = { nkey = var.nixos_exporter_nkey } + } } } diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf index f53cb4f..928abd6 100644 --- a/terraform/vault/variables.tf +++ b/terraform/vault/variables.tf @@ -73,3 +73,10 @@ variable "homelab_deploy_admin_deployer_nkey" { sensitive = true } +variable "nixos_exporter_nkey" { + description = "NKey seed for nixos-exporter NATS authentication" + type = string + default = "PLACEHOLDER" + sensitive = true +} +
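Review bot: In system/monitoring/metrics.nix the new `credentialsFile = "/run/secrets/nixos-exporter-nkey"` path is spelled out by hand rather than derived from the `vault.secrets.nixos-exporter-nkey` definition a few lines above, and the unit name in `after`/`requires` (`vault-secret-nixos-exporter-nkey.service`) is likewise assumed; if the vault module exposes the rendered path or the unit name, referencing it would keep the three from drifting apart. Nothing in the hunk sets the owner or mode of the rendered secret, so whether the `prometheus-nixos-exporter` service user can read it depends on the vault module's defaults — worth confirming, since a permission error here only surfaces as a failed NATS connection. The secret extracts the bare `nkey` value, which the Terraform side describes as a seed; confirm the exporter's `credentialsFile` option accepts a raw seed rather than a NATS `.creds` file, and once settled add a one-line comment such as `# file holds the raw NKey seed, not a .creds file` next to it. The `services.prometheus.exporters.nixos` attrset begins before the hunk and the scrape-target list continues after it.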
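Review bot: With `auto_generate = false` in the terraform/vault/secrets.tf hunk and `default = "PLACEHOLDER"` on `nixos_exporter_nkey` in the terraform/vault/variables.tf hunk, a `terraform apply` that forgets to supply the variable succeeds and writes the literal string `PLACEHOLDER` into Vault at `shared/nixos-exporter/nkey`; the mistake only shows up later as an authentication failure on the exporter. Dropping the `default = "PLACEHOLDER"` line makes Terraform refuse to plan without a value, which is the safer failure mode; a `validation` block checking the seed's expected prefix would catch pasted public keys as well. Because the seed flows through `data = { nkey = var.nixos_exporter_nkey }`, it will presumably also be persisted in Terraform state regardless of `sensitive = true`, so the state backend needs the same access control as Vault itself. The `locals` block that consumes it starts before the secrets.tf hunk.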