diff --git a/terraform/locals.tf b/terraform/locals.tf
index 8584f45d..6b01ffc1 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -1,7 +1,7 @@
 locals {
 namespace = "redirectioneaza-${var.env}"
 image_repo = data.aws_ecr_repository.this.repository_url
- image_tag = "2.1.21"
+ image_tag = "2.2.0"
 availability_zone = data.aws_availability_zones.current.names[0]
diff --git a/terraform/main.tf b/terraform/main.tf
index 2c193028..5d79807e 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -226,6 +226,34 @@ module "ecs_redirectioneaza" {
 name = "CAPTCHA_PRIVATE_KEY"
 valueFrom = "${aws_secretsmanager_secret.recaptcha.arn}:private_key::"
 },
+ {
+ name = "AWS_COGNITO_REGION"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_cognito.arn}:region::"
+ },
+ {
+ name = "AWS_COGNITO_DOMAIN"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_cognito.arn}:domain::"
+ },
+ {
+ name = "AWS_COGNITO_USER_POOL_ID"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_cognito.arn}:user_pool_id::"
+ },
+ {
+ name = "AWS_COGNITO_CLIENT_ID"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_cognito.arn}:client_id::"
+ },
+ {
+ name = "AWS_COGNITO_CLIENT_SECRET"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_cognito.arn}:client_secret::"
+ },
+ {
+ name = "NGOHUB_API_ACCOUNT"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_api.arn}:account::"
+ },
+ {
+ name = "NGOHUB_API_KEY"
+ valueFrom = "${aws_secretsmanager_secret.ngohub_api.arn}:key::"
+ },
 ]
 allowed_secrets = [
@@ -234,6 +262,8 @@ module "ecs_redirectioneaza" {
 aws_secretsmanager_secret.seed_admin.arn,
 aws_secretsmanager_secret.sentry_dsn.arn,
 aws_secretsmanager_secret.recaptcha.arn,
+ aws_secretsmanager_secret.ngohub_cognito.arn,
+ aws_secretsmanager_secret.ngohub_api.arn,
 aws_secretsmanager_secret.rds.arn,
 ]
 }
@@ -333,3 +363,30 @@ resource "aws_secretsmanager_secret_version" "recaptcha" {
 private_key = var.recaptcha_private_key
 })
 }
+
+resource "aws_secretsmanager_secret" "ngohub_cognito" {
+ name = "${local.namespace}-ngohub_cognito-${random_string.secrets_suffix.result}"
+}
+
+resource "aws_secretsmanager_secret_version" "ngohub_cognito" {
+ secret_id = aws_secretsmanager_secret.ngohub_cognito.id
+ secret_string = jsonencode({
+ region = var.aws_cognito_region
+ domain = var.aws_cognito_domain
+ user_pool_id = var.aws_cognito_user_pool_id
+ client_id = var.aws_cognito_client_id
+ client_secret = var.aws_cognito_client_secret
+ })
+}
+
+resource "aws_secretsmanager_secret" "ngohub_api" {
+ name = "${local.namespace}-ngohub_api_credentials-${random_string.secrets_suffix.result}"
+}
+
+resource "aws_secretsmanager_secret_version" "ngohub_api" {
+ secret_id = aws_secretsmanager_secret.ngohub_api.id
+ secret_string = jsonencode({
+ account = var.ngohub_api_account
+ key = var.ngohub_api_key
+ })
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index effdd351..24b41c89 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -78,6 +78,47 @@ variable "recaptcha_public_key" {
 }
 variable "recaptcha_private_key" {
+ type = string
+ sensitive = true
+ default = null
+}
+
+# Cognito authentication
+variable "aws_cognito_region" {
+ type = string
+ default = null
+}
+
+variable "aws_cognito_domain" {
 type = string
 default = null
 }
+
+variable "aws_cognito_user_pool_id" {
+ type = string
+ default = null
+}
+
+variable "aws_cognito_client_id" {
+ type = string
+ default = null
+}
+
+variable "aws_cognito_client_secret" {
+ type = string
+ sensitive = true
+ default = null
+}
+
+# NGO Hub API
+variable "ngohub_api_account" {
+ type = string
+ default = null
+}
+
+variable "ngohub_api_key" {
+ type = string
+ sensitive = true
+ default = null
+}
+
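Review bot: The two new `aws_secretsmanager_secret_version` resources in main.tf build `secret_string` from input variables, so `client_secret` and `key` are written to the Terraform state in plaintext; `sensitive = true` on the variables only redacts plan and apply output. This follows the existing recaptcha pattern, but the state backend is not visible in this diff, so a comment on the resources would help, e.g. `# NOTE: these values are persisted in tfstate; the backend must be encrypted and access-restricted`. Neither new `aws_secretsmanager_secret` sets `kms_key_id`, so they presumably fall back to the account's default Secrets Manager key; confirm that is intended for the Cognito client secret and the NGO Hub API key.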
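Review bot: Every variable added in variables.tf carries `default = null`, so an apply with a value missing still succeeds and `jsonencode` stores a JSON `null` under that key. The misconfiguration would then likely surface only when the ECS task resolves the matching `valueFrom` entry added in main.tf (for example `...:client_secret::`), or later inside the application. If these values are required in every environment, drop the default on them or add a `validation` block such as `condition = var.ngohub_api_key != null`. If they are optional on purpose, a `description` on each variable saying so would record that. The same applies to the `recaptcha_private_key` block this hunk rewrites.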