diff --git a/components/konflux-ui/staging/base/external-secret.yaml b/components/konflux-ui/staging/base/external-secret.yaml
new file mode 100644
index 00000000000..cb6c2366c74
--- /dev/null
+++ b/components/konflux-ui/staging/base/external-secret.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: watson-config
+ namespace: konflux-ui
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "-1"
+spec:
+ data:
+ - secretKey: API_KEY
+ remoteRef:
+ key: staging/ui/Whatson
+ property: API_KEY
+ - secretKey: PUBLIC_ASSISTANT_ID
+ remoteRef:
+ key: staging/ui/Whatson
+ property: ASSISTANT_ID
+ - secretKey: PUBLIC_ENVIRONMENT_ID
+ remoteRef:
+ key: staging/ui/Whatson
+ property: ENVIRONMENT_ID
+ - secretKey: PUBLIC_VERSION
+ remoteRef:
+ key: staging/ui/Whatson
+ property: VERSION
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Delete
+ name: watson-config
+ template:
+ metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
diff --git a/components/konflux-ui/staging/base/kustomization.yaml b/components/konflux-ui/staging/base/kustomization.yaml
index aca4d3d3888..36dac392a12 100644
--- a/components/konflux-ui/staging/base/kustomization.yaml
+++ b/components/konflux-ui/staging/base/kustomization.yaml
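Review bot: The `PUBLIC_` prefix on `PUBLIC_ASSISTANT_ID`, `PUBLIC_ENVIRONMENT_ID` and `PUBLIC_VERSION` in external-secret.yaml is a publish-to-clients contract that the manifest never states. The render-runtime-config init container added in proxy.yaml loads the whole `watson-config` Secret with `envFrom` and writes every variable matching `^PUBLIC_` into runtime-config.js on the static-content volume, which is presumably served to browsers, so a credential later added under that prefix would be exposed. I would add a comment above `data:`, `# keys prefixed PUBLIC_ are copied into runtime-config.js and served to clients; never use that prefix for a credential`. Giving `API_KEY` its own ExternalSecret target would also keep the key out of that container's environment, which only reads the three public values.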
@@ -1,14 +1,15 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - dex - - proxy - - route-and-oauth.yaml - - ../../base +- dex +- proxy +- route-and-oauth.yaml +- external-secret.yaml +- ../../base images: - - name: quay.io/konflux-ci/workspace-manager - digest: sha256:48df30520a766101473e80e7a4abbf59ce06097a5f5919e15075afaa86bd1a2d +- name: quay.io/konflux-ci/workspace-manager + digest: sha256:48df30520a766101473e80e7a4abbf59ce06097a5f5919e15075afaa86bd1a2d - name: quay.io/konflux-ci/konflux-ui newTag: a06fae3dc26e9712872e2ac2ebf3d7e74cddc6b0 diff --git a/components/konflux-ui/staging/base/proxy/kustomization.yaml b/components/konflux-ui/staging/base/proxy/kustomization.yaml index 417b9d5df86..121b3f5b08d 100644 --- a/components/konflux-ui/staging/base/proxy/kustomization.yaml +++ b/components/konflux-ui/staging/base/proxy/kustomization.yaml @@ -10,11 +10,13 @@ configMapGenerator: - name: proxy-nginx-templates files: - auth.conf + - watson-auth.conf - name: proxy-nginx-static files: - tekton-results.conf - kubearchive.conf - kite.conf + - watson.conf - name: otel-collector-config files: - otel-collector-config.yaml diff --git a/components/konflux-ui/staging/base/proxy/proxy.yaml b/components/konflux-ui/staging/base/proxy/proxy.yaml index d5afc590757..d7d167feb98 100644 --- a/components/konflux-ui/staging/base/proxy/proxy.yaml +++ b/components/konflux-ui/staging/base/proxy/proxy.yaml 
@@ -52,8 +52,59 @@ spec: requests: cpu: 10m memory: 64Mi + - name: render-runtime-config + image: registry.access.redhat.com/ubi9/ubi@sha256:66233eebd72bb5baa25190d4f55e1dc3fff3a9b77186c1f91a0abdb274452072 + envFrom: + - secretRef: + name: watson-config + command: + - sh + - -c + - | + set -e + + # Generate runtime-config.js with PUBLIC_ variables + out=/mnt/static-content/runtime-config.js + printf "window.KONFLUX_RUNTIME = window.KONFLUX_RUNTIME || {};\n" > "$out" + env | grep -E '^PUBLIC_' | while IFS='=' read -r name value; do + esc=$(printf '%s' "$value" | sed -e 's/\\\\/\\\\\\\\/g' -e 's/\"/\\\"/g') + printf 'window.KONFLUX_RUNTIME.%s = "%s";\n' "$name" "$esc" >> "$out" + done + + # Apply cluster-specific variables from ConfigMap files to runtime-config.js, if present + if [ -d /mnt/ui-runtime-env-variables ]; then + for f in /mnt/ui-runtime-env-variables/*; do + [ -f "$f" ] || continue + name=$(basename "$f") + value=$(cat "$f") + esc=$(printf '%s' "$value" | sed -e 's/\\\\/\\\\\\\\/g' -e 's/\"/\\\"/g') + printf 'if (window.KONFLUX_RUNTIME["%s"] === undefined) { window.KONFLUX_RUNTIME["%s"] = "%s"; }\n' "$name" "$name" "$esc" >> "$out" + done + fi + volumeMounts: + - name: static-content + mountPath: /mnt/static-content + - name: ui-runtime-env-variables + mountPath: /mnt/ui-runtime-env-variables + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + resources: + limits: + cpu: 50m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi - name: generate-nginx-configs image: registry.access.redhat.com/ubi9/ubi@sha256:66233eebd72bb5baa25190d4f55e1dc3fff3a9b77186c1f91a0abdb274452072 + env: + - name: WATSON_API_KEY + valueFrom: + secretKeyRef: + name: watson-config + key: API_KEY command: - sh - -c 
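Review bot: The escaping in both `sed` calls of render-runtime-config does not cover a single backslash: as written inside the literal `|` block and single quotes, `s/\\\\/\\\\\\\\/g` reaches sed as a pattern for two consecutive backslashes, so a value that contains `\"` or ends in `\` is emitted with an unbalanced escape and closes the JavaScript string early. Escaping one backslash at a time fixes that, `sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'`. Newlines are still not handled, and `read` consumes the `env` output line by line, so a multi-line value should be rejected or encoded before it is written. The values come from Vault and an optional ConfigMap, so this is hardening against a malformed or tampered value reaching a script that every client loads.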
@@ -66,6 +117,12 @@ spec: chmod 640 /mnt/nginx-generated-config/auth.conf + # Generate watson-auth.conf with Basic auth from Watson API key + watson_basic=$(printf "apikey:%s" "$WATSON_API_KEY" | base64 | tr -d '\n') + sed "s/__WATSON_BASIC_AUTH__/$watson_basic/g" /mnt/nginx-templates/watson-auth.conf > /mnt/nginx-generated-config/watson-auth.conf + + chmod 640 /mnt/nginx-generated-config/watson-auth.conf + volumeMounts: - name: nginx-generated-config mountPath: /mnt/nginx-generated-config @@ -252,6 +309,10 @@ spec: secretName: proxy - name: static-content emptyDir: {} + - name: ui-runtime-env-variables + configMap: + name: ui-runtime-env-variables + optional: true - configMap: defaultMode: 420 name: otel-collector-config diff --git a/components/konflux-ui/staging/base/proxy/watson-auth.conf b/components/konflux-ui/staging/base/proxy/watson-auth.conf new file mode 100644 index 00000000000..a53995173cf --- /dev/null +++ b/components/konflux-ui/staging/base/proxy/watson-auth.conf @@ -0,0 +1,3 @@ +proxy_set_header Authorization "Basic __WATSON_BASIC_AUTH__"; + + diff --git a/components/konflux-ui/staging/base/proxy/watson.conf b/components/konflux-ui/staging/base/proxy/watson.conf new file mode 100644 index 00000000000..71bfd9e79c1 --- /dev/null +++ b/components/konflux-ui/staging/base/proxy/watson.conf @@ -0,0 +1,11 @@ +location /api/chatbot/ { + auth_request /oauth2/auth; + rewrite /api/chatbot/(.+) /$1 break; + proxy_read_timeout 30m; + proxy_pass https://api.us-east.assistant.watson.cloud.ibm.com; + proxy_set_header Host api.us-east.assistant.watson.cloud.ibm.com; + proxy_ssl_server_name on; + include /mnt/nginx-generated-config/watson-auth.conf; +} + + diff --git a/components/konflux-ui/staging/stone-stage-p01/kustomization.yaml b/components/konflux-ui/staging/stone-stage-p01/kustomization.yaml index 35f863d9019..0a57e742ea9 100644 --- a/components/konflux-ui/staging/stone-stage-p01/kustomization.yaml 
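Review bot: The added `sed "s/__WATSON_BASIC_AUTH__/$watson_basic/g"` line fails whenever the base64 text contains `/`, which is part of the standard base64 alphabet and also the delimiter of this `s` command. Depending on whether the script runs under `set -e` (its top is outside the hunk), the init container then either exits or leaves an empty watson-auth.conf. A delimiter that base64 never emits avoids this: `sed "s|__WATSON_BASIC_AUTH__|$watson_basic|g"`. An empty `WATSON_API_KEY` is also accepted silently, so a guard such as `[ -n "$WATSON_API_KEY" ] || exit 1` before the `printf` would fail fast instead of writing a header built from `apikey:` alone.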
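Review bot: The `/api/chatbot/` location in watson.conf sends the Watson credential upstream without verifying the peer certificate, because nginx leaves `proxy_ssl_verify` off by default and the block only sets `proxy_ssl_server_name on;` (unless verification is enabled in an enclosing context that is not part of this diff). I would add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path to CA bundle>;` next to `proxy_ssl_server_name`. The block also forwards the browser's request headers to the third-party host, including the session cookie that `auth_request /oauth2/auth` relies on, so `proxy_set_header Cookie "";` belongs here as well. The `(.+)` rewrite exposes every Watson API path to any authenticated user under the shared key; restricting the pattern to the endpoints the UI calls would narrow that.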
+++ b/components/konflux-ui/staging/stone-stage-p01/kustomization.yaml @@ -13,6 +13,9 @@ configMapGenerator: files: - kite.conf behavior: merge + - name: ui-runtime-env-variables + literals: + - DISABLE_WATSON_CHATBOT=true patches: - path: add-service-certs-patch.yaml
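Review bot: `DISABLE_WATSON_CHATBOT=true` only reaches runtime-config.js, so it hides the chatbot in the UI but, as far as this diff shows, leaves the `/api/chatbot/` proxy location and the `watson-config` ExternalSecret from staging/base active on stone-stage-p01. If the intent is to switch the integration off for this cluster, the overlay should also drop watson.conf from `proxy-nginx-static`, or the base should make the location opt-in. Otherwise a comment on the literal, `# UI-only switch; the /api/chatbot/ proxy and its API key stay enabled`, would record the limitation.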