diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
index 17756d6..12d0155 100755
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@@ -1,41 +1,71 @@
-#!/bin/bash
+#!/bin/bash -eu
-if [ "$1" != "get" ]; then
- echo "Usage: $0 get"
- exit 1
-fi
+#echo "Called: $@" >> /tmp/credhelper
-baseDir() {
- # see https://stackoverflow.com/questions/59895
- SOURCE=${BASH_SOURCE[0]}
- while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
- DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
- SOURCE=$(readlink "$SOURCE")
- [[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
- done
- DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
- echo $DIR
-}
+SECRETS_FILE=/var/cache/bridgehead/secrets/gitetcbridgehead
-BASE=$(baseDir)
-cd $BASE
+# Called from bridgehead, so shift 2 times
+shift
+shift
-source lib/functions.sh
-
-assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
+case "$1" in
+ erase)
+ rm -f $SECRETS_FILE
+ CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
+ git -C /etc/bridgehead remote set-url origin $CLEAN_REPO
+ exit 0
+ ;;
+ get)
+ # continue below
+ ;;
+ store)
+ # We could store the credentials in /var/cache/bridgehead, but we already did -- so nothing to do
+ exit 0
+ ;;
+ *)
+ fail_and_report 1 "gitpassword.sh called incorrectly"
+ ;;
+esac
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
-fetchVarsFromVault GIT_PASSWORD
+if [ ! -f ${SECRETS_FILE} ]; then
+ TMPFILE=$(mktemp)
+ docker run --rm \
+ -v $TMPFILE:/usr/local/cache \
+ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+ -e NO_PROXY=localhost,127.0.0.1 \
+ -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
+ -e PROXY_ID=$PROXY_ID \
+ -e BROKER_URL=$BROKER_URL \
+ -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+ -e SECRET_DEFINITIONS=GitLabProjectAccessToken:GIT_CONFIG_REPO_TOKEN:bridgehead-configuration \
+ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+ mv $TMPFILE $SECRETS_FILE
+fi
-if [ -z "${GIT_PASSWORD}" ]; then
- fail_and_report 1 "gitpassword.sh failed: Git password not found."
+source "${SECRETS_FILE}"
+
+if [ -z ${GIT_CONFIG_REPO_TOKEN} ]; then
+ rm "${SECRETS_FILE}"
+ fail_and_report 1 "gitpassword.sh failed: Git password file present but without token."
+fi
+
+REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|' | sed -E 's|https://||')"
+if ! git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL ls-remote https://bk-$SITE_ID:${GIT_CONFIG_REPO_TOKEN}@${REPO} 1>/dev/null 2>/dev/null 3>/dev/null; then
+ rm "${SECRETS_FILE}"
+ fail_and_report 1 "gitpassword.sh failed: Git password present but invalid."
 fi
 cat <