diff --git a/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml b/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml
index 2ac11c6..35c172a 100644
--- a/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml
+++ b/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml
@@ -6,7 +6,9 @@ rr:
 # proxy ingress). Here we exercise the *other* halves of those branches:
 # - Secrets inline (no externalSecret.name) → the chart renders its own Secret
 # (jwt-public-key / jwt-private-key / encryption-key / api-secret). jwtPublicKey
- # MUST be single-line: it is injected raw into the sandbox job-template JSON.
+ # is injected into the sandbox job-template JSON via `toJson`, so a genuine
+ # multi-line PEM (real newlines, as below) is escaped correctly — no need to
+ # pre-flatten it to a single `\n`-escaped line.
 # - Postgres sourcing OPTION 1: plaintext DSN via postgres.url.
 # - Same-origin proxy: no dedicated proxy domain and no proxy ingress — the
 # backend reverse-proxies /sandbox/* (frontendWsProxyDomain left empty).
@@ -21,8 +23,19 @@ rr:
 tag: 3.123.4
 pullPolicy: IfNotPresent
- jwtPublicKey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AI\nY+QUCicYtfv9wLGcEGPQuXoBQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==\n-----END PUBLIC KEY-----'
- jwtPrivateKey: '-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMFXLiN/YsJv89D2YkEZ6/Dj5fujghENmYTOilwdChU3oAoGCCqGSM49\nAwEHoUQDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AIY+QUCicYtfv9wLGcEGPQuXoB\nQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==\n-----END EC PRIVATE KEY-----'
+ # Real multi-line PEM (block scalar) — exercises the toJson newline escaping in
+ # the job-template JSON. A raw "{{ . }}" would produce invalid JSON here.
+ jwtPublicKey: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AI
+ Y+QUCicYtfv9wLGcEGPQuXoBQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==
+ -----END PUBLIC KEY-----
+ jwtPrivateKey: |-
+ -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIMFXLiN/YsJv89D2YkEZ6/Dj5fujghENmYTOilwdChU3oAoGCCqGSM49
+ AwEHoUQDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AIY+QUCicYtfv9wLGcEGPQuXoB
+ QtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==
+ -----END EC PRIVATE KEY-----
 encryptionKey: a12b01429fe0fe69a80da94e9e837ab2f1e9bda378ed8a25905a238f6fea6b7a
 apiSecret: test-agent-sandbox-api-secret
diff --git a/charts/retool/templates/deployment_agent_sandbox.yaml b/charts/retool/templates/deployment_agent_sandbox.yaml
index 0e9ac57..2dd1039 100644
--- a/charts/retool/templates/deployment_agent_sandbox.yaml
+++ b/charts/retool/templates/deployment_agent_sandbox.yaml
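Review bot: The EC private key and `encryptionKey` in the CI values file carry no comment marking them as throwaway fixtures, and as a block scalar the private key now has the multi-line PEM shape that secret scanners typically match. Once it is confirmed that this pair is used nowhere else, I would add a line above `jwtPublicKey` such as `# Test-only key pair generated for CI; not used by any real deployment.`. If the repository runs a secret scanner, allowlist this file path rather than the key material itself. The enclosing mapping starts outside the hunk.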
@@ -178,7 +178,7 @@ data:
 ,{"name": "SANDBOX_GLOBAL_LIFETIME_MS", "value": "{{ $as.sandbox.sandboxGlobalLifetimeMs }}"}
 ,{"name": "SANDBOX_READY_TIMEOUT_MS", "value": "{{ $as.sandbox.sandboxReadyTimeoutMs }}"}
 {{- if $as.jwtPublicKey }}
- ,{"name": "AGENT_SANDBOX_JWT_PUBLIC_KEY", "value": "{{ $as.jwtPublicKey }}"}
+ ,{"name": "AGENT_SANDBOX_JWT_PUBLIC_KEY", "value": {{ $as.jwtPublicKey | toJson }}}
 {{- else if $as.externalSecret.name }}
 ,{"name": "AGENT_SANDBOX_JWT_PUBLIC_KEY", "valueFrom": {"secretKeyRef": {"name": "{{ $defaultSecretName }}", "key": "jwt-public-key"}}}
 {{- end }}
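Review bot: The two context lines above the change (`SANDBOX_GLOBAL_LIFETIME_MS`, `SANDBOX_READY_TIMEOUT_MS`) and the `"name": "{{ $defaultSecretName }}"` in the `else if` branch still interpolate values raw between hand-written quotes, which is the pattern this commit removes for `jwtPublicKey`. A value containing `"`, `\` or a newline would break the job-template JSON there or add keys to it. Encode them the same way, e.g. `"value": {{ $as.sandbox.sandboxGlobalLifetimeMs | toString | toJson }}` (the `toString` keeps the env value a JSON string if the chart value is a number) and `"name": {{ $defaultSecretName | toJson }}`. The template continues on both sides of the hunk, so other raw interpolations may exist outside it.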