diff --git a/developers-italia-api/README.md b/developers-italia-api/README.md
index 003b6f5..02a3716 100644
--- a/developers-italia-api/README.md
+++ b/developers-italia-api/README.md
@@ -1,13 +1,21 @@
 # Deploy developers-italia-api Helm chart
 
-To install:
+To install (Helm >= v3.8.0 required for OCI image support):
 
 ```shell-session
+# Use your GitHub token when asked for password
+helm registry login ghcr.io -u api
+
 kubectl create namespace developers-italia-api
 kubectl -n developers-italia-api apply -f secrets.yaml
+
+# Get latest chart version from
+# https://github.com/italia/developers-italia-api/pkgs/container/developers-italia-api%2Fcharts%2Fdevelopers-italia-api
+
 helm -n developers-italia-api install \
     developers-italia-api \
-    oci://ghcr.io/italia/charts/developers-italia-api \
+    oci://ghcr.io/italia/developers-italia-api/charts/developers-italia-api \
+    --version <LATEST_CHART_VERSION> \
     -f custom.yaml
 ```
 
@@ -16,7 +24,8 @@ to upgrade:
 ```shell-session
 helm -n developers-italia-api upgrade \
     developers-italia-api \
-    oci://ghcr.io/italia/charts/developers-italia-api \
+    oci://ghcr.io/italia/developers-italia-api/charts/developers-italia-api \
+    --version <LATEST_CHART_VERSION> \
     -f custom.yaml
 ```
 
@@ -25,5 +34,25 @@ to remove:
 ```shell-session
 helm -n developers-italia-api uninstall developers-italia-api
 kubectl -n developers-italia-api delete -f secrets.yaml
-kubectl delete namespace developers-italia-api 
+kubectl delete namespace developers-italia-api
+```
+
+## Staging
+
+Optionally you can install a staging deploy tracking the `main`
+branch of developers-italia-api:
+
+```shell-session
+kubectl create namespace developers-italia-api-staging
+
+kubectl -n developers-italia-api-staging apply -f secrets-staging.yaml
+
+# Get latest chart version from
+# https://github.com/italia/developers-italia-api/pkgs/container/developers-italia-api%2Fcharts%2Fdevelopers-italia-api
+
+helm -n developers-italia-api-staging install \
+    developers-italia-api-staging \
+    oci://ghcr.io/italia/developers-italia-api/charts/developers-italia-api \
+    --version <LATEST_CHART_VERSION> \
+    -f custom-staging.yaml
 ```
diff --git a/developers-italia-api/custom-staging.yaml b/developers-italia-api/custom-staging.yaml
new file mode 100644
index 0000000..0c7e02f
--- /dev/null
+++ b/developers-italia-api/custom-staging.yaml
@@ -0,0 +1,35 @@
+image:
+  repository: ghcr.io/italia/developers-italia-api
+  pullPolicy: IfNotPresent
+  tag: main
+
+deploymentAnnotations:
+  keel.sh/policy: force
+  keel.sh/match-tag: "true"
+  keel.sh/trigger: poll
+  keel.sh/pollSchedule: "@every 5m"
+
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/acme-challenge-type: http01
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  path: /
+  hosts:
+    - host: api-staging.developers.italia.it
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - api-staging.developers.italia.it
+      secretName: developers-italia-api-staging-tls
+
+useExistingSecret: developers-italia-api-staging-azure-kv
+
+serviceMonitor:
+  enabled: true
diff --git a/developers-italia-api/secrets-staging.yaml b/developers-italia-api/secrets-staging.yaml
new file mode 100644
index 0000000..5c500cd
--- /dev/null
+++ b/developers-italia-api/secrets-staging.yaml
@@ -0,0 +1,13 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: developers-italia-api-staging
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: azure-kv-secret-store
+  target:
+    name: developers-italia-api-staging-azure-kv
+  dataFrom:
+    - extract:
+        key: k8s-secrets-developers-italia-api-staging