diff --git a/server.js b/server.js
index c64490f..c7be6c7 100644
--- a/server.js
+++ b/server.js
@@ -442,22 +442,22 @@ app.put("/api/s3/config", requireAdmin, (req, res) => {
 });
 
 app.post("/api/s3/test", requireAdmin, async (req, res) => {
-  // Support testing with submitted credentials (may not be saved yet)
-  const { endpoint, region, bucket, accessKeyId, secretAccessKey } = req.body;
+  // Merge submitted values with saved config — secret is often blank (keep existing)
+  const saved = db.s3Config || {};
   const testCfg = {
-    endpoint: endpoint || db.s3Config?.endpoint || "",
-    region: region || db.s3Config?.region || "us-east-1",
-    bucket: bucket || db.s3Config?.bucket || "",
-    accessKeyId: accessKeyId || db.s3Config?.accessKeyId || "",
-    secretAccessKey: secretAccessKey || db.s3Config?.secretAccessKey || "",
+    endpoint: (req.body.endpoint || saved.endpoint || "").trim(),
+    region: (req.body.region || saved.region || "us-east-1").trim(),
+    bucket: (req.body.bucket || saved.bucket || "").trim(),
+    accessKeyId: (req.body.accessKeyId || saved.accessKeyId || "").trim(),
+    secretAccessKey: (req.body.secretAccessKey || saved.secretAccessKey || "").trim(),
   };
+  console.log("[S3 Test] Config:", { endpoint: testCfg.endpoint, region: testCfg.region, bucket: testCfg.bucket, accessKeyId: testCfg.accessKeyId, hasSecret: !!testCfg.secretAccessKey });
   if (!testCfg.bucket || !testCfg.accessKeyId || !testCfg.secretAccessKey)
     return res.status(400).json({ success: false, error: "Bucket, Access Key ID, and Secret Key are required to test" });
 
   const testClient = buildS3Client(testCfg);
 
   try {
-    // Test by checking if bucket exists and is accessible
     await testClient.send(new HeadBucketCommand({ Bucket: testCfg.bucket }));
 
     res.json({ success: true, message: "✓ S3 connection confirmed! Credentials are valid and the bucket is accessible." });