diff --git a/controller/config/config.go b/controller/config/config.go
index 3b7fc4a0..340a88d2 100644
--- a/controller/config/config.go
+++ b/controller/config/config.go
@@ -1,6 +1,10 @@
 package config
 
 import (
+ "os"
+ "strconv"
+ "time"
+
 "github.com/michaelquigley/cf"
 "github.com/openziti/zrok/controller/agentController"
 "github.com/openziti/zrok/controller/emailUi"
@@ -10,9 +14,6 @@ import (
 "github.com/openziti/zrok/controller/store"
 "github.com/openziti/zrok/controller/zrokEdgeSdk"
 "github.com/pkg/errors"
- "os"
- "strconv"
- "time"
 )
 
 const ConfigVersion = 4
@@ -30,6 +31,7 @@ type Config struct {
 Metrics *metrics.Config
 Registration *RegistrationConfig
 ResetPassword *ResetPasswordConfig
+ Secrets *SecretsConfig
 Store *store.Config
 Ziti *zrokEdgeSdk.Config
 Tls *TlsConfig
@@ -78,6 +80,12 @@ type ResetPasswordMaintenanceConfig struct {
 BatchLimit int
 }
 
+type SecretsConfig struct {
+ ZId string
+ IdentityPath string
+ ServiceName string
+}
+
 type TlsConfig struct {
 CertPath string
 KeyPath string
diff --git a/controller/controller.go b/controller/controller.go
index 9383b3bc..b07383eb 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -2,6 +2,10 @@ package controller
 
 import (
 "context"
+ "log"
+ "net/http"
+ _ "net/http/pprof"
+
 "github.com/go-openapi/loads"
 influxdb2 "github.com/influxdata/influxdb-client-go/v2"
 "github.com/jessevdk/go-flags"
@@ -15,9 +19,6 @@ import (
 "github.com/openziti/zrok/rest_server_zrok/operations/metadata"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
- "log"
- "net/http"
- _ "net/http/pprof"
 )
 
 var (
@@ -153,6 +154,8 @@ func Run(inCfg *config.Config) error {
 }
 }
 
+ go startSecretsListener(cfg)
+
 server := rest_server_zrok.NewServer(api)
 defer func() { _ = server.Shutdown() }()
 if cfg.Tls != nil {
diff --git a/controller/secrets.go b/controller/secrets.go
new file mode 100644
index 00000000..2ae7edb7
--- /dev/null
+++ b/controller/secrets.go
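Review bot: SecretsConfig is an exported type added without a doc comment, and its ZId field is not read anywhere in this diff (the listener in controller/secrets.go uses only IdentityPath and ServiceName), so a reader cannot tell what ZId is for or whether it is required. Suggest a comment on the type such as `// SecretsConfig enables the Ziti-hosted gRPC secrets listener: IdentityPath is the Ziti identity file loaded for the listener and ServiceName the Ziti service it listens on.`, plus a line on ZId naming what consumes it, or leaving the field out until something does. Since IdentityPath names a credential file, the comment is also the natural place to say it should not be world-readable.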
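Review bot: The goroutine started by `go startSecretsListener(cfg)` has no stop path: the deferred `server.Shutdown()` two lines below stops only the REST server, while the gRPC server created inside startSecretsListener (controller/secrets.go) is a local that nothing outside can GracefulStop, so the Ziti listener outlives a shutdown of Run until the process exits. Consider having startSecretsListener accept a context or return the `*grpc.Server` so its stop can be deferred next to `server.Shutdown()`. As written a listener failure only logs and Run carries on; if that is intended, say so at the call site, e.g. `// best-effort: a secrets listener failure is logged, not fatal`. Run's body starts and ends outside this hunk.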
@@ -0,0 +1,50 @@
+package controller
+
+import (
+ "context"
+
+ "github.com/openziti/sdk-golang/ziti"
+ "github.com/openziti/zrok/controller/config"
+ "github.com/openziti/zrok/controller/secretsGrpc"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc"
+)
+
+func startSecretsListener(cfg *config.Config) {
+ if cfg != nil && cfg.Secrets != nil {
+ zcfg, err := ziti.NewConfigFromFile(cfg.Secrets.IdentityPath)
+ if err != nil {
+ logrus.Errorf("error loading secrets listener identity '%v': %v", cfg.Secrets.IdentityPath, err)
+ return
+ }
+ zctx, err := ziti.NewContext(zcfg)
+ if err != nil {
+ logrus.Errorf("error creating ziti context: %v", err)
+ return
+ }
+ l, err := zctx.Listen(cfg.Secrets.ServiceName)
+ if err != nil {
+ logrus.Errorf("error listening on '%v': %v", cfg.Secrets.ServiceName, err)
+ return
+ }
+
+ srv := grpc.NewServer()
+ secretsGrpc.RegisterSecretsServer(srv, &secretsGrpcImpl{})
+ if err := srv.Serve(l); err != nil {
+ logrus.Errorf("error serving '%v': %v", cfg.Secrets.ServiceName, err)
+ return
+ }
+
+ } else {
+ logrus.Warnf("secrets listener disabled")
+ }
+}
+
+type secretsGrpcImpl struct {
+ secretsGrpc.UnimplementedSecretsServer
+}
+
+func (i *secretsGrpcImpl) FetchSecrets(_ context.Context, req *secretsGrpc.SecretsRequest) (*secretsGrpc.SecretsResponse, error) {
+ logrus.Infof("request for secrets for '%v'", req.ShareToken)
+ return nil, nil
+}
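Review bot: FetchSecrets returns `nil, nil`, so a caller receives an OK status with what is presumably an empty SecretsResponse instead of a signal that the RPC is not implemented yet; until the body exists it should fail explicitly, e.g. `return nil, status.Error(codes.Unimplemented, "FetchSecrets not implemented")` using `google.golang.org/grpc/status` and `google.golang.org/grpc/codes`. Nothing in the handler checks who is asking for the secrets of `req.ShareToken`; presumably access is gated by the Ziti service policy on `cfg.Secrets.ServiceName`, and a comment on secretsGrpcImpl recording that assumption would keep a later maintainer from treating the endpoint as open to any dialer. In startSecretsListener the whole body sits under `if cfg != nil && cfg.Secrets != nil` with the disabled case in a trailing `else`; an early `logrus.Warnf("secrets listener disabled"); return` would flatten it, and `srv` is a local that nothing outside the function can stop. Both functions lack a doc comment; a one-liner such as `// startSecretsListener serves the secrets gRPC API on a Ziti service; it blocks until Serve returns and logs, rather than returns, every failure.` states the contract.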