diff --git a/controller/addSecretsAccess.go b/controller/addSecretsAccess.go
new file mode 100644
index 00000000..2713d1b9
--- /dev/null
+++ b/controller/addSecretsAccess.go
@@ -0,0 +1,56 @@
+package controller
+
+import (
+ "fmt"
+
+ "github.com/go-openapi/runtime/middleware"
+ "github.com/openziti/edge-api/rest_model"
+ "github.com/openziti/zrok/controller/zrokEdgeSdk"
+ "github.com/openziti/zrok/rest_model_zrok"
+ "github.com/openziti/zrok/rest_server_zrok/operations/admin"
+ "github.com/sirupsen/logrus"
+)
+
+type addSecretsAccessHandler struct{}
+
+func newAddSecretsAccessHandler() *addSecretsAccessHandler {
+ return &addSecretsAccessHandler{}
+}
+
+func (h *addSecretsAccessHandler) Handle(params admin.AddSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+ secretsAccessIdentityZId := params.Body.SecretsIdentityZID
+
+ if !principal.Admin {
+ logrus.Errorf("invalid admin principal")
+ return admin.NewAddSecretsAccessUnauthorized()
+ }
+
+ edge, err := zrokEdgeSdk.Client(cfg.Ziti)
+ if err != nil {
+ logrus.Errorf("error getting edge client: %v", err)
+ return admin.NewAddSecretsAccessInternalServerError()
+ }
+
+ serviceZId, err := getZIdForService(cfg.Secrets.ServiceName, edge)
+ if err != nil {
+ logrus.Errorf("error getting service ziti id for '%v': %v", cfg.Secrets.ServiceName, err)
+ return admin.NewAddSecretsAccessInternalServerError()
+ }
+
+ spZId, err := getZIdForServicePolicy(serviceZId, secretsAccessIdentityZId, rest_model.DialBindDial, edge)
+ if err != nil {
+ logrus.Infof("could not assert service policy; creating")
+
+ if err := zrokEdgeSdk.CreateServicePolicyDial(fmt.Sprintf("service-listener-dial-%v", secretsAccessIdentityZId), serviceZId, []string{secretsAccessIdentityZId}, nil, edge); err != nil {
+ logrus.Errorf("error creating dial service policy for '@%v' -> '@%v': %v", secretsAccessIdentityZId, serviceZId, err)
+ return admin.NewAddSecretsAccessInternalServerError()
+ }
+ logrus.Infof("created dial service policy for '@%v' -> '@%v'", secretsAccessIdentityZId, serviceZId)
+
+ } else {
+ logrus.Errorf("asserted existing service policy with ziti id '%v'", spZId)
+ return admin.NewAddSecretsAccessBadRequest()
+ }
+
+ return admin.NewAddSecretsAccessOK()
+}
diff --git a/controller/bootstrap.go b/controller/bootstrap.go
index 5026db40..09337fbb 100644
--- a/controller/bootstrap.go
+++ b/controller/bootstrap.go
@@ -332,7 +332,7 @@ func assertBindPolicyForIdentityAndService(serviceName, zId string, edge *rest_m
 if err := zrokEdgeSdk.CreateServicePolicyBind(fmt.Sprintf("service-listener-bind-%v", zId), serviceZId, zId, nil, edge); err != nil {
 return errors.Wrapf(err, "error creating bind policy for '%v' -> '%v'", zId, serviceName)
 }
- logrus.Infof("created bind policy for '@%v' -> '@%v' with zId '%v'", zId, serviceName, spZId)
+ logrus.Infof("created bind policy for '@%v' -> '@%v'", zId, serviceName)
 } else {
 logrus.Infof("found existing bind policy for '@%v' -> '@%v' with zId '%v'", zId, serviceName, spZId)
 }
diff --git a/controller/controller.go b/controller/controller.go
index b07383eb..60cd1453 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -66,7 +66,11 @@ func Run(inCfg *config.Config) error {
 api.AdminListOrganizationsHandler = newListOrganizationsHandler()
 api.AdminRemoveOrganizationMemberHandler = newRemoveOrganizationMemberHandler()
 api.AdminUpdateFrontendHandler = newUpdateFrontendHandler()
- if cfg.AgentController != nil {
+ if cfg.Secrets != nil && cfg.Secrets.ZId != "" && cfg.Secrets.ServiceName != "" && cfg.Secrets.IdentityPath != "" {
+ api.AdminAddSecretsAccessHandler = newAddSecretsAccessHandler()
+ api.AdminDeleteSecretsAccessHandler = newDeleteSecretsAccessHandler()
+ }
+ if cfg.AgentController != nil && cfg.AgentController.ZId != "" && cfg.AgentController.IdentityPath != "" {
 api.AgentEnrollHandler = newAgentEnrollHandler()
 api.AgentPingHandler = newAgentPingHandler()
 api.AgentRemoteAccessHandler = newAgentRemoteAccessHandler()
diff --git a/controller/deleteSecretsAccess.go b/controller/deleteSecretsAccess.go
new file mode 100644
index 00000000..3815274b
--- /dev/null
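Review bot: The `if err != nil` branch after `getZIdForServicePolicy` treats every lookup failure as "policy does not exist" and proceeds to `CreateServicePolicyDial`, so a transient edge API error during the lookup is logged at Info and followed by a create attempt instead of surfacing as a 500; unless that helper (defined outside this hunk) only fails on not-found, the create path should be gated on a recognised not-found error and any other error returned as `admin.NewAddSecretsAccessInternalServerError()`. `secretsAccessIdentityZId` is also used unvalidated, so an empty `SecretsIdentityZID` would be passed through as the policy name `service-listener-dial-` with an empty identity entry; a guard such as `if secretsAccessIdentityZId == "" { return admin.NewAddSecretsAccessBadRequest() }` before the lookup is cheap. Both this handler and deleteSecretsAccess.go dereference `params.Body` on their first line, before the `principal.Admin` check; if the generated server does not already reject a missing body, moving that line below the authorization check avoids doing any work on request data for unauthorized callers. The `else` branch logs an already-existing policy at Error level while returning 400 to the caller; `logrus.Warnf` (or Infof, matching the "found existing bind policy" message in bootstrap.go) better reflects that this is a client-side condition rather than a server fault.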
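Review bot: The four-clause readiness check on `cfg.Secrets` is written inline and mirrors the tightened `cfg.AgentController` check beneath it; a small predicate such as `func secretsEnabled(c *config.Config) bool { return c.Secrets != nil && c.Secrets.ZId != "" && c.Secrets.ServiceName != "" && c.Secrets.IdentityPath != "" }` would keep `Run` readable and give the add/delete handlers, which dereference `cfg.Secrets` unconditionally, a single guard they can reuse. When the check fails the two handlers stay unset, which, if I read the go-swagger generated server correctly, leaves those admin endpoints answering with the default not-implemented responder; a comment on the `if` such as `// secrets access endpoints are only served when the secrets identity and service are fully configured` would tell operators why the endpoints are absent. The rest of `Run` continues outside the hunk.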
+++ b/controller/deleteSecretsAccess.go 
@@ -0,0 +1,62 @@
+package controller
+
+import (
+ "context"
+ "time"
+
+ "github.com/go-openapi/runtime/middleware"
+ "github.com/openziti/edge-api/rest_management_api_client/service_policy"
+ "github.com/openziti/edge-api/rest_model"
+ "github.com/openziti/zrok/controller/zrokEdgeSdk"
+ "github.com/openziti/zrok/rest_model_zrok"
+ "github.com/openziti/zrok/rest_server_zrok/operations/admin"
+ "github.com/sirupsen/logrus"
+)
+
+type deleteSecretsAccessHandler struct{}
+
+func newDeleteSecretsAccessHandler() *deleteSecretsAccessHandler {
+ return &deleteSecretsAccessHandler{}
+}
+
+func (h *deleteSecretsAccessHandler) Handle(params admin.DeleteSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+ secretsAccessIdentityZId := params.Body.SecretsIdentityZID
+
+ if !principal.Admin {
+ logrus.Errorf("invalid admin principal")
+ return admin.NewDeleteSecretsAccessUnauthorized()
+ }
+
+ edge, err := zrokEdgeSdk.Client(cfg.Ziti)
+ if err != nil {
+ logrus.Errorf("error getting edge client: %v", err)
+ return admin.NewDeleteSecretsAccessInternalServerError()
+ }
+
+ serviceZId, err := getZIdForService(cfg.Secrets.ServiceName, edge)
+ if err != nil {
+ logrus.Errorf("error getting service ziti id for '%v': %v", cfg.Secrets.ServiceName, err)
+ return admin.NewDeleteSecretsAccessInternalServerError()
+ }
+
+ spZId, err := getZIdForServicePolicy(serviceZId, secretsAccessIdentityZId, rest_model.DialBindDial, edge)
+ if err == nil {
+ req := &service_policy.DeleteServicePolicyParams{
+ ID: spZId,
+ Context: context.Background(),
+ }
+ req.SetTimeout(30 * time.Second)
+ _, err := edge.ServicePolicy.DeleteServicePolicy(req, nil)
+ if err != nil {
+ logrus.Errorf("error deleting service policy '%v': %v", spZId, err)
+ return admin.NewDeleteSecretsAccessInternalServerError()
+ }
+ logrus.Infof("removed dial service policy for '@%v' -> '@%v", secretsAccessIdentityZId, serviceZId)
+
+ } else {
+ logrus.Errorf("error getting dial service policy ziti id: %v", err)
+ return admin.NewDeleteSecretsAccessBadRequest()
+ }
+
+ return admin.NewDeleteSecretsAccessOK()
+}
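Review bot: Every failure of `getZIdForServicePolicy` in the `else` branch is reported to the caller as 400 Bad Request, although that helper (defined outside this hunk) can presumably fail for reasons other than "no such policy", such as the edge API being unreachable, which would then masquerade as a client error; unless the error can be identified as not-found, `admin.NewDeleteSecretsAccessInternalServerError()` is the honest response for the remaining cases. The delete request is built with `context.Background()` and a fixed 30-second timeout rather than the request's own context, so a client that disconnects does not cancel the edge call; the go-swagger params carry `params.HTTPRequest.Context()` if cancellation should propagate. The success message on the `logrus.Infof("removed dial service policy ...")` line is missing the closing quote after the second `@%v`; it should read `'@%v' -> '@%v'` like the corresponding message in addSecretsAccess.go.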