diff --git a/services/tunnelbroker/src/config.rs b/services/tunnelbroker/src/config.rs
--- a/services/tunnelbroker/src/config.rs
+++ b/services/tunnelbroker/src/config.rs
@@ -1,4 +1,6 @@
 use crate::constants;
+use crate::constants::ENV_APNS_CONFIG;
+use crate::notifs::apns::config::APNsConfig;
 use anyhow::{ensure, Result};
 use clap::Parser;
 use comm_lib::aws;
@@ -26,6 +28,10 @@
   #[arg(env = "COMM_TUNNELBROKER_IDENTITY_ENDPOINT")]
   #[arg(long, default_value = "http://localhost:50054")]
   pub identity_endpoint: String,
+  /// APNs secrets
+  #[arg(env = ENV_APNS_CONFIG)]
+  #[arg(long)]
+  pub apns_config: Option<APNsConfig>,
 }
 
 /// Stores configuration parsed from command-line arguments
diff --git a/services/tunnelbroker/src/main.rs b/services/tunnelbroker/src/main.rs
--- a/services/tunnelbroker/src/main.rs
+++ b/services/tunnelbroker/src/main.rs
@@ -10,6 +10,7 @@
 
 use anyhow::{anyhow, Result};
 use config::CONFIG;
+use std::str::FromStr;
 use tracing::{self, Level};
 use tracing_subscriber::EnvFilter;
 
@@ -29,6 +30,8 @@
   let db_client = database::DatabaseClient::new(&aws_config);
   let amqp_connection = amqp::connect().await;
 
+  let apns_config = CONFIG.apns_config.clone();
+
   let grpc_server = grpc::run_server(db_client.clone(), &amqp_connection);
   let websocket_server =
     websockets::run_server(db_client.clone(), &amqp_connection);
diff --git a/services/tunnelbroker/src/notifs/apns/config.rs b/services/tunnelbroker/src/notifs/apns/config.rs
new file mode 100644
--- /dev/null
+++ b/services/tunnelbroker/src/notifs/apns/config.rs
@@ -0,0 +1,18 @@
+use serde::{Deserialize, Serialize};
+use std::str::FromStr;
+
+#[derive(clap::Args, Clone, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct APNsConfig {
+  pub key: String,
+  pub key_id: String,
+  pub team_id: String,
+  pub production: bool,
+}
+
+impl FromStr for APNsConfig {
+  type Err = serde_json::Error;
+  fn from_str(s: &str) -> Result<Self, Self::Err> {
+    serde_json::from_str(s)
+  }
+}
diff --git a/services/tunnelbroker/src/notifs/apns/mod.rs b/services/tunnelbroker/src/notifs/apns/mod.rs
--- a/services/tunnelbroker/src/notifs/apns/mod.rs
+++ b/services/tunnelbroker/src/notifs/apns/mod.rs
@@ -1,3 +1,5 @@
+pub mod config;
+
 #[derive(Clone)]
 pub struct APNsClient {
   http2_client: reqwest::Client,