diff --git a/services/tunnelbroker/src/config.rs b/services/tunnelbroker/src/config.rs
index bb6b9ca18..60967e25d 100644
--- a/services/tunnelbroker/src/config.rs
+++ b/services/tunnelbroker/src/config.rs
@@ -1,60 +1,66 @@
 use crate::constants;
+use crate::constants::ENV_APNS_CONFIG;
+use crate::notifs::apns::config::APNsConfig;
 use anyhow::{ensure, Result};
 use clap::Parser;
 use comm_lib::aws;
 use once_cell::sync::Lazy;
 use tracing::info;
 
 #[derive(Parser)]
 #[command(version, about, long_about = None)]
 pub struct AppConfig {
   /// gRPC server listening port
   #[arg(long, default_value_t = constants::GRPC_SERVER_PORT)]
   pub grpc_port: u16,
   /// HTTP server listening port
   #[arg(long, default_value_t = 51001)]
   pub http_port: u16,
   /// AMQP server URI
   #[arg(env = "AMQP_URI")]
   #[arg(long, default_value = "amqp://comm:comm@localhost:5672")]
   pub amqp_uri: String,
   /// AWS Localstack service URL
   #[arg(env = "LOCALSTACK_ENDPOINT")]
   #[arg(long)]
   pub localstack_endpoint: Option<String>,
   /// Comm Identity service URL
   #[arg(env = "COMM_TUNNELBROKER_IDENTITY_ENDPOINT")]
   #[arg(long, default_value = "http://localhost:50054")]
   pub identity_endpoint: String,
+  /// APNs secrets
+  #[arg(env = ENV_APNS_CONFIG)]
+  #[arg(long)]
+  pub apns_config: Option<APNsConfig>,
 }
 
 /// Stores configuration parsed from command-line arguments
 /// and environment variables
 pub static CONFIG: Lazy<AppConfig> = Lazy::new(AppConfig::parse);
 
 /// Processes the command-line arguments and environment variables.
 /// Should be called at the beginning of the `main()` function.
 pub(super) fn parse_cmdline_args() -> Result<()> {
   // force evaluation of the lazy initialized config
   let cfg = Lazy::force(&CONFIG);
 
   // Perform some additional validation for CLI args
   ensure!(
     cfg.grpc_port != cfg.http_port,
     "gRPC and HTTP ports cannot be the same: {}",
     cfg.grpc_port
   );
   Ok(())
 }
 
 /// Provides region/credentials configuration for AWS SDKs
 pub async fn load_aws_config() -> aws::AwsConfig {
   let mut config_builder = aws::config::from_env();
 
   if let Some(endpoint) = &CONFIG.localstack_endpoint {
     info!("Using localstack URL: {}", endpoint);
     config_builder = config_builder.endpoint_url(endpoint);
   }
 
   config_builder.load().await
 }
diff --git a/services/tunnelbroker/src/main.rs b/services/tunnelbroker/src/main.rs
index 9115e55dc..54c56a01d 100644
--- a/services/tunnelbroker/src/main.rs
+++ b/services/tunnelbroker/src/main.rs
@@ -1,44 +1,47 @@
 pub mod amqp;
 pub mod config;
 pub mod constants;
 pub mod database;
 pub mod error;
 pub mod grpc;
 pub mod identity;
 pub mod notifs;
 pub mod websockets;
 
 use anyhow::{anyhow, Result};
 use config::CONFIG;
+use std::str::FromStr;
 use tracing::{self, Level};
 use tracing_subscriber::EnvFilter;
 
 #[tokio::main]
 async fn main() -> Result<()> {
   let filter = EnvFilter::builder()
     .with_default_directive(Level::INFO.into())
     .with_env_var(constants::LOG_LEVEL_ENV_VAR)
     .from_env_lossy();
 
   let subscriber = tracing_subscriber::fmt().with_env_filter(filter).finish();
   tracing::subscriber::set_global_default(subscriber)
     .expect("Unable to configure tracing");
 
   config::parse_cmdline_args()?;
   let aws_config = config::load_aws_config().await;
   let db_client = database::DatabaseClient::new(&aws_config);
   let amqp_connection = amqp::connect().await;
 
+  let apns_config = CONFIG.apns_config.clone();
+
   let grpc_server = grpc::run_server(db_client.clone(), &amqp_connection);
   let websocket_server =
     websockets::run_server(db_client.clone(), &amqp_connection);
 
   tokio::select! {
     Ok(_) = grpc_server => { Ok(()) },
     Ok(_) = websocket_server => { Ok(()) },
     else => {
       tracing::error!("A grpc or websocket server crashed.");
       Err(anyhow!("A grpc or websocket server crashed."))
     }
   }
 }
diff --git a/services/tunnelbroker/src/notifs/apns/config.rs b/services/tunnelbroker/src/notifs/apns/config.rs
new file mode 100644
index 000000000..696a9071c
--- /dev/null
+++ b/services/tunnelbroker/src/notifs/apns/config.rs
@@ -0,0 +1,18 @@
+use serde::{Deserialize, Serialize};
+use std::str::FromStr;
+
+#[derive(clap::Args, Clone, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct APNsConfig {
+  pub key: String,
+  pub key_id: String,
+  pub team_id: String,
+  pub production: bool,
+}
+
+impl FromStr for APNsConfig {
+  type Err = serde_json::Error;
+  fn from_str(s: &str) -> Result<Self, Self::Err> {
+    serde_json::from_str(s)
+  }
+}
diff --git a/services/tunnelbroker/src/notifs/apns/mod.rs b/services/tunnelbroker/src/notifs/apns/mod.rs
index c671dfc37..ca33d42c6 100644
--- a/services/tunnelbroker/src/notifs/apns/mod.rs
+++ b/services/tunnelbroker/src/notifs/apns/mod.rs
@@ -1,5 +1,7 @@
+pub mod config;
+
 #[derive(Clone)]
 pub struct APNsClient {
   http2_client: reqwest::Client,
   is_prod: bool,
 }