diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs
index 1bc446c15..296c9c690 100644
--- a/services/identity/src/config.rs
+++ b/services/identity/src/config.rs
@@ -1,110 +1,131 @@
 use base64::{engine::general_purpose, DecodeError, Engine as _};
 use once_cell::sync::Lazy;
 use std::{collections::HashSet, env, fmt, fs, io, path};
 use tracing::{error, info};
 
 use crate::constants::{
-  KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP,
-  SECRETS_DIRECTORY, SECRETS_SETUP_FILE,
+  DEFAULT_TUNNELBROKER_ENDPOINT, KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT,
+  OPAQUE_SERVER_SETUP, SECRETS_DIRECTORY, SECRETS_SETUP_FILE,
+  TUNNELBROKER_GRPC_ENDPOINT,
 };
 
 pub static CONFIG: Lazy<Config> =
   Lazy::new(|| Config::load().expect("failed to load config"));
 
 pub(super) fn load_config() {
   Lazy::force(&CONFIG);
 }
 
 #[derive(Clone)]
 pub struct Config {
   pub localstack_endpoint: Option<String>,
   // Opaque 2.0 server secrets
   pub server_setup: comm_opaque2::ServerSetup<comm_opaque2::Cipher>,
   // Reserved usernames
   pub reserved_usernames: HashSet<String>,
   pub keyserver_public_key: Option<String>,
+  pub tunnelbroker_endpoint: String,
 }
 
 impl Config {
   fn load() -> Result<Self, Error> {
     let localstack_endpoint = env::var(LOCALSTACK_ENDPOINT).ok();
+    let tunnelbroker_endpoint = match env::var(TUNNELBROKER_GRPC_ENDPOINT) {
+      Ok(val) => {
+        info!("Using tunnelbroker endpoint from env var: {}", val);
+        val
+      }
+      Err(std::env::VarError::NotPresent) => {
+        let val = DEFAULT_TUNNELBROKER_ENDPOINT;
+        info!("Falling back to default tunnelbroker endpoint: {}", val);
+        val.to_string()
+      }
+      Err(e) => {
+        error!(
+          "Failed to read environment variable {}: {:?}",
+          TUNNELBROKER_GRPC_ENDPOINT, e
+        );
+        return Err(Error::Env(e));
+      }
+    };
 
     let mut path_buf = path::PathBuf::new();
     path_buf.push(SECRETS_DIRECTORY);
     path_buf.push(SECRETS_SETUP_FILE);
 
     let server_setup = get_server_setup(path_buf.as_path())?;
 
     let reserved_usernames = get_reserved_usernames_set()?;
 
     let keyserver_public_key = env::var(KEYSERVER_PUBLIC_KEY).ok();
 
     Ok(Self {
       localstack_endpoint,
       server_setup,
       reserved_usernames,
       keyserver_public_key,
+      tunnelbroker_endpoint,
     })
   }
 }
 
 impl fmt::Debug for Config {
   fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
     f.debug_struct("Config")
       .field("server_keypair", &"** redacted **")
       .field("keyserver_auth_token", &"** redacted **")
       .field("localstack_endpoint", &self.localstack_endpoint)
       .finish()
   }
 }
 
 #[derive(Debug, derive_more::Display, derive_more::From)]
 pub enum Error {
   #[display(...)]
   Opaque(comm_opaque2::ProtocolError),
   #[display(...)]
   Io(io::Error),
   #[display(...)]
   Env(env::VarError),
   #[display(...)]
   Json(serde_json::Error),
   #[display(...)]
   Decode(DecodeError),
 }
 
 fn get_server_setup(
   path: &path::Path,
 ) -> Result<comm_opaque2::ServerSetup<comm_opaque2::Cipher>, Error> {
   let encoded_server_setup = if let Ok(env_setup) =
     env::var(OPAQUE_SERVER_SETUP)
   {
     info!(
       "Using OPAQUE server setup from env var: {}",
       OPAQUE_SERVER_SETUP
     );
     env_setup
   } else if let Ok(file_setup) = fs::read_to_string(path) {
     info!("Using OPAQUE server setup from file: {}", path.display());
     file_setup
   } else {
     error!("Unable to locate OPAQUE server setup. Please run `keygen` command and run Identity service again.");
     return Err(Error::Io(io::Error::new(
       io::ErrorKind::NotFound,
       "Missing server credentials",
     )));
   };
 
   let decoded_server_setup =
     general_purpose::STANDARD_NO_PAD.decode(encoded_server_setup)?;
   comm_opaque2::ServerSetup::deserialize(&decoded_server_setup)
     .map_err(Error::Opaque)
 }
 
 fn get_reserved_usernames_set() -> Result<HashSet<String>, Error> {
   // All entries in `reserved_usernames.json` must be lowercase and must also be
   // included in `lib/utils/reserved-users.js`!!
   let contents = include_str!("../reserved_usernames.json");
   let reserved_usernames: Vec<String> = serde_json::from_str(contents)?;
 
   Ok(reserved_usernames.into_iter().collect())
 }
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
index 93228ad74..194a45c00 100644
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -1,128 +1,132 @@
 // Secrets
 
 pub const SECRETS_DIRECTORY: &str = "secrets";
 pub const SECRETS_SETUP_FILE: &str = "server_setup.txt";
 
 // DynamoDB
 
 // User table information, supporting opaque_ke 2.0 and X3DH information
 
 // Users can sign in either through username+password or Eth wallet.
 //
 // This structure should be aligned with the messages defined in
 // shared/protos/identity_client.proto
 //
 // Structure for a user should be:
 // {
 //   userID: String,
 //   opaqueRegistrationData: Option<String>,
 //   username: Option<String>,
 //   walletAddress: Option<String>,
 //   devices: HashMap<String, Device>
 // }
 //
 // A device is defined as:
 // {
 //     deviceType: String, # client or keyserver
 //     keyPayload: String,
 //     keyPayloadSignature: String,
 //     identityPreKey: String,
 //     identityPreKeySignature: String,
 //     identityOneTimeKeys: Vec<String>,
 //     notifPreKey: String,
 //     notifPreKeySignature: String,
 //     notifOneTimeKeys: Vec<String>,
 //     socialProof: Option<String>
 //   }
 // }
 //
 // Additional context:
 // "devices" uses the signing public identity key of the device as a key for the devices map
 // "keyPayload" is a JSON encoded string containing identity and notif keys (both signature and verification)
 // if "deviceType" == "keyserver", then the device will not have any notif key information
 
 pub const USERS_TABLE: &str = "identity-users";
 pub const USERS_TABLE_PARTITION_KEY: &str = "userID";
 pub const USERS_TABLE_REGISTRATION_ATTRIBUTE: &str = "opaqueRegistrationData";
 pub const USERS_TABLE_USERNAME_ATTRIBUTE: &str = "username";
 pub const USERS_TABLE_DEVICES_ATTRIBUTE: &str = "devices";
 pub const USERS_TABLE_DEVICES_MAP_DEVICE_TYPE_ATTRIBUTE_NAME: &str =
   "deviceType";
 pub const USERS_TABLE_DEVICES_MAP_KEY_PAYLOAD_ATTRIBUTE_NAME: &str =
   "keyPayload";
 pub const USERS_TABLE_DEVICES_MAP_KEY_PAYLOAD_SIGNATURE_ATTRIBUTE_NAME: &str =
   "keyPayloadSignature";
 pub const USERS_TABLE_DEVICES_MAP_CONTENT_PREKEY_ATTRIBUTE_NAME: &str =
   "identityPreKey";
 pub const USERS_TABLE_DEVICES_MAP_CONTENT_PREKEY_SIGNATURE_ATTRIBUTE_NAME:
   &str = "identityPreKeySignature";
 pub const USERS_TABLE_DEVICES_MAP_CONTENT_ONETIME_KEYS_ATTRIBUTE_NAME: &str =
   "identityOneTimeKeys";
 pub const USERS_TABLE_DEVICES_MAP_NOTIF_PREKEY_ATTRIBUTE_NAME: &str = "preKey";
 pub const USERS_TABLE_DEVICES_MAP_NOTIF_PREKEY_SIGNATURE_ATTRIBUTE_NAME: &str =
   "preKeySignature";
 pub const USERS_TABLE_DEVICES_MAP_NOTIF_ONETIME_KEYS_ATTRIBUTE_NAME: &str =
   "notifOneTimeKeys";
 pub const USERS_TABLE_WALLET_ADDRESS_ATTRIBUTE: &str = "walletAddress";
 pub const USERS_TABLE_DEVICES_MAP_SOCIAL_PROOF_ATTRIBUTE_NAME: &str =
   "socialProof";
 pub const USERS_TABLE_USERNAME_INDEX: &str = "username-index";
 pub const USERS_TABLE_WALLET_ADDRESS_INDEX: &str = "walletAddress-index";
 
 pub const ACCESS_TOKEN_TABLE: &str = "identity-tokens";
 pub const ACCESS_TOKEN_TABLE_PARTITION_KEY: &str = "userID";
 pub const ACCESS_TOKEN_SORT_KEY: &str = "signingPublicKey";
 pub const ACCESS_TOKEN_TABLE_CREATED_ATTRIBUTE: &str = "created";
 pub const ACCESS_TOKEN_TABLE_AUTH_TYPE_ATTRIBUTE: &str = "authType";
 pub const ACCESS_TOKEN_TABLE_VALID_ATTRIBUTE: &str = "valid";
 pub const ACCESS_TOKEN_TABLE_TOKEN_ATTRIBUTE: &str = "token";
 
 pub const NONCE_TABLE: &str = "identity-nonces";
 pub const NONCE_TABLE_PARTITION_KEY: &str = "nonce";
 pub const NONCE_TABLE_CREATED_ATTRIBUTE: &str = "created";
 pub const NONCE_TABLE_EXPIRATION_TIME_ATTRIBUTE: &str = "expirationTime";
 pub const NONCE_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str =
   "expirationTimeUnix";
 
 // Usernames reserved because they exist in Ashoat's keyserver already
 pub const RESERVED_USERNAMES_TABLE: &str = "identity-reserved-usernames";
 pub const RESERVED_USERNAMES_TABLE_PARTITION_KEY: &str = "username";
 
 // One time keys table, which need to exist in their own table to ensure
 // atomicity of additions and removals
 pub mod one_time_keys_table {
   // The `PARTITION_KEY` will contain "notification_${deviceID}" or
   // "content_${deviceID}" to allow for both key sets to coexist in the same table
   pub const NAME: &'static str = "identity-one-time-keys";
   pub const PARTITION_KEY: &'static str = "deviceID";
   pub const DEVICE_ID: &'static str = PARTITION_KEY;
   pub const SORT_KEY: &'static str = "oneTimeKey";
   pub const ONE_TIME_KEY: &'static str = SORT_KEY;
 }
 
 // Tokio
 
 pub const MPSC_CHANNEL_BUFFER_CAPACITY: usize = 1;
 pub const IDENTITY_SERVICE_SOCKET_ADDR: &str = "[::]:50054";
 
 // Token
 
 pub const ACCESS_TOKEN_LENGTH: usize = 512;
 
 // Temporary config
 
 pub const AUTH_TOKEN: &str = "COMM_IDENTITY_SERVICE_AUTH_TOKEN";
 pub const KEYSERVER_PUBLIC_KEY: &str = "KEYSERVER_PUBLIC_KEY";
 
 // Nonce
 
 pub const NONCE_LENGTH: usize = 17;
 pub const NONCE_TTL_DURATION: i64 = 30;
 
 // LocalStack
 
 pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";
 
 // OPAQUE Server Setup
 
 pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
+
+// Tunnelbroker
+pub const TUNNELBROKER_GRPC_ENDPOINT: &str = "TUNNELBROKER_GRPC_ENDPOINT";
+pub const DEFAULT_TUNNELBROKER_ENDPOINT: &str = "http://localhost:50051";