diff --git a/binary_dependencies/jwtproxy b/binary_dependencies/jwtproxy
new file mode 100755
index 000000000..3a8ec77f9
Binary files /dev/null and b/binary_dependencies/jwtproxy differ
diff --git a/conf/http-base.conf b/conf/http-base.conf
index 492ce40e4..34116bb05 100644
--- a/conf/http-base.conf
+++ b/conf/http-base.conf
@@ -37,6 +37,9 @@ map $http_x_forwarded_proto $proper_scheme {
 upstream web_app_server {
 server unix:/tmp/gunicorn_web.sock fail_timeout=0;
 }
+upstream jwtproxy {
+ server unix:/tmp/jwtproxy.sock fail_timeout=0;
+}
 upstream verbs_app_server {
 server unix:/tmp/gunicorn_verbs.sock fail_timeout=0;
 }
diff --git a/conf/init/service/jwtproxy/log/run b/conf/init/service/jwtproxy/log/run
new file mode 100755
index 000000000..0fd684fe2
--- /dev/null
+++ b/conf/init/service/jwtproxy/log/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec logger -i -t jwtproxy
diff --git a/conf/init/service/jwtproxy/run b/conf/init/service/jwtproxy/run
new file mode 100755
index 000000000..48613a7a9
--- /dev/null
+++ b/conf/init/service/jwtproxy/run
@@ -0,0 +1,8 @@
+#! /bin/bash
+
+echo 'Starting jwtproxy'
+
+cd /
+/binary_dependencies/jwtproxy --config conf/jwtproxy_conf.yaml
+
+echo 'Jwtproxy exited'
diff --git a/conf/jwtproxy_conf.yaml b/conf/jwtproxy_conf.yaml
new file mode 100644
index 000000000..fad176309
--- /dev/null
+++ b/conf/jwtproxy_conf.yaml
@@ -0,0 +1,13 @@
+jwtproxy:
+ signer_proxy:
+ enabled: false
+ verifier_proxy:
+ enabled: true
+ listen_addr: unix:/tmp/jwtproxy.sock
+ verifier:
+ upstream: unix:/tmp/gunicorn_web.sock
+ audience: http://quay.io
+ key_server:
+ type: keyregistry
+ options:
+ registry: unix:/tmp/gunicorn_web.sock
diff --git a/conf/server-base.conf b/conf/server-base.conf
index a2b8d1511..04fd06c66 100644
--- a/conf/server-base.conf
+++ b/conf/server-base.conf
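Review bot: In conf/init/service/jwtproxy/run the proxy is launched as a child of the bash wrapper instead of replacing it, so whatever supervises this script (the `service/jwtproxy/{run,log/run}` layout looks like a runit-style service directory — confirm) delivers its stop signal to bash rather than to jwtproxy, and the script's exit status is that of the final `echo`, not of the proxy. Changing the launch line to `exec /binary_dependencies/jwtproxy --config /conf/jwtproxy_conf.yaml` fixes both and also drops the dependence of the relative config path on the preceding `cd /`; the trailing `echo 'Jwtproxy exited'` then becomes unreachable and can go, since the supervisor's own restart logging covers that event. Because the script runs a prebuilt binary checked in under binary_dependencies/, a comment here recording which jwtproxy version (or a checksum kept beside the binary) is being executed would let a reviewer tell what build this actually starts.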
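Review bot: `audience: http://quay.io` is hard-coded into a config that ships with the image, so the verifier presumably accepts only tokens whose `aud` claim is exactly that value; a deployment answering under any other hostname would see every request through this proxy rejected, and nothing ties the value to the server name nginx is actually configured for. Consider templating it from the deployment's configured server hostname, or at minimum add a comment such as `# audience must match the aud claim in the security scanner's tokens; keep in sync with the deployment's server hostname` so the coupling is visible. Both `upstream` and `key_server.options.registry` point at the same `/tmp/gunicorn_web.sock`, meaning the public keys used to verify a request are fetched from the very service the request is then forwarded to; that is probably intended for the `keyregistry` type, but a one-line comment saying so would spare the next reader from wondering whether the key server was meant to be a separate endpoint.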
@@ -49,6 +49,10 @@ location ~ ^/(v1/repositories|v2/auth)/ {
 limit_req zone=repositories burst=10;
 }
 
+location /api/v1/secscan/ {
+ proxy_pass http://jwtproxy;
+}
+
 location ~ ^/v2 {
 # If we're being accessed via v1.quay.io, pretend we don't support v2.
 if ($host = "v1.quay.io") {
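Review bot: `location /api/v1/secscan/` is a plain prefix location, and nginx lets any regular-expression location that also matches a `/api/v1/secscan/...` URI take precedence over it, so if server-base.conf or an included file has a regex location covering `/api/`, those requests would reach the application directly without passing through jwtproxy's verifier; the only regex location visible in this hunk, `^/(v1/repositories|v2/auth)/`, does not match, but the rest of the file lies outside the hunk and should be checked. Writing it as `location ^~ /api/v1/secscan/ {` makes nginx stop at this prefix match and keeps the JWT check from being bypassed by a later regex location. A comment above the block, `# Security-scanner callbacks: jwtproxy verifies the JWT before the request reaches the app`, would also explain why this path is routed differently from the rest of /api/, since nothing else in the config says so. The enclosing server block starts and ends outside the hunk.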