diff --git a/confluent_osdeploy/common/opt/confluent/bin/apiclient b/confluent_osdeploy/common/opt/confluent/bin/apiclient
index 0ebdc091..5e8c418a 100644
--- a/confluent_osdeploy/common/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/opt/confluent/bin/apiclient
@@ -10,13 +10,32 @@ import ssl
 import sys
 def get_apikey(nodename, mgr):
+    sealnew = True
     if os.path.exists('/etc/confluent/confluent.apikey'):
         return open('/etc/confluent/confluent.apikey').read().strip()
     apikey = subprocess.check_output(['/opt/confluent/bin/clortho', nodename, mgr])
     if not isinstance(apikey, str):
         apikey = apikey.decode('utf8')
+    if apikey.startswith('SEALED:'):
+        sealnew = False
+        with open('/etc/confluent/confluent.sealedapikey', 'w+') as apiout:
+            apiout.write(apikey[7:])
+        with open('/etc/confluent/confluent.sealedapikey') as inp:
+            sp = subprocess.Popen(['/usr/bin/clevis-decrypt-tpm2'],
+                                  stdin=inp, stdout=subprocess.PIPE)
+            apikey = sp.communicate()[0]
+            if not isinstance(apikey, str):
+                apikey = apikey.decode('utf8')
     with open('/etc/confluent/confluent.apikey', 'w+') as apiout:
         apiout.write(apikey)
+    if sealnew and os.path.exists('/usr/bin/clevis-encrypt-tpm2'):
+        try:
+            with open('/etc/confluent/confluent.apikey') as apin:
+                sealed = subprocess.check_output(
+                    ['/usr/bin/clevis-encrypt-tpm2', '{}'], stdin=apin)
+            print(HTTPSClient().grab_url('/confluent-api/self/saveapikey', sealed).decode())
+        except Exception:
+            sys.stderr.write('Unable to persist API key through TPM2 sealing\n')
     apikey = apikey.strip()
     os.chmod('/etc/confluent/confluent.apikey', 0o600)
     return apikey
diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index b8f45265..1f62fd66 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
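Review bot: The unseal path on the new `sp = subprocess.Popen(['/usr/bin/clevis-decrypt-tpm2'], ...)` lines never checks the child's exit status, so a failed decrypt (TPM state changed, clevis not installed) leaves `apikey` as an empty string that is then written to `/etc/confluent/confluent.apikey` and returned, and every later call takes the early-return branch and reads that empty file, caching the broken state. Use `subprocess.check_output(['/usr/bin/clevis-decrypt-tpm2'], stdin=inp)` so a non-zero exit raises, and refuse to write the key file when the unsealed value is empty. Separately, the key file is created by `open(..., 'w+')` under the process umask and the existing `os.chmod(..., 0o600)` now runs only after the added seal-and-upload step, which widens the window in which the plaintext key can be readable by other local users; creating it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` closes that window, and the same treatment is worth giving to confluent.sealedapikey, which is never chmod'd at all. The `'{}'` passed to clevis-encrypt-tpm2 binds the blob to the TPM alone with no PCR policy, which is a deliberate tradeoff worth recording in a comment on that line.
```python
    if apikey.startswith('SEALED:'):
        sealnew = False
        with open('/etc/confluent/confluent.sealedapikey', 'w+') as apiout:
            apiout.write(apikey[7:])
        with open('/etc/confluent/confluent.sealedapikey') as inp:
            # check_output raises CalledProcessError on a failed unseal
            apikey = subprocess.check_output(
                ['/usr/bin/clevis-decrypt-tpm2'], stdin=inp)
        if not isinstance(apikey, str):
            apikey = apikey.decode('utf8')
        if not apikey.strip():
            raise Exception('TPM2 unseal of the API key returned no data')
    # create the key file as 0600 from the start instead of chmod after the fact
    fd = os.open('/etc/confluent/confluent.apikey',
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as apiout:
        apiout.write(apikey)
    # … unchanged: clevis-encrypt-tpm2 sealing and saveapikey upload …
```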
@@ -256,8 +256,11 @@ def handle_request(env, start_response):
         else:
             start_response('500 Error', (('Content-Type', 'text/plain'),))
             yield 'No pending profile detected, unable to accept status update'
-    elif env['PATH_INFO'] == '/self/savetoken':
-        print(repr(reqbody))
+    elif env['PATH_INFO'] == '/self/saveapikey':
+        cfg.set_node_attributes({
+            nodename: {'deployment.sealedapikey': {'value': reqbody}}})
+        start_response('200 OK', ())
+        yield ''
     else:
         start_response('404 Not Found', ())
         yield 'Not found'
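Review bot: The new `/self/saveapikey` branch stores `reqbody` verbatim as `deployment.sealedapikey` with no check on its size or content, so an empty or arbitrarily large body is persisted as the node's sealed key and silently overwrites any previous value. Before the `cfg.set_node_attributes(...)` call, reject a missing or empty body and cap its length (a clevis JWE blob is a short ASCII string), answering with `start_response('400 Bad Request', ())` and `yield 'Invalid sealed key'` otherwise. The authentication and client-identity checks that make `nodename` trustworthy sit outside this hunk, as does the start of `handle_request`, so I cannot confirm from here that only the node itself can reach this path; a one-line comment at the branch stating that precondition would help the next reader. `reqbody` is presumably bytes on Python 3 — worth confirming the attribute store accepts that, or decoding it before storing.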