diff --git a/llarp/config/config.cpp b/llarp/config/config.cpp
index eda628dda0..19526fde62 100644
--- a/llarp/config/config.cpp
+++ b/llarp/config/config.cpp
@@ -2,6 +2,7 @@
 #include "definition.hpp"
 #include "ini.hpp"
+#include
 #include
 #include
 #include
@@ -1152,10 +1153,45 @@ namespace llarp
 "Recommend localhost-only for security purposes.",
 });
- conf.defineOption("api", "authkey", Deprecated);
+ conf.defineOption(
+ "api",
+ "bind_curve",
+ Default{""},
+ MultiValue,
+ [this](std::string arg) mutable {
+ if (arg.empty())
+ return;
+
+ auto pipe = arg.find("|");
+
+ if (pipe == arg.npos)
+ throw std::invalid_argument(
+ "Addresses and whitelisted pubkeys must be pipe-delimited key:value pairs");
+
+ auto key = arg.substr(0, pipe), values = arg.substr(pipe + 1, arg.npos);
- // TODO: this was from pre-refactor:
- // TODO: add pubkey to whitelist
+ if (not starts_with(key, "tcp://"))
+ key = "tcp://" + key;
+
+ auto pubkeys = split(values, ",", true);
+
+ for (auto& pk : pubkeys)
+ m_rpcEncryptedAddresses[oxenmq::address{key}].emplace(pk);
+ },
+ Comment{
+ "Specify encrypted listener addresses and comma-delimited public keys to be accepted ",
+ "by exposed encrypted listener. Keys must be attached to a listener address.",
+ "",
+ "Example: ",
+ " bind_curve=tcp://0.0.0.0:1234|pubkeyA,pubkeyB",
+ " bind_curve=tcp://0.0.0.0:5678|pubkeyC,pubkeyD",
+ "",
+ "In the given example above, port 1234 is only accessible by whitelisted ",
+ "pubkeys A and B, while 5678 is accessible by C and D.",
+ "",
+ "Note: tcp addresses passed without \"tcp://\" prefix will have it prepended"});
+
+ conf.defineOption("api", "authkey", Deprecated);
 }
 void
diff --git a/llarp/config/config.hpp b/llarp/config/config.hpp
index 3165f03543..5b18636df8 100644
--- a/llarp/config/config.hpp
+++ b/llarp/config/config.hpp
@@ -2,8 +2,8 @@
 #include "ini.hpp"
 #include "definition.hpp"
+#include
 #include
-
 #include
 #include
 #include
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include
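Review bot: The new bind_curve handler only checks that a `|` is present, so `values` may be empty (`tcp://0.0.0.0:1234|`) or contain empty entries (`…|,pubkeyA`), and the `for` loop then registers the listener with an empty or partly empty allow-list; whether the RPC side treats an empty set as "nobody" or as unrestricted is not visible here, so the safe move is to reject it at parse time. Add `if (values.empty()) throw std::invalid_argument("bind_curve: at least one pubkey is required after '|'");` after the `substr` line and `if (pk.empty()) throw std::invalid_argument("bind_curve: empty pubkey in whitelist");` inside the loop, before the `emplace`. Two style nits in the same lambda: `mutable` is unnecessary since only `this` is captured and nothing captured is modified, and `arg.find("|")` should be `arg.find('|')`. The enclosing function's signature lies outside the hunk.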
@@ -190,6 +191,7 @@ namespace llarp
 {
 bool m_enableRPCServer = false;
 std::vector m_rpcBindAddresses;
+ std::unordered_map> m_rpcEncryptedAddresses;
 void defineConfigOptions(ConfigDefinition& conf, const ConfigGenParameters& params);