diff --git a/service/config/sample-secrets-bundle.yml b/service/config/sample-secrets-bundle.yml
index 3303136b5444675f32896e6185f8afcb3e69ce56..a4c6389107db696fe782f4c55be2a7b7aafd616e 100644
--- a/service/config/sample-secrets-bundle.yml
+++ b/service/config/sample-secrets-bundle.yml
@@ -46,6 +46,8 @@ gcpAttachments.rsaSigningKey: |
   AAAAAAAA
   -----END PRIVATE KEY-----
 
+apn.teamId: team-id
+apn.keyId: key-id
 apn.signingKey: |
   -----BEGIN PRIVATE KEY-----
   ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
diff --git a/service/config/sample.yml b/service/config/sample.yml
index ee51a9f8adc46a98d782cb2fb1352d0e561dfe4f..93b75a7dad1f5549a5ab0e9a35334ceba850582a 100644
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -208,8 +208,8 @@ accountDatabaseCrawler:
 apn: # Apple Push Notifications configuration
   sandbox: true
   bundleId: com.example.textsecuregcm
-  keyId: unset
-  teamId: unset
+  keyId: secret://apn.keyId
+  teamId: secret://apn.teamId
   signingKey: secret://apn.signingKey
 
 fcm: # FCM configuration
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
index 3a996d6bacca527dadb32a76bdb8a76f68a5c12f..440c6423fda3e06a810bc24a8591ea7e1c9b29a3 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
@@ -9,8 +9,8 @@ import javax.validation.constraints.NotNull;
 import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
 
-public record ApnConfiguration(@NotBlank String teamId,
-                               @NotBlank String keyId,
+public record ApnConfiguration(@NotNull SecretString teamId,
+                               @NotNull SecretString keyId,
                                @NotNull SecretString signingKey,
                                @NotBlank String bundleId,
                                boolean sandbox) {
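Review bot: Replacing `@NotBlank String` with `@NotNull SecretString` on `teamId` and `keyId` drops the explicit non-blank constraint at this record, so whether an empty `apn.teamId` or `apn.keyId` is still rejected at startup now depends on what `SecretString` validates, which is not visible in this diff. If `SecretString` does not reject blank values itself, a misconfigured secrets bundle would only surface later as a failed APNs authentication instead of a configuration error. In that case a compact-constructor check such as `if (teamId.value().isBlank() || keyId.value().isBlank()) throw new IllegalArgumentException("apn teamId and keyId must not be blank");` would restore the old guarantee without echoing the values. The record body continues outside the hunk, so an existing check there may already cover this.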
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java b/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
index 15482ac0d0f7a7f4dc44c1aaa1bb93735ac3cd2d..e4aaa54618de772b2a1e046a28c53e292ca9d2db 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
@@ -64,7 +64,7 @@ public class APNSender implements Managed, PushNotificationSender {
     this.bundleId = configuration.bundleId();
     this.apnsClient = new ApnsClientBuilder().setSigningKey(
             ApnsSigningKey.loadFromInputStream(new ByteArrayInputStream(configuration.signingKey().value().getBytes()),
-                configuration.teamId(), configuration.keyId()))
+                configuration.teamId().value(), configuration.keyId().value()))
         .setTrustedServerCertificateChain(getClass().getResourceAsStream(APNS_CA_FILENAME))
         .setApnsServer(configuration.sandbox() ? ApnsClientBuilder.DEVELOPMENT_APNS_HOST : ApnsClientBuilder.PRODUCTION_APNS_HOST)
         .build();
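Review bot: The signing key on the line just above the changed one is still converted with a bare `getBytes()`, so the bytes handed to `ApnsSigningKey.loadFromInputStream` depend on the JVM's default charset. Since this statement is being touched for the secret migration anyway, it would be worth pinning the encoding: `new ByteArrayInputStream(configuration.signingKey().value().getBytes(StandardCharsets.UTF_8))`, with `java.nio.charset.StandardCharsets` imported if the file does not already have it. The enclosing constructor starts outside the hunk, so how exceptions from key loading are handled cannot be judged from here.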