diff --git a/service/config/sample-secrets-bundle.yml b/service/config/sample-secrets-bundle.yml
index 3303136b5..a4c638910 100644
--- a/service/config/sample-secrets-bundle.yml
+++ b/service/config/sample-secrets-bundle.yml
@@ -46,6 +46,8 @@ gcpAttachments.rsaSigningKey: |
   AAAAAAAA
   -----END PRIVATE KEY-----
 
+apn.teamId: team-id
+apn.keyId: key-id
 apn.signingKey: |
   -----BEGIN PRIVATE KEY-----
   ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
diff --git a/service/config/sample.yml b/service/config/sample.yml
index ee51a9f8a..93b75a7da 100644
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -208,8 +208,8 @@ accountDatabaseCrawler:
 apn: # Apple Push Notifications configuration
   sandbox: true
   bundleId: com.example.textsecuregcm
-  keyId: unset
-  teamId: unset
+  keyId: secret://apn.keyId
+  teamId: secret://apn.teamId
   signingKey: secret://apn.signingKey
 
 fcm: # FCM configuration
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
index 3a996d6ba..440c6423f 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
@@ -9,8 +9,8 @@ import javax.validation.constraints.NotNull;
 import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
 
-public record ApnConfiguration(@NotBlank String teamId,
-                               @NotBlank String keyId,
+public record ApnConfiguration(@NotNull SecretString teamId,
+                               @NotNull SecretString keyId,
                                @NotNull SecretString signingKey,
                                @NotBlank String bundleId,
                                boolean sandbox) {
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java b/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
index 15482ac0d..e4aaa5461 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
@@ -64,7 +64,7 @@ public class APNSender implements Managed, PushNotificationSender {
     this.bundleId = configuration.bundleId();
     this.apnsClient = new ApnsClientBuilder().setSigningKey(
             ApnsSigningKey.loadFromInputStream(new ByteArrayInputStream(configuration.signingKey().value().getBytes()),
-                configuration.teamId(), configuration.keyId()))
+                configuration.teamId().value(), configuration.keyId().value()))
         .setTrustedServerCertificateChain(getClass().getResourceAsStream(APNS_CA_FILENAME))
         .setApnsServer(configuration.sandbox() ? ApnsClientBuilder.DEVELOPMENT_APNS_HOST : ApnsClientBuilder.PRODUCTION_APNS_HOST)
         .build();