diff --git a/group_vars/default/pvc.yml b/group_vars/default/pvc.yml
index 7f4638a..d4c9877 100644
--- a/group_vars/default/pvc.yml
+++ b/group_vars/default/pvc.yml
@@ -7,6 +7,14 @@ pvc_log_keepalive_cluster_details: True
 pvc_log_keepalive_storage_details: True
 pvc_log_console_lines: 1000
+# Client API authentication configuration
+# > If the key is left blank, the API will listen UNAUTHENTICATED on all IP addresses of the
+# current primary node; use this with care and not in unsecured environments (e.g. if the
+# upstream network is untrusted).
+pvc_api_authentication_key: "" # Use pwgen to generate
+pvc_api_listen_address: "0.0.0.0"
+pvc_api_listen_port: "7370"
+
 # Ceph storage
 pvc_ceph_storage_secret_uuid: "" # Use uuidgen to generate
diff --git a/roles/pvc/tasks/pvc/main.yml b/roles/pvc/tasks/pvc/main.yml
index 4aeb327..e701f6e 100644
--- a/roles/pvc/tasks/pvc/main.yml
+++ b/roles/pvc/tasks/pvc/main.yml
@@ -3,19 +3,22 @@
 apt:
 name:
 - pvc-daemon
- - pvc-client-cli
 - pvc-client-common
+ - pvc-client-cli
+ - pvc-client-api
 - debootstrap
 - ethtool
 state: latest
-- name: install pvc configuration
+- name: install pvc configurations
 template:
- src: pvc/{{ item }}.j2
- dest: /etc/pvc/{{ item }}
+ src: pvc/{{ item }}.yaml.j2
+ dest: /etc/pvc/{{ item }}.yaml
+ notify:
+ - restart {{ item }}
 with_items:
- - pvcd.yaml
- notify: restart pvcd
+ - pvcd
+ - pvc-api
 - name: stop and disable unneccessary services
 service:
@@ -29,7 +32,7 @@
 when: bootstrap is defined and bootstrap
 run_once: yes
-- name: enable services but don't start them
+- name: enable daemon services but don't start them
 service:
 name: "{{ item }}"
 enabled: yes
diff --git a/roles/pvc/templates/pvc/pvc-api.yaml.j2 b/roles/pvc/templates/pvc/pvc-api.yaml.j2
new file mode 100644
index 0000000..cb43f1a
--- /dev/null
+++ b/roles/pvc/templates/pvc/pvc-api.yaml.j2
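Review bot: The defaults added to group_vars/default/pvc.yml fail open: `pvc_api_authentication_key: ""` combined with `pvc_api_listen_address: "0.0.0.0"` is, by the hunk's own comment, an unauthenticated API on every address of the primary node, and that is what any cluster inheriting these defaults gets. A safer default is `pvc_api_listen_address: "127.0.0.1"`, so that exposing the API is a deliberate per-cluster override. If clients must reach it on the upstream address, keep the address and have the role fail when the key is empty. The `# Use pwgen to generate` comment should also say where the key belongs, e.g. `# Use pwgen to generate; keep in a vault-encrypted vars file`, so the secret is not committed in plain group_vars.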
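Review bot: In roles/pvc/tasks/pvc/main.yml the `install pvc configurations` task now renders /etc/pvc/pvc-api.yaml, which carries the API authentication key, but sets no `owner`, `group` or `mode`, so the file's permissions are left to the module's defaults and it may be readable by every local user on the node. Add `mode: "0640"` with `owner: root` and the group the API service runs as (not visible in this diff), plus `no_log: true` so the key does not appear in `--diff` or verbose output. The per-item `notify: - restart {{ item }}` also depends on a handler named `restart pvc-api`; no handlers file is touched here, so confirm it exists, since Ansible errors on a notified handler it cannot find.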
@@ -0,0 +1,13 @@
+---
+# pvc-api client configuration
+# {{ ansible_managed }}
+pvc:
+ coordinators:
+{% for node in pvc_nodes if node.is_coordinator %}
+ - {{ node.hostname }}.{{ pvc_cluster_domain }}
+{% endfor %}
+ api:
+ listen_address: "{{ pvc_api_listen_address }}"
+ listen_port: "{{ pvc_api_listen_port }}"
+ authentication:
+ key: "{{ pvc_api_authentication_key }}"
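Review bot: `key: "{{ pvc_api_authentication_key }}"` interpolates the secret straight into a double-quoted YAML scalar, so a generated key containing `"` or `\` either breaks the rendered file or is read back as a different value from the one clients present. Render it through a serialising filter instead, `key: {{ pvc_api_authentication_key | to_json }}`, which emits a correctly escaped double-quoted string and still yields `""` for an empty key. `listen_port: "{{ pvc_api_listen_port }}"` reaches the API as a string; if the daemon expects an integer (not visible here), use `listen_port: {{ pvc_api_listen_port | int }}`. A comment above the key line such as `# An empty key disables API authentication` would carry the warning from group_vars into the file operators actually read on the node.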