diff --git a/README.md b/README.md
index d78d903..2182fb5 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ WantedBy=multi-user.target
 ## API
 ### Unlock
-POST `/api/unlock`
+POST `/api/admin/unlock`
 Data
 ```
@@ -71,11 +71,13 @@ Data
 }
 ```
-If the SECRETS_KEY environment variable is not defined, this API call to unlock stored secrets must be performed after initial startup of SMT. Storing/retrieval of secrets will not succeed until this API call has been made.
+If the SECRETS_KEY environment variable is not defined, this API call to unlock stored secrets must be performed after initial startup of SMT. Storing/retrieval of secrets will not succeed until this API call has been made.
+
+This API call can only be made once after the service has started. Subsequent calls will receive an error until the service is restarted.
 ### User Operations
-#### Register
+#### Register User
 POST `/api/admin/user/register`
 Data
@@ -89,7 +91,7 @@ Data
 This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the `/api/admin/roles` endpoint.
-#### Remove Users
+#### Remove User
 POST `/api/admin/user/delete`
 Data
diff --git a/controllers/unlock.go b/controllers/unlock.go
index 71531b7..5f55561 100644
--- a/controllers/unlock.go
+++ b/controllers/unlock.go
@@ -24,6 +24,11 @@ func Unlock(c *gin.Context) {
 }
 log.Println("Unlock received JSON input")
+ if models.CheckKeyProvided() {
+ c.JSON(http.StatusBadRequest, gin.H{"error": "secret key can only be provided once after service start"})
+ return
+ }
+
 // check that the key is 32 bytes long
 if len(input.SecretKey) != 32 {
 c.JSON(http.StatusBadRequest, gin.H{"error": "secret key provided is invalid, must be exactly 32 bytes long"})
diff --git a/main.go b/main.go
index 6635d0f..0f4ce26 100644
--- a/main.go
+++ b/main.go
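Review bot: In controllers/unlock.go the new `models.CheckKeyProvided()` guard is a check-then-act on shared state: the flag is read here and the key is presumably stored later in the handler, so two concurrent unlock requests can both pass the guard before either one records a key. The helper added in models/key.go returns `secretReceived` with no visible lock, so under concurrent requests this also looks like a data race. Doing the test and the store as one step inside models, under a `sync.Mutex` or with an `atomic.Bool` and `CompareAndSwap(false, true)`, and returning an error from there when a key is already present would close that window. Whether a well-formed but wrong key is accepted cannot be seen from here; if it is, the once-only rule means a bad first call leaves secrets unusable until restart, so the flag should only be set after the key has been verified. The body of Unlock starts and ends outside the hunk.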
@@ -242,7 +242,7 @@ func main() {
 // Register our routes
 public := router.Group("/api")
 public.POST("/login", controllers.Login)
- public.POST("/unlock", controllers.Unlock)
+ //public.POST("/unlock", controllers.Unlock)
 // API calls that only an administrator can make
 adminOnly := router.Group("/api/admin")
@@ -252,6 +252,9 @@ func main() {
 adminOnly.GET("/roles", controllers.GetRoles)
 adminOnly.GET("/users", controllers.GetUsers)
+ // TODO Make unlock an admin only function
+ adminOnly.POST("/unlock", controllers.Unlock)
+
 // Get secrets
 protected := router.Group("/api/secret")
 protected.Use(middlewares.JwtAuthMiddleware())
diff --git a/models/key.go b/models/key.go
index 02af83a..c2f0b79 100644
--- a/models/key.go
+++ b/models/key.go
@@ -28,3 +28,7 @@ func ProvideKey() ([]byte, error) {
 return nil, errors.New("secret key has not been received")
 }
 }
+
+func CheckKeyProvided() bool {
+ return secretReceived
+}
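Review bot: The comment `// TODO Make unlock an admin only function` in the second main.go hunk leaves it unclear whether `/api/admin/unlock` is actually authenticated: the route is registered on the `adminOnly` group, but whatever middleware that group uses is attached outside both hunks. If the group already enforces authentication and the admin role, replace the TODO with a statement of fact such as `// Unlock requires an admin token and is accepted once per service start.`; if it does not, the endpoint is still reachable without credentials under an admin-looking path and the TODO should be resolved before this is merged. In the first hunk, delete the old route rather than leaving `//public.POST("/unlock", controllers.Unlock)` commented out, since version control already keeps the history. main's body starts and ends outside the hunks.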
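Review bot: The exported `CheckKeyProvided` added at the end of models/key.go has no doc comment; add `// CheckKeyProvided reports whether a secret key has already been received since the service started.` above it. The name also reads like an action rather than a query, so `KeyProvided` would fit Go's convention for boolean accessors better, though renaming means updating the caller in controllers/unlock.go as well.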