diff --git a/confluent_server/confluent/credserver.py b/confluent_server/confluent/credserver.py
index 89c536db..8484e326 100644
--- a/confluent_server/confluent/credserver.py
+++ b/confluent_server/confluent/credserver.py
@@ -25,6 +25,10 @@ import hashlib
 import hmac
 import os
 import struct
+import ctypes
+import ctypes.util
+
+libc = ctypes.CDLL(ctypes.util.find_library('c'))
 
 # cred grant tlvs:
 # 0, 0 - null
@@ -36,6 +40,50 @@ import struct
 # 6, len, hmac - hmac of crypted key using shared secret for long-haul support
 # 128, len, len, key - sealed key
 
+_semitrusted = []
+
+def read_authnets(cfgpath):
+    with open(cfgpath, 'r') as cfgin:
+            _semitrusted = []
+            for line in cfgin.readlines:
+                line = line.split('#', 1)[0].strip()
+                if '/' not in line:
+                    continue
+                subnet, prefix = line.split('/')
+                _semitrusted.append((subnet, prefix))
+
+
+def watch_trusted():
+    while True:
+        watcher = libc.inotify_init1(os.O_NONBLOCK)
+        cfgpath = '/etc/confluent/auth_nets'
+        if not os.path.exists(cfgpath):
+            with open(cfgpath, 'w') as cfgout:
+                cfgout.write(
+                    '# This is a list of networks in addition to local\n'
+                    '# networks to allow grant of initial deployment token,\n'
+                    '# when a node has deployment API armed\n')
+        read_authnets(cfgpath)
+        if libc.inotify_add_watch(watcher, cfgpath, 0xcc2) <= -1:
+            eventlet.sleep(15)
+            continue
+        select.select((watcher,), (), (), 86400)
+        try:
+            os.read(watcher, 1024)
+        except Exception:
+            pass
+        os.close(watcher)
+
+
+
+def address_is_somewhat_trusted(address):
+    for authnet in _semitrusted:
+        if netutil.ip_on_same_subnet(address, authnet[0], authnet[1]):
+            return True
+    if netutil.address_is_local(address):
+        return True
+    return False
+
 class CredServer(object):
     def __init__(self):
         self.cfm = cfm.ConfigManager(None)
@@ -60,7 +108,7 @@ class CredServer(object):
             elif tlv[1]:
                 client.recv(tlv[1])
             if not hmackey:
-                if not netutil.address_is_local(peer[0]):
+                if not address_is_somewhat_trusted(peer[0]):
                     client.close()
                     return
                 apimats = self.cfm.get_node_attributes(nodename,
diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py
index 341f1973..d7cd0736 100644
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@@ -496,6 +496,7 @@ class SockApi(object):
             self.start_remoteapi()
         else:
             eventlet.spawn_n(self.watch_for_cert)
+        eventlet.spawn_n(credserver.watch_trusted)
         eventlet.spawn_n(self.watch_resolv)
         self.unixdomainserver = eventlet.spawn(_unixdomainhandler)