diff --git a/cmd/kat-agent/main.go b/cmd/kat-agent/main.go
index 641109a..eb84bb3 100644
--- a/cmd/kat-agent/main.go
+++ b/cmd/kat-agent/main.go
@@ -251,6 +251,13 @@ func runInit(cmd *cobra.Command, args []string) {
 				apiServer.RegisterJoinHandler(func(w http.ResponseWriter, r *http.Request) {
 					log.Printf("Received join request from %s", r.RemoteAddr)
 					
+					// Check if this is a secure connection with client cert
+					if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+						log.Printf("Client provided certificate with CN: %s", r.TLS.PeerCertificates[0].Subject.CommonName)
+					} else {
+						log.Printf("Client did not provide a certificate - this is expected for initial join")
+					}
+					
 					// Read request body
 					var joinReq cli.JoinRequest
 					if err := json.NewDecoder(r.Body).Decode(&joinReq); err != nil {
diff --git a/internal/api/server.go b/internal/api/server.go
index 694b000..57544c4 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -8,6 +8,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 )
 
@@ -105,12 +106,28 @@ func (s *Server) Start() error {
 		return fmt.Errorf("failed to append CA certificate to pool")
 	}
 
-	// Configure TLS
+	// Configure TLS with GetConfigForClient to allow join endpoint without client cert
 	s.httpServer.TLSConfig = &tls.Config{
 		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientAuth:   tls.RequireAndVerifyClientCert, // Default, but will be overridden for join endpoint
 		ClientCAs:    caCertPool,
 		MinVersion:   tls.VersionTLS12,
+		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
+			// Check if this is a request to the join endpoint
+			// This is a simple check based on SNI, but in a real implementation
+			// we would need a more robust way to identify the join endpoint
+			if hello.ServerName == "" && strings.HasPrefix(hello.Conn.RemoteAddr().String(), "127.0.0.1:") {
+				// For local connections, assume it might be a join request and don't require client cert
+				return &tls.Config{
+					Certificates: []tls.Certificate{cert},
+					ClientAuth:   tls.RequestClientCert, // Request but don't require
+					ClientCAs:    caCertPool,
+					MinVersion:   tls.VersionTLS12,
+				}, nil
+			}
+			// For all other requests, use the default config (require client cert)
+			return nil, nil
+		},
 	}
 
 	log.Printf("Server configured with TLS, starting to listen for requests")