diff --git a/lib/config.js b/lib/config.js
index 403a50a..586208d 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -5,6 +5,24 @@ if (process.env.AWS_SAM_LOCAL !== undefined) {
   console.log(process.env);
 }
 
+function getScaniiAPISecrets() {
+  const headers = {"X-Aws-Parameters-Secrets-Token": process.env.AWS_SESSION_TOKEN}
+  const scaniiAPISecrets = process.env.SCANII_API_SECRETS_NAME;
+  return fetch(`http://localhost:2773/secretsmanager/get?secretId=${scaniiAPISecrets}`, {
+    method: 'GET',
+    headers: headers,
+  })
+    .then(function (response) {
+      if (!response.ok) {
+        throw new Error('API request failed with status: ' + response.status);
+      }
+      return response.json();
+    })
+    .then(function (data) {
+      return data.SecretString;
+    })
+}
+
 function defaults() {
   CONFIG.KEY = null;
   CONFIG.SECRET = null;
@@ -16,13 +34,6 @@ function defaults() {
   CONFIG.MAX_ATTEMPT_DELAY_MSEC = 30_000;
 
 // extracting config overwrites from the environment:
-  if (process.env.API_KEY) {
-    CONFIG.KEY = process.env.API_KEY;
-  }
-  if (process.env.API_SECRET) {
-    CONFIG.SECRET = process.env.API_SECRET;
-  }
-
   if (process.env.API_ENDPOINT) {
     CONFIG.API_ENDPOINT = process.env.API_ENDPOINT;
   }
@@ -50,5 +61,13 @@ function defaults() {
 }
 
 defaults();
+
+var secrets = getScaniiAPISecrets()
+  .then(function (secretString) {
+    secrets = JSON.parse(secretString)
+    CONFIG.KEY = secrets['API_KEY'];
+    CONFIG.SECRET = secrets['API_SECRET'];
+  });
+
 exports.defaults = defaults;
 exports.CONFIG = CONFIG;