diff --git a/bridgehead b/bridgehead
index 8db9735..b1b5d36 100755
--- a/bridgehead
+++ b/bridgehead
@@ -66,6 +66,7 @@ loadVars() {
 	detectCompose
 	setHostname
 	setupProxy
+    sync_secrets
 }
 
 case "$ACTION" in
diff --git a/lib/functions.sh b/lib/functions.sh
index 4d2bb2f..4c435a9 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -239,3 +239,35 @@ add_basic_auth_user() {
  	log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
    sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
 }
+
+SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""}
+# First argument is the variable name that will be generated.
+# Second argument is a comma seperated list of allowed redirect urls for the oidc client.
+function generate_oidc_client() {
+    local delimiter=$'\x1E'
+    if [[ $SECRET_SYNC_ARGS == "" ]]; then
+        SECRET_SYNC_ARGS+="OIDC:$1:$2"
+    else 
+        SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:$2"
+    fi
+}
+
+function sync_secrets() {
+    if [[ $SECRET_SYNC_ARGS == "" ]]; then
+        return
+    fi
+    # The oidc provider will need to be switched based on the project at some point I guess
+    docker run --rm \
+        -v /var/cache/bridgehead/secrets:/usr/local/cache \
+        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+        -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+        -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
+        -e PROXY_ID=$PROXY_ID \
+        -e BROKER_URL=$BROKER_URL \
+        -e OIDC_PROVIDER=secret-sync.central.$BROKER_ID \
+        -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
+        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+    source /var/cache/bridgehead/secrets/*
+}