diff --git a/Cargo.lock b/Cargo.lock
index 63de92dd..7eed3c0f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1596,6 +1596,7 @@ dependencies = [
  "cb-pbs",
  "cb-signer",
  "eyre",
+ "jsonwebtoken",
  "reqwest",
  "serde_json",
  "tempfile",
diff --git a/crates/cli/src/docker_init.rs b/crates/cli/src/docker_init.rs
index 7f418e97..84473a6d 100644
--- a/crates/cli/src/docker_init.rs
+++ b/crates/cli/src/docker_init.rs
@@ -6,16 +6,16 @@ use std::{
 
 use cb_common::{
     config::{
-        CommitBoostConfig, LogsSettings, ModuleKind, SignerConfig, SignerType, BUILDER_PORT_ENV,
-        BUILDER_URLS_ENV, CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV, DIRK_CA_CERT_DEFAULT,
-        DIRK_CA_CERT_ENV, DIRK_CERT_DEFAULT, DIRK_CERT_ENV, DIRK_DIR_SECRETS_DEFAULT,
-        DIRK_DIR_SECRETS_ENV, DIRK_KEY_DEFAULT, DIRK_KEY_ENV, JWTS_ENV, LOGS_DIR_DEFAULT,
-        LOGS_DIR_ENV, METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, PBS_ENDPOINT_ENV,
-        PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV, PROXY_DIR_KEYS_DEFAULT,
-        PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT, PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT,
-        SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS_DEFAULT,
-        SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME,
-        SIGNER_URL_ENV,
+        CommitBoostConfig, LogsSettings, ModuleKind, SignerConfig, SignerType, ADMIN_JWT_ENV,
+        BUILDER_PORT_ENV, BUILDER_URLS_ENV, CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV,
+        DIRK_CA_CERT_DEFAULT, DIRK_CA_CERT_ENV, DIRK_CERT_DEFAULT, DIRK_CERT_ENV,
+        DIRK_DIR_SECRETS_DEFAULT, DIRK_DIR_SECRETS_ENV, DIRK_KEY_DEFAULT, DIRK_KEY_ENV, JWTS_ENV,
+        LOGS_DIR_DEFAULT, LOGS_DIR_ENV, METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV,
+        PBS_ENDPOINT_ENV, PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV,
+        PROXY_DIR_KEYS_DEFAULT, PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT,
+        PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV,
+        SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV, SIGNER_KEYS_ENV,
+        SIGNER_MODULE_NAME, SIGNER_URL_ENV,
     },
     pbs::{BUILDER_API_PATH, GET_STATUS_PATH},
     signer::{ProxyStore, SignerLoader, DEFAULT_SIGNER_PORT},
@@ -333,6 +333,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
                 let mut signer_envs = IndexMap::from([
                     get_env_val(CONFIG_ENV, CONFIG_DEFAULT),
                     get_env_same(JWTS_ENV),
+                    get_env_same(ADMIN_JWT_ENV),
                 ]);
 
                 // Bind the signer API to 0.0.0.0
@@ -366,6 +367,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
 
                 // write jwts to env
                 envs.insert(JWTS_ENV.into(), format_comma_separated(&jwts));
+                envs.insert(ADMIN_JWT_ENV.into(), random_jwt_secret());
 
                 // volumes
                 let mut volumes = vec![config_volume.clone()];
diff --git a/crates/common/src/commit/constants.rs b/crates/common/src/commit/constants.rs
index 7c9f948c..ea9cd9bb 100644
--- a/crates/common/src/commit/constants.rs
+++ b/crates/common/src/commit/constants.rs
@@ -3,3 +3,4 @@ pub const REQUEST_SIGNATURE_PATH: &str = "/signer/v1/request_signature";
 pub const GENERATE_PROXY_KEY_PATH: &str = "/signer/v1/generate_proxy_key";
 pub const STATUS_PATH: &str = "/status";
 pub const RELOAD_PATH: &str = "/reload";
+pub const REVOKE_MODULE_PATH: &str = "/revoke_jwt";
diff --git a/crates/common/src/commit/request.rs b/crates/common/src/commit/request.rs
index b8843234..9a67dcc2 100644
--- a/crates/common/src/commit/request.rs
+++ b/crates/common/src/commit/request.rs
@@ -1,4 +1,5 @@
 use std::{
+    collections::HashMap,
     fmt::{self, Debug, Display},
     str::FromStr,
 };
@@ -9,13 +10,17 @@ use alloy::{
     rpc::types::beacon::BlsSignature,
 };
 use derive_more::derive::From;
-use serde::{Deserialize, Serialize};
+use serde::{Deserialize, Deserializer, Serialize};
 use tree_hash::TreeHash;
 use tree_hash_derive::TreeHash;
 
 use crate::{
-    constants::COMMIT_BOOST_DOMAIN, error::BlstErrorWrapper, signature::verify_signed_message,
-    signer::BlsPublicKey, types::Chain,
+    config::decode_string_to_map,
+    constants::COMMIT_BOOST_DOMAIN,
+    error::BlstErrorWrapper,
+    signature::verify_signed_message,
+    signer::BlsPublicKey,
+    types::{Chain, ModuleId},
 };
 
 pub trait ProxyId: AsRef<[u8]> + Debug + Clone + Copy + TreeHash + Display {}
@@ -198,6 +203,31 @@ pub struct GetPubkeysResponse {
     pub keys: Vec<ConsensusProxyMap>,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ReloadRequest {
+    #[serde(default, deserialize_with = "deserialize_jwt_secrets")]
+    pub jwt_secrets: Option<HashMap<ModuleId, String>>,
+    pub admin_secret: Option<String>,
+}
+
+pub fn deserialize_jwt_secrets<'de, D>(
+    deserializer: D,
+) -> Result<Option<HashMap<ModuleId, String>>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let raw: String = Deserialize::deserialize(deserializer)?;
+
+    decode_string_to_map(&raw)
+        .map(Some)
+        .map_err(|_| serde::de::Error::custom("Invalid format".to_string()))
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct RevokeModuleRequest {
+    pub module_id: ModuleId,
+}
+
 /// Map of consensus pubkeys to proxies
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct ConsensusProxyMap {
@@ -288,7 +318,7 @@ mod tests {
 
         let _: SignedProxyDelegationBls = serde_json::from_str(data).unwrap();
 
-        let data = r#"{ 
+        let data = r#"{
             "message": {
                 "delegator": "0xa3366b54f28e4bf1461926a3c70cdb0ec432b5c92554ecaae3742d33fb33873990cbed1761c68020e6d3c14d30a22050",
                 "proxy": "0x4ca9939a8311a7cab3dde201b70157285fa81a9d"
diff --git a/crates/common/src/config/constants.rs b/crates/common/src/config/constants.rs
index 8b07f732..743cdbe9 100644
--- a/crates/common/src/config/constants.rs
+++ b/crates/common/src/config/constants.rs
@@ -42,6 +42,7 @@ pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV: &str =
 
 /// Comma separated list module_id=jwt_secret
 pub const JWTS_ENV: &str = "CB_JWTS";
+pub const ADMIN_JWT_ENV: &str = "CB_SIGNER_ADMIN_JWT";
 
 /// Path to json file with plaintext keys (testing only)
 pub const SIGNER_KEYS_ENV: &str = "CB_SIGNER_LOADER_FILE";
diff --git a/crates/common/src/config/signer.rs b/crates/common/src/config/signer.rs
index 7e5fbd58..d0adcdf4 100644
--- a/crates/common/src/config/signer.rs
+++ b/crates/common/src/config/signer.rs
@@ -133,6 +133,7 @@ pub struct StartSignerConfig {
     pub store: Option<ProxyStore>,
     pub endpoint: SocketAddr,
     pub jwts: HashMap<ModuleId, String>,
+    pub admin_secret: String,
     pub jwt_auth_fail_limit: u32,
     pub jwt_auth_fail_timeout_seconds: u32,
     pub dirk: Option<DirkConfig>,
@@ -142,7 +143,7 @@ impl StartSignerConfig {
     pub fn load_from_env() -> Result<Self> {
         let config = CommitBoostConfig::from_env_path()?;
 
-        let jwts = load_jwt_secrets()?;
+        let (admin_secret, jwts) = load_jwt_secrets()?;
 
         let signer_config = config.signer.ok_or_eyre("Signer config is missing")?;
 
@@ -177,6 +178,7 @@ impl StartSignerConfig {
                 loader: Some(loader),
                 endpoint,
                 jwts,
+                admin_secret,
                 jwt_auth_fail_limit,
                 jwt_auth_fail_timeout_seconds,
                 store,
@@ -207,6 +209,7 @@ impl StartSignerConfig {
                     chain: config.chain,
                     endpoint,
                     jwts,
+                    admin_secret,
                     jwt_auth_fail_limit,
                     jwt_auth_fail_timeout_seconds,
                     loader: None,
diff --git a/crates/common/src/config/utils.rs b/crates/common/src/config/utils.rs
index 13784316..7ab346f1 100644
--- a/crates/common/src/config/utils.rs
+++ b/crates/common/src/config/utils.rs
@@ -4,7 +4,7 @@ use alloy::rpc::types::beacon::BlsPublicKey;
 use eyre::{bail, Context, Result};
 use serde::de::DeserializeOwned;
 
-use super::JWTS_ENV;
+use super::{ADMIN_JWT_ENV, JWTS_ENV};
 use crate::{config::MUXER_HTTP_MAX_LENGTH, types::ModuleId, utils::read_chunked_body_with_max};
 
 pub fn load_env_var(env: &str) -> Result<String> {
@@ -26,9 +26,10 @@ pub fn load_file_from_env<T: DeserializeOwned>(env: &str) -> Result<T> {
 }
 
 /// Loads a map of module id -> jwt secret from a json env
-pub fn load_jwt_secrets() -> Result<HashMap<ModuleId, String>> {
+pub fn load_jwt_secrets() -> Result<(String, HashMap<ModuleId, String>)> {
+    let admin_jwt = std::env::var(ADMIN_JWT_ENV).wrap_err(format!("{ADMIN_JWT_ENV} is not set"))?;
     let jwt_secrets = std::env::var(JWTS_ENV).wrap_err(format!("{JWTS_ENV} is not set"))?;
-    decode_string_to_map(&jwt_secrets)
+    decode_string_to_map(&jwt_secrets).map(|secrets| (admin_jwt, secrets))
 }
 
 /// Reads an HTTP response safely, erroring out if it failed or if the body is
@@ -71,7 +72,7 @@ pub fn remove_duplicate_keys(keys: Vec<BlsPublicKey>) -> Vec<BlsPublicKey> {
     unique_keys
 }
 
-fn decode_string_to_map(raw: &str) -> Result<HashMap<ModuleId, String>> {
+pub fn decode_string_to_map(raw: &str) -> Result<HashMap<ModuleId, String>> {
     // trim the string and split for comma
     raw.trim()
         .split(',')
diff --git a/crates/common/src/types.rs b/crates/common/src/types.rs
index 5293a789..3d07e89c 100644
--- a/crates/common/src/types.rs
+++ b/crates/common/src/types.rs
@@ -23,6 +23,12 @@ pub struct JwtClaims {
     pub module: String,
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+pub struct JwtAdmin {
+    pub exp: u64,
+    pub admin: bool,
+}
+
 #[derive(Clone, Copy, PartialEq, Eq)]
 pub enum Chain {
     Mainnet,
diff --git a/crates/common/src/utils.rs b/crates/common/src/utils.rs
index ccaf8888..7f2fbbca 100644
--- a/crates/common/src/utils.rs
+++ b/crates/common/src/utils.rs
@@ -30,7 +30,7 @@ use crate::{
     config::LogsSettings,
     constants::SIGNER_JWT_EXPIRATION,
     pbs::HEADER_VERSION_VALUE,
-    types::{Chain, Jwt, JwtClaims, ModuleId},
+    types::{Chain, Jwt, JwtAdmin, JwtClaims, ModuleId},
 };
 
 const MILLIS_PER_SECOND: u64 = 1_000;
@@ -405,6 +405,24 @@ pub fn validate_jwt(jwt: Jwt, secret: &str) -> eyre::Result<()> {
     .map_err(From::from)
 }
 
+/// Validate an admin JWT with the given secret
+pub fn validate_admin_jwt(jwt: Jwt, secret: &str) -> eyre::Result<()> {
+    let mut validation = jsonwebtoken::Validation::default();
+    validation.leeway = 10;
+
+    let token = jsonwebtoken::decode::<JwtAdmin>(
+        jwt.as_str(),
+        &jsonwebtoken::DecodingKey::from_secret(secret.as_ref()),
+        &validation,
+    )?;
+
+    if token.claims.admin {
+        Ok(())
+    } else {
+        eyre::bail!("Token is not admin")
+    }
+}
+
 /// Generates a random string
 pub fn random_jwt_secret() -> String {
     rand::rng().sample_iter(&Alphanumeric).take(32).map(char::from).collect()
diff --git a/crates/signer/src/error.rs b/crates/signer/src/error.rs
index a2a113f3..b0fc88de 100644
--- a/crates/signer/src/error.rs
+++ b/crates/signer/src/error.rs
@@ -25,6 +25,9 @@ pub enum SignerModuleError {
     #[error("Dirk signer does not support this operation")]
     DirkNotSupported,
 
+    #[error("module id not found")]
+    ModuleIdNotFound,
+
     #[error("internal error: {0}")]
     Internal(String),
 
@@ -48,6 +51,7 @@ impl IntoResponse for SignerModuleError {
                 (StatusCode::INTERNAL_SERVER_ERROR, "internal error".to_string())
             }
             SignerModuleError::SignerError(err) => (StatusCode::BAD_REQUEST, err.to_string()),
+            SignerModuleError::ModuleIdNotFound => (StatusCode::NOT_FOUND, self.to_string()),
             SignerModuleError::RateLimited(duration) => {
                 (StatusCode::TOO_MANY_REQUESTS, format!("rate limited for {duration:?}"))
             }
diff --git a/crates/signer/src/service.rs b/crates/signer/src/service.rs
index 1a41a008..59da3c3d 100644
--- a/crates/signer/src/service.rs
+++ b/crates/signer/src/service.rs
@@ -18,17 +18,17 @@ use cb_common::{
     commit::{
         constants::{
             GENERATE_PROXY_KEY_PATH, GET_PUBKEYS_PATH, RELOAD_PATH, REQUEST_SIGNATURE_PATH,
-            STATUS_PATH,
+            REVOKE_MODULE_PATH, STATUS_PATH,
         },
         request::{
-            EncryptionScheme, GenerateProxyRequest, GetPubkeysResponse, SignConsensusRequest,
-            SignProxyRequest, SignRequest,
+            EncryptionScheme, GenerateProxyRequest, GetPubkeysResponse, ReloadRequest,
+            RevokeModuleRequest, SignConsensusRequest, SignProxyRequest, SignRequest,
         },
     },
     config::StartSignerConfig,
     constants::{COMMIT_BOOST_COMMIT, COMMIT_BOOST_VERSION},
     types::{Chain, Jwt, ModuleId},
-    utils::{decode_jwt, validate_jwt},
+    utils::{decode_jwt, validate_admin_jwt, validate_jwt},
 };
 use cb_metrics::provider::MetricsProvider;
 use eyre::Context;
@@ -63,7 +63,9 @@ struct SigningState {
 
     /// Map of modules ids to JWT secrets. This also acts as registry of all
     /// modules running
-    jwts: Arc<HashMap<ModuleId, String>>,
+    jwts: Arc<ParkingRwLock<HashMap<ModuleId, String>>>,
+    /// Secret for the admin JWT
+    admin_secret: Arc<ParkingRwLock<String>>,
 
     /// Map of JWT failures per peer
     jwt_auth_failures: Arc<ParkingRwLock<HashMap<IpAddr, JwtAuthFailureInfo>>>,
@@ -84,7 +86,8 @@ impl SigningService {
 
         let state = SigningState {
             manager: Arc::new(RwLock::new(start_manager(config.clone()).await?)),
-            jwts: config.jwts.into(),
+            jwts: Arc::new(ParkingRwLock::new(config.jwts)),
+            admin_secret: Arc::new(ParkingRwLock::new(config.admin_secret)),
             jwt_auth_failures: Arc::new(ParkingRwLock::new(HashMap::new())),
             jwt_auth_fail_limit: config.jwt_auth_fail_limit,
             jwt_auth_fail_timeout: Duration::from_secs(config.jwt_auth_fail_timeout_seconds as u64),
@@ -113,20 +116,30 @@ impl SigningService {
 
         SigningService::init_metrics(config.chain)?;
 
-        let app = axum::Router::new()
+        let signer_app = axum::Router::new()
             .route(REQUEST_SIGNATURE_PATH, post(handle_request_signature))
             .route(GET_PUBKEYS_PATH, get(handle_get_pubkeys))
             .route(GENERATE_PROXY_KEY_PATH, post(handle_generate_proxy))
             .route_layer(middleware::from_fn_with_state(state.clone(), jwt_auth))
+            .with_state(state.clone())
+            .route_layer(middleware::from_fn(log_request));
+
+        let admin_app = axum::Router::new()
             .route(RELOAD_PATH, post(handle_reload))
+            .route(REVOKE_MODULE_PATH, post(handle_revoke_module))
+            .route_layer(middleware::from_fn_with_state(state.clone(), admin_auth))
             .with_state(state.clone())
             .route_layer(middleware::from_fn(log_request))
-            .route(STATUS_PATH, get(handle_status))
-            .into_make_service_with_connect_info::<SocketAddr>();
+            .route(STATUS_PATH, get(handle_status));
 
         let listener = TcpListener::bind(config.endpoint).await?;
 
-        axum::serve(listener, app).await.wrap_err("signer server exited")
+        axum::serve(
+            listener,
+            signer_app.merge(admin_app).into_make_service_with_connect_info::<SocketAddr>(),
+        )
+        .await
+        .wrap_err("signer server exited")
     }
 
     fn init_metrics(network: Chain) -> eyre::Result<()> {
@@ -214,7 +227,8 @@ fn check_jwt_auth(
         SignerModuleError::Unauthorized
     })?;
 
-    let jwt_secret = state.jwts.get(&module_id).ok_or_else(|| {
+    let guard = state.jwts.read();
+    let jwt_secret = guard.get(&module_id).ok_or_else(|| {
         error!("Unauthorized request. Was the module started correctly?");
         SignerModuleError::Unauthorized
     })?;
@@ -226,6 +240,22 @@ fn check_jwt_auth(
     Ok(module_id)
 }
 
+async fn admin_auth(
+    State(state): State<SigningState>,
+    TypedHeader(auth): TypedHeader<Authorization<Bearer>>,
+    req: Request,
+    next: Next,
+) -> Result<Response, SignerModuleError> {
+    let jwt: Jwt = auth.token().to_string().into();
+
+    validate_admin_jwt(jwt, &state.admin_secret.read()).map_err(|e| {
+        error!("Unauthorized request. Invalid JWT: {e}");
+        SignerModuleError::Unauthorized
+    })?;
+
+    Ok(next.run(req).await)
+}
+
 /// Requests logging middleware layer
 async fn log_request(req: Request, next: Next) -> Result<Response, SignerModuleError> {
     let url = &req.uri().clone();
@@ -360,6 +390,7 @@ async fn handle_generate_proxy(
 
 async fn handle_reload(
     State(mut state): State<SigningState>,
+    Json(request): Json<ReloadRequest>,
 ) -> Result<impl IntoResponse, SignerModuleError> {
     let req_id = Uuid::new_v4();
 
@@ -373,6 +404,14 @@ async fn handle_reload(
         }
     };
 
+    if let Some(jwt_secrets) = request.jwt_secrets {
+        *state.jwts.write() = jwt_secrets;
+    }
+
+    if let Some(admin_secret) = request.admin_secret {
+        *state.admin_secret.write() = admin_secret;
+    }
+
     let new_manager = match start_manager(config).await {
         Ok(manager) => manager,
         Err(err) => {
@@ -386,6 +425,17 @@ async fn handle_reload(
     Ok(StatusCode::OK)
 }
 
+async fn handle_revoke_module(
+    State(state): State<SigningState>,
+    Json(request): Json<RevokeModuleRequest>,
+) -> Result<impl IntoResponse, SignerModuleError> {
+    let mut guard = state.jwts.write();
+    guard
+        .remove(&request.module_id)
+        .ok_or(SignerModuleError::ModuleIdNotFound)
+        .map(|_| StatusCode::OK)
+}
+
 async fn start_manager(config: StartSignerConfig) -> eyre::Result<SigningManager> {
     let proxy_store = if let Some(store) = config.store.clone() {
         Some(store.init_from_env()?)
diff --git a/docs/docs/get_started/configuration.md b/docs/docs/get_started/configuration.md
index 5dd46329..b65e73ad 100644
--- a/docs/docs/get_started/configuration.md
+++ b/docs/docs/get_started/configuration.md
@@ -398,6 +398,15 @@ Commit-Boost supports hot-reloading the configuration file. This means that you
 docker compose -f cb.docker-compose.yml exec cb_signer curl -X POST http://localhost:20000/reload
 ```
 
+### Signer module reload
+
+The signer module takes 2 optional parameters in the JSON body:
+
+- `jwt_secrets`: a string with a comma-separated list of `<MODULE_ID>=<JWT_SECRET>` for all modules.
+- `admin_secret`: a string with the secret for the signer admin JWT.
+
+Parameters that are not provided will not be updated; they will be regenerated using their original on-disk data as though the signer service was being restarted. Note that any changes you made with calls to `/revoke_jwt` or `/reload` will be reverted, so make sure you provide any modifications again as part of this call.
+
 ### Notes
 
 - The hot reload feature is available for PBS modules (both default and custom) and signer module.
diff --git a/docs/docs/get_started/running/binary.md b/docs/docs/get_started/running/binary.md
index 385e7a0c..97991ee5 100644
--- a/docs/docs/get_started/running/binary.md
+++ b/docs/docs/get_started/running/binary.md
@@ -26,6 +26,7 @@ Modules need some environment variables to work correctly.
 - `CB_MUX_PATH_{ID}`: optional, override where to load mux validator keys for mux with `id=\{ID\}`.
 
 ### Signer Module
+- `CB_SIGNER_ADMIN_JWT`: secret to use for admin JWT.
 - `CB_SIGNER_ENDPOINT`: optional, override to specify the `IP:port` endpoint to bind the signer server to.
 - For loading keys we currently support:
   - `CB_SIGNER_LOADER_FILE`: path to a `.json` with plaintext keys (for testing purposes only).
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
index f1b5c9d9..573cfa20 100644
--- a/tests/Cargo.toml
+++ b/tests/Cargo.toml
@@ -11,6 +11,7 @@ cb-common.workspace = true
 cb-pbs.workspace = true
 cb-signer.workspace = true
 eyre.workspace = true
+jsonwebtoken.workspace = true
 reqwest.workspace = true
 serde_json.workspace = true
 tempfile.workspace = true
diff --git a/tests/src/utils.rs b/tests/src/utils.rs
index b677d800..04aa371a 100644
--- a/tests/src/utils.rs
+++ b/tests/src/utils.rs
@@ -118,6 +118,7 @@ pub fn get_start_signer_config(
     signer_config: SignerConfig,
     chain: Chain,
     jwts: HashMap<ModuleId, String>,
+    admin_secret: String,
 ) -> StartSignerConfig {
     match signer_config.inner {
         SignerType::Local { loader, .. } => StartSignerConfig {
@@ -126,6 +127,7 @@ pub fn get_start_signer_config(
             store: None,
             endpoint: SocketAddr::new(signer_config.host.into(), signer_config.port),
             jwts,
+            admin_secret,
             jwt_auth_fail_limit: signer_config.jwt_auth_fail_limit,
             jwt_auth_fail_timeout_seconds: signer_config.jwt_auth_fail_timeout_seconds,
             dirk: None,
diff --git a/tests/tests/signer_jwt_auth.rs b/tests/tests/signer_jwt_auth.rs
index 90a0365f..820afbcc 100644
--- a/tests/tests/signer_jwt_auth.rs
+++ b/tests/tests/signer_jwt_auth.rs
@@ -2,10 +2,14 @@ use std::{collections::HashMap, time::Duration};
 
 use alloy::{hex, primitives::FixedBytes};
 use cb_common::{
-    commit::{constants::GET_PUBKEYS_PATH, request::GetPubkeysResponse},
+    commit::{
+        constants::{GET_PUBKEYS_PATH, REVOKE_MODULE_PATH},
+        request::GetPubkeysResponse,
+    },
     config::StartSignerConfig,
+    constants::SIGNER_JWT_EXPIRATION,
     signer::{SignerLoader, ValidatorKeysFormat},
-    types::{Chain, ModuleId},
+    types::{Chain, Jwt, JwtAdmin, ModuleId},
     utils::create_jwt,
 };
 use cb_signer::service::SigningService;
@@ -16,6 +20,7 @@ use tracing::info;
 
 const JWT_MODULE: &str = "test-module";
 const JWT_SECRET: &str = "test-jwt-secret";
+const ADMIN_SECRET: &str = "test-admin-secret";
 
 #[tokio::test]
 async fn test_signer_jwt_auth_success() -> Result<()> {
@@ -86,6 +91,74 @@ async fn test_signer_jwt_rate_limit() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test]
+async fn test_signer_revoked_jwt_fail() -> Result<()> {
+    setup_test_env();
+    let module_id = ModuleId(JWT_MODULE.to_string());
+    let start_config = start_server(20400).await?;
+
+    // Run as many pubkeys requests as the fail limit
+    let jwt = create_jwt(&module_id, JWT_SECRET)?;
+    let admin_jwt = create_admin_jwt()?;
+    let client = reqwest::Client::new();
+
+    // At first, test module should be allowed to request pubkeys
+    let url = format!("http://{}{}", start_config.endpoint, GET_PUBKEYS_PATH);
+    let response = client.get(&url).bearer_auth(&jwt).send().await?;
+    assert!(response.status() == StatusCode::OK);
+
+    let revoke_url = format!("http://{}{}", start_config.endpoint, REVOKE_MODULE_PATH);
+    let response = client
+        .post(&revoke_url)
+        .header("content-type", "application/json")
+        .body(reqwest::Body::wrap(format!("{{\"module_id\": \"{JWT_MODULE}\"}}")))
+        .bearer_auth(&admin_jwt)
+        .send()
+        .await?;
+    assert!(response.status() == StatusCode::OK);
+
+    // After revoke, test module shouldn't be allowed anymore
+    let response = client.get(&url).bearer_auth(&jwt).send().await?;
+    assert!(response.status() == StatusCode::UNAUTHORIZED);
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn test_signer_only_admin_can_revoke() -> Result<()> {
+    setup_test_env();
+    let module_id = ModuleId(JWT_MODULE.to_string());
+    let start_config = start_server(20500).await?;
+
+    // Run as many pubkeys requests as the fail limit
+    let jwt = create_jwt(&module_id, JWT_SECRET)?;
+    let admin_jwt = create_admin_jwt()?;
+    let client = reqwest::Client::new();
+    let url = format!("http://{}{}", start_config.endpoint, REVOKE_MODULE_PATH);
+
+    // Module JWT shouldn't be able to revoke modules
+    let response = client
+        .post(&url)
+        .header("content-type", "application/json")
+        .body(reqwest::Body::wrap(format!("{{\"module_id\": \"{JWT_MODULE}\"}}")))
+        .bearer_auth(&jwt)
+        .send()
+        .await?;
+    assert!(response.status() == StatusCode::UNAUTHORIZED);
+
+    // Admin should be able to revoke modules
+    let response = client
+        .post(&url)
+        .header("content-type", "application/json")
+        .body(reqwest::Body::wrap(format!("{{\"module_id\": \"{JWT_MODULE}\"}}")))
+        .bearer_auth(&admin_jwt)
+        .send()
+        .await?;
+    assert!(response.status() == StatusCode::OK);
+
+    Ok(())
+}
+
 // Starts the signer moduler server on a separate task and returns its
 // configuration
 async fn start_server(port: u16) -> Result<StartSignerConfig> {
@@ -107,7 +180,7 @@ async fn start_server(port: u16) -> Result<StartSignerConfig> {
     config.port = port;
     config.jwt_auth_fail_limit = 3; // Set a low fail limit for testing
     config.jwt_auth_fail_timeout_seconds = 3; // Set a short timeout for testing
-    let start_config = get_start_signer_config(config, chain, jwts);
+    let start_config = get_start_signer_config(config, chain, jwts, ADMIN_SECRET.to_string());
 
     // Run the Signer
     let server_handle = tokio::spawn(SigningService::run(start_config.clone()));
@@ -144,3 +217,16 @@ async fn verify_pubkeys(response: Response) -> Result<()> {
     }
     Ok(())
 }
+
+fn create_admin_jwt() -> Result<Jwt> {
+    jsonwebtoken::encode(
+        &jsonwebtoken::Header::default(),
+        &JwtAdmin {
+            admin: true,
+            exp: jsonwebtoken::get_current_timestamp() + SIGNER_JWT_EXPIRATION,
+        },
+        &jsonwebtoken::EncodingKey::from_secret(ADMIN_SECRET.as_ref()),
+    )
+    .map_err(Into::into)
+    .map(Jwt::from)
+}