diff --git a/pom.xml b/pom.xml
index bfab878a..f49c532f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,7 +16,7 @@
1.12.2
5.11.2
- 10.9.0
+ 10.9.4
0.5.10
${project.version}
diff --git a/src/main/java/com/uid2/admin/auth/OktaCustomScope.java b/src/main/java/com/uid2/admin/auth/OktaCustomScope.java
index fd7f930c..c60a0814 100644
--- a/src/main/java/com/uid2/admin/auth/OktaCustomScope.java
+++ b/src/main/java/com/uid2/admin/auth/OktaCustomScope.java
@@ -11,6 +11,7 @@ public enum OktaCustomScope {
SECRET_ROTATION("uid2.admin.secret-rotation", Role.SECRET_ROTATION),
SITE_SYNC("uid2.admin.site-sync", Role.PRIVATE_OPERATOR_SYNC),
METRICS_EXPORT("uid2.admin.metrics-export", Role.METRICS_EXPORT),
+ ENCLAVE_REGISTRAR("uid2.admin.enclave-registrar", Role.ENCLAVE_REGISTRAR),
INVALID("invalid", Role.UNKNOWN);
private final String name;
private final Role role;
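Review bot: The new ENCLAVE_REGISTRAR constant carries no comment on how narrow its authority is meant to be, and from the scope-to-role mapping alone a reader cannot tell that Role.ENCLAVE_REGISTRAR is granted only the enclave-add route (the grant lives in EnclaveIdService.setupRoutes, the hunk ending at L36). A one-line comment above the constant, such as `// Intended for registering new enclave ids only (POST enclave add); not list/metadata/delete — see EnclaveIdService.setupRoutes`, would stop the mapping from being read as a general enclave-admin scope. The scope string "uid2.admin.enclave-registrar" also has to match the scope configured on the Okta authorization server character-for-character, otherwise tokens carrying the real scope will not resolve to this role; naming that in the comment is cheap. The enum definition starts and ends outside this hunk.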
diff --git a/src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java b/src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java
index ec641370..9e4859ee 100644
--- a/src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java
@@ -57,7 +57,7 @@ public void setupRoutes(Router router) {
synchronized (writeLock) {
this.handleEnclaveAdd(ctx);
}
- }, new AuditParams(List.of("name", "protocol", "enclave_id"), Collections.emptyList()), Role.PRIVILEGED));
+ }, new AuditParams(List.of("name", "protocol", "enclave_id"), Collections.emptyList()), Role.PRIVILEGED, Role.ENCLAVE_REGISTRAR));
router.post(API_ENCLAVE_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
synchronized (writeLock) {
this.handleEnclaveDel(ctx);
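Review bot: The grant on L33 is deliberately asymmetric — ENCLAVE_REGISTRAR may add enclave ids but, per the new test in EnclaveIdServiceTest, must receive 401 on list, metadata and del — yet nothing in the service records that intent, so a later "cleanup" that adds the role to the del route on L34 would look like a natural fix. A comment on the add route, e.g. `// ENCLAVE_REGISTRAR is allowed to register enclave ids only; it is intentionally absent from the list/metadata/del routes (guarded by EnclaveIdServiceTest).`, makes the constraint visible where it would be broken. Since enclave ids form the attestation allowlist, it is also worth confirming that handleEnclaveAdd's audit record captures the calling principal and not just the AuditParams fields, so registrations by this role are attributable; that body is outside the hunk. setupRoutes starts before and continues after this hunk.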
diff --git a/src/test/java/com/uid2/admin/vertx/EnclaveIdServiceTest.java b/src/test/java/com/uid2/admin/vertx/EnclaveIdServiceTest.java
index c87faea0..e26348ec 100644
--- a/src/test/java/com/uid2/admin/vertx/EnclaveIdServiceTest.java
+++ b/src/test/java/com/uid2/admin/vertx/EnclaveIdServiceTest.java
@@ -96,7 +96,7 @@ public void enclaveId_Add_Success(String protocol, Vertx vertx, VertxTestContext
}
@ParameterizedTest
- @EnumSource(value = Role.class, names = {"PRIVILEGED", "SUPER_USER"}, mode = EnumSource.Mode.EXCLUDE)
+ @EnumSource(value = Role.class, names = {"PRIVILEGED", "SUPER_USER", "ENCLAVE_REGISTRAR"}, mode = EnumSource.Mode.EXCLUDE)
public void enclaveId_Add_NotAuthorized(Role role, Vertx vertx, VertxTestContext vertxTestContext) {
fakeAuth(role);
@@ -238,4 +238,27 @@ public void enclaveId_Delete_NotAuthorized(Role role, Vertx vertx, VertxTestCont
});
}
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "/api/enclave/list",
+ "/api/enclave/metadata",
+ "/api/enclave/del?name=some-name",
+ })
+ public void enclaveId_Endpoints_NotAuthorized_ForEnclaveRegistrar(String url, Vertx vertx, VertxTestContext vertxTestContext) {
+ fakeAuth(Role.ENCLAVE_REGISTRAR);
+
+ // Use GET for list/metadata, POST for delete
+ if (url.contains("/del")) {
+ post(vertx, vertxTestContext, url, "", response -> {
+ assertEquals(401, response.statusCode());
+ vertxTestContext.completeNow();
+ });
+ } else {
+ get(vertx, vertxTestContext, url, response -> {
+ assertEquals(401, response.statusCode());
+ vertxTestContext.completeNow();
+ });
+ }
+ }
+
}
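Review bot: The new test pins only the denials for ENCLAVE_REGISTRAR; the grant the commit actually introduces — that this role succeeds on the enclave add endpoint — is not asserted anywhere in the hunk, so a regression that drops Role.ENCLAVE_REGISTRAR from the add route again would pass this suite unless enclaveId_Add_Success (outside the hunk) already runs under that role. Adding a positive case that calls fakeAuth(Role.ENCLAVE_REGISTRAR) and posts to the add route expecting 200 would close that gap. On style, dispatching the HTTP method via `url.contains("/del")` on L61 is fragile; a `@CsvSource({"GET,/api/enclave/list", "GET,/api/enclave/metadata", "POST,/api/enclave/del?name=some-name"})` with a `String method` parameter states the intent directly and removes the string-sniffing branch. The hard-coded paths could also come from the same route constants the service uses (e.g. `API_ENCLAVE_DEL.toString()` on L34) so a route rename cannot leave the test exercising a path that no longer exists.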