diff --git a/src/get-a2a-apikeysecret.sh b/src/get-a2a-apikeysecret.sh
new file mode 100755
index 0000000..e337b71
--- /dev/null
+++ b/src/get-a2a-apikeysecret.sh
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+print_usage()
+{
+    cat <<EOF
+USAGE: get-a2a-apikeysecret.sh [-h]
+       get-a2a-apikeysecret.sh [-a appliance] [-B cabundle] [-v version] [-c file] [-k file] [-A apikey] [-O] [-p] [-r]
+
+  -h  Show help and exit
+  -a  Network address of the appliance
+  -B  CA bundle for SSL trust validation (no checking by default)
+  -v  Web API Version: 4 is default
+  -c  File containing client certificate
+  -k  File containing client private key
+  -A  A2A API token identifying the account
+  -O  Use openssl s_client instead of curl for TLS client authentication problems
+  -p  Read certificate password from stdin
+  -r  Raw output, i.e. remove quotes from JSON string to get just the password (requires jq)
+
+Retrieve an API key secret using the Safeguard A2A service.  More than one key may be associated with an account.
+This script returns an array of objects representing all API key secrets.
+
+EOF
+    exit 0
+}
+
+ScriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+
+Appliance=
+CABundleArg=
+CABundle=
+Version=4
+Cert=
+PKey=
+ApiKey=
+Raw=false
+PassStdin=
+Pass=
+UseOpenSslSclient=false
+
+. "$ScriptDir/utils/loginfile.sh"
+. "$ScriptDir/utils/a2a.sh"
+
+require_args()
+{
+    handle_ca_bundle_arg
+    if [ -z "$Appliance" ]; then
+        read -p "Appliance Network Address: " Appliance
+    fi
+    if [ -z "$Cert" ]; then
+        read -p "Client Certificate File: " Cert
+    fi
+    if [ -z "$PKey" ]; then
+        read -p "Client Private Key File: " PKey
+    fi
+    if [ -z "$Pass" ]; then
+        read -s -p "Private Key Password: " Pass
+        >&2 echo
+    fi
+    if [ -z "$ApiKey" ]; then
+        read -p "A2A API Key: " ApiKey
+    fi
+}
+
+while getopts ":a:B:v:c:k:A:pOrh" opt; do
+    case $opt in
+    a)
+        Appliance=$OPTARG
+        ;;
+    B)
+        CABundle=$OPTARG
+        ;;
+    v)
+        Version=$OPTARG
+        ;;
+    c)
+        Cert=$OPTARG
+        ;;
+    k)
+        PKey=$OPTARG
+        ;;
+    p)
+        PassStdin="-p"
+        ;;
+    A)
+        ApiKey=$OPTARG
+        ;;
+    O)
+        UseOpenSslSclient=true
+        ;;
+    r)
+        Raw=true
+        ;;
+    h)
+        print_usage
+        ;;
+    esac
+done
+
+require_args
+
+ATTRFILTER='cat'
+ERRORFILTER='cat'
+if [ ! -z "$(which jq 2> /dev/null)" ]; then
+    ERRORFILTER='jq .'
+    if $Raw; then
+        ATTRFILTER='jq --raw-output .'
+    else
+        ATTRFILTER='jq .'
+    fi
+fi
+
+Result=$(invoke_a2a_method "$Appliance" "$CABundleArg" "$Cert" "$PKey" "$Pass" "$ApiKey" a2a GET "Credentials?type=ApiKey" $Version $UseOpenSslSclient)
+echo $Result | jq . > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo $Result
+else
+    Error=$(echo $Result | jq .Code 2> /dev/null)
+    if [ -z "$Error" -o "$Error" = "null" ]; then
+        echo $Result | $ATTRFILTER
+    else
+        echo $Result | $ERRORFILTER
+        exit 1
+    fi
+fi
diff --git a/src/get-a2a-privatekey.sh b/src/get-a2a-privatekey.sh
index e83e378..56adaf0 100755
--- a/src/get-a2a-privatekey.sh
+++ b/src/get-a2a-privatekey.sh
@@ -21,7 +21,7 @@ USAGE: get-a2a-privatekey.sh [-h]
       Ssh2: Tectia format for use with tools from SSH.com
       Putty: Putty format for use with PuTTY tools
 
-Retrieve a private key using the Safeguard A2A service.
+Retrieve an SSH private key using the Safeguard A2A service.
 
 EOF
     exit 0