diff --git a/controllers/pkg/reconcilers/spire-bootstrap/reconciler.go b/controllers/pkg/reconcilers/spire-bootstrap/reconciler.go
index 9248e85b..2401c869 100644
--- a/controllers/pkg/reconcilers/spire-bootstrap/reconciler.go
+++ b/controllers/pkg/reconcilers/spire-bootstrap/reconciler.go
@@ -19,6 +19,7 @@ package spirebootstrap
 import (
 	"context"
 	"encoding/base64"
+	"flag"
 	"fmt"
 	"strings"
 	"time"
@@ -27,6 +28,7 @@ import (
 	reconcilerinterface "github.com/nephio-project/nephio/controllers/pkg/reconcilers/reconciler-interface"
 	"github.com/nephio-project/nephio/controllers/pkg/resource"
 	vaultClient "github.com/nephio-project/nephio/controllers/pkg/vault-client"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
@@ -128,6 +130,18 @@ func (r *reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	vaultAddr := "http://10.146.0.21:8200"
+	workloadAPIAddr := flag.String("workload-api-addr", "", "Workload API Address")
+	flag.Parse()
+	var opts []workloadapi.ClientOption
+	if *workloadAPIAddr != "" {
+		opts = append(opts, workloadapi.WithAddr(*workloadAPIAddr))
+	}
+	fmt.Println("Watching...")
+	err = workloadapi.WatchX509Context(context.Background(), resource.Watcher{}, opts...)
+	log.Error(err, "Error: ")
 	jwtSVID, err := resource.GetJWT(ctx)
 	if err != nil {
 		log.Error(err, "Unable to get jwtSVID")
diff --git a/controllers/pkg/resource/workloadapi.go b/controllers/pkg/resource/workloadapi.go
index 45054cc8..6c633265 100644
--- a/controllers/pkg/resource/workloadapi.go
+++ b/controllers/pkg/resource/workloadapi.go
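Review bot: Calling `flag.String("workload-api-addr", ...)` and `flag.Parse()` inside Reconcile registers the same flag on every reconcile, so the second reconcile of the process panics with a "flag redefined" error; define the flag once in main and hand the address to the reconciler (for example as a field set when the reconciler is constructed). The `workloadapi.WatchX509Context` call that follows blocks for the lifetime of the context it is given, and it is given `context.Background()` rather than `ctx`, so the first reconcile that reaches it never returns and its worker is pinned for the rest of the process. Start the watch once, from SetupWithManager or a manager Runnable with the manager's context, rather than from the per-request reconcile path, and pass the request or manager context so cancellation ends it. `log.Error(err, "Error: ")` is also emitted unconditionally even when `err` is nil; guard it, `if err != nil { log.Error(err, "x509 context watch ended") }`, and prefer the structured `log` over `fmt.Println("Watching...")` so the message carries the reconcile's key/value context. Reconcile's body begins and ends outside this hunk.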
@@ -40,3 +40,21 @@ func GetJWT(ctx context.Context) (*jwtsvid.SVID, error) {
 	return jwtSVID, err
 }
+
+type Watcher struct{}
+
+func (Watcher) OnX509ContextUpdate(x509Context *workloadapi.X509Context) {
+	fmt.Println("Update:")
+	fmt.Println("  SVIDs:")
+	for _, svid := range x509Context.SVIDs {
+		fmt.Printf("    %s\n", svid.ID)
+	}
+	fmt.Println("  Bundles:")
+	for _, bundle := range x509Context.Bundles.Bundles() {
+		fmt.Printf("    %s (%d authorities)\n", bundle.TrustDomain(), len(bundle.X509Authorities()))
+	}
+}
+
+func (Watcher) OnX509ContextWatchError(err error) {
+	fmt.Println("Error:", err)
+}
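Review bot: `Watcher` and its two methods are exported without doc comments, and both callbacks only print to stdout with `fmt`, so the X.509 context the reconciler pays to watch is discarded and watch errors (a lost Workload API connection, a rejected SVID stream) leave no record in the controller's logs. Add `// Watcher implements workloadapi.X509ContextWatcher; it currently only prints each update and watch error.` above the type, and on `OnX509ContextWatchError` a line noting that the watch itself keeps retrying and this hook only reports. If callers need the SVIDs or bundles, keep the latest `*workloadapi.X509Context` on the watcher behind a mutex and expose an accessor instead of printing the IDs; otherwise route both callbacks through the package's logger at info/error level rather than `fmt.Println`. This assumes `fmt` is already imported in workloadapi.go, which the hunk does not show.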