diff --git a/src/internal/controller/machineuser_controller.go b/src/internal/controller/machineuser_controller.go
index 1044d61..dd02308 100644
--- a/src/internal/controller/machineuser_controller.go
+++ b/src/internal/controller/machineuser_controller.go
@@ -2,6 +2,7 @@ package controller
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -98,6 +99,10 @@ func (wr *wrappedMachineUserReconciler) Reconcile(ctx context.Context, ztdClient
 				Name:      "pat",
 				Reconcile: wr.reconcilePAT,
 			},
+			{
+				Name:      "jwt",
+				Reconcile: wr.reconcileJWT,
+			},
 		}
 		for _, p := range phases {
 			err := p.Reconcile(ctx, ztdClient)
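Review bot: The phase is registered as "jwt" and its handler is named reconcileJWT, but what that handler provisions (third hunk) is a Zitadel machine key whose Secret is named `<name>-machinekey-secret`, so the phase name, the handler name and the Secret name disagree about what is being managed. Naming the phase `"machinekey"` with a `reconcileMachineKey` handler would keep log lines, status conditions and the Secret consistent with the actual resource. Reconcile's body starts and ends outside this hunk.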
@@ -210,6 +215,66 @@ func (wr *wrappedMachineUserReconciler) reconcilePAT(ctx context.Context, ztdCli
 	return nil
 }
 
+func (wr *wrappedMachineUserReconciler) reconcileJWT(ctx context.Context, ztdClient *management.Client) error {
+	org, err := wr.refResolver.OrganizationRef(ctx, &wr.MachineUser.Spec.OrganizationRef, wr.MachineUser.Namespace)
+	if err != nil {
+		return err
+	}
+	ctx = middleware.SetOrgID(ctx, org.Status.OrgId)
+
+	token, err := ztdClient.GetMachineKeyByIDs(ctx, &pb.GetMachineKeyByIDsRequest{
+		UserId: wr.MachineUser.Status.UserId,
+		KeyId:  wr.MachineUser.Status.KeyId,
+	})
+	if err != nil {
+		if !strings.Contains(err.Error(), "not found") {
+			return fmt.Errorf("Error getting JWT: %v", err)
+		}
+	}
+
+	if token == nil {
+		resp, err := ztdClient.AddMachineKey(ctx, &pb.AddMachineKeyRequest{
+			UserId: wr.MachineUser.Status.UserId,
+		})
+		if err != nil {
+			return fmt.Errorf("Error adding JWT: %v", err)
+		}
+		key := types.NamespacedName{
+			Name:      wr.MachineUser.Name + "-machinekey-secret",
+			Namespace: wr.MachineUser.Namespace,
+		}
+
+		var jsonKey Key
+		if err = json.Unmarshal(resp.KeyDetails, &jsonKey); err != nil {
+			return fmt.Errorf("Could not unmarshal key details: %v", err)
+		}
+
+		secretData := map[string][]byte{
+			"clientId": []byte(jsonKey.ClientID),
+			"type":     []byte(jsonKey.Type),
+			"keyId":    []byte(jsonKey.KeyID),
+			"appId":    []byte(jsonKey.AppID),
+			"key":      []byte(jsonKey.Key),
+		}
+		patSecret, err := wr.Builder.BuildSecret(builder.SecretOpts{
+			Key:       key,
+			Immutable: true,
+			Data:      secretData,
+		}, wr.MachineUser)
+
+		if err != nil {
+			return fmt.Errorf("error building machine key Secret: %v", err)
+		}
+		if err := wr.Create(ctx, patSecret); err != nil {
+			return fmt.Errorf("error creating machine key Secret: %v", err)
+		}
+		patch := ctrlClient.MergeFrom(wr.MachineUser.DeepCopy())
+		wr.MachineUser.Status.KeyId = resp.KeyId
+		return wr.Client.Status().Patch(ctx, wr.MachineUser, patch)
+	}
+	return nil
+}
+
 func (wr *wrappedMachineUserReconciler) PatchStatus(ctx context.Context, patcher condition.Patcher) error {
 	patch := client.MergeFrom(wr.MachineUser.DeepCopy())
 	patcher(&wr.MachineUser.Status)
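Review bot: The new-key branch is not idempotent: AddMachineKey mints private key material in the IdP before anything durable records it, so if wr.Create or the final Status().Patch fails, the next reconcile calls GetMachineKeyByIDs with the old (or empty) KeyId, sees "not found", mints another key, and Create then presumably fails with AlreadyExists because the Secret from the previous pass already exists, leaving the reconcile stuck while unaccounted keys accumulate on the machine user. Check for the existing Secret (or treat AlreadyExists on Create as the recovery case) before calling AddMachineKey, and remove a key whose Secret or status could not be persisted, so that every key in the IdP is one the controller can still revoke. The "not found" detection by `strings.Contains(err.Error(), "not found")` is fragile; if the client returns gRPC status errors, `if status.Code(err) != codes.NotFound { return fmt.Errorf("getting machine key: %w", err) }` is the robust form and keeps the chain inspectable with errors.Is/As. The patch line uses `ctrlClient.MergeFrom` while the PatchStatus context line just below uses `client.MergeFrom`; unless both aliases are imported (the import block is only partly visible in the first hunk), one of them will not compile. Finally, `patSecret` is a misleading leftover name for the machine-key Secret, and the messages "Error getting JWT" / "Could not unmarshal key details" should be lowercase per Go convention.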