diff --git a/src/internal/controller/apiapp_controller.go b/src/internal/controller/apiapp_controller.go
index baf712d..d14638b 100644
--- a/src/internal/controller/apiapp_controller.go
+++ b/src/internal/controller/apiapp_controller.go
@@ -198,7 +198,7 @@ func (wr *wrappedAPIAppReconciler) reconcileKeys(ctx context.Context, ztdClient
 			return err
 		}
 		if wr.APIApp.Status.KeyId != "" {
-			_, err := ztdClient.GetAppKey(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppKeyRequest{
+			appKey, err := ztdClient.GetAppKey(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppKeyRequest{
 				ProjectId: project.Status.ProjectId,
 				AppId:     wr.APIApp.Status.AppId,
 				KeyId:     wr.APIApp.Status.KeyId,
@@ -208,6 +208,9 @@ func (wr *wrappedAPIAppReconciler) reconcileKeys(ctx context.Context, ztdClient
 					return fmt.Errorf("Could not get key: %v", err)
 				}
 			}
+			if appKey.Key != nil {
+				return nil
+			}
 		}
 		resp, err := ztdClient.AddAppKey(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.AddAppKeyRequest{
 			ProjectId:      project.Status.ProjectId,
@@ -231,7 +234,7 @@ func (wr *wrappedAPIAppReconciler) reconcileKeys(ctx context.Context, ztdClient
 			return fmt.Errorf("error building Secret: %v", err)
 		}
 		if err := wr.Create(ctx, secret); err != nil {
-			return fmt.Errorf("error creating Client-secret Secret: %v", err)
+			return fmt.Errorf("error creating private-key Secret: %v", err)
 		}
 		patch := ctrlClient.MergeFrom(wr.APIApp.DeepCopy())
 		wr.APIApp.Status.KeyId = resp.Id