diff --git a/rpc/rpc.go b/rpc/rpc.go
index 498e290e..2b45e732 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -191,10 +191,13 @@ func (s *RPC) Handler() http.Handler {
 	r.Use(middleware.PageRoute("/status", http.HandlerFunc(s.statusHandler)))
 	r.Use(middleware.PageRoute("/favicon.ico", http.HandlerFunc(emptyHandler)))
 
-	userRouter := r.Group(func(r chi.Router) {
-		// Generate attestation document
-		r.Use(attestation.Middleware(s.Enclave))
+	// Generate attestation document
+	r.Use(attestation.Middleware(s.Enclave))
+
+	// Healthcheck
+	r.Use(middleware.PageRoute("/health", http.HandlerFunc(s.healthHandler)))
 
+	userRouter := r.Group(func(r chi.Router) {
 		// Find and decrypt tenant data
 		r.Use(tenant.Middleware(s.Tenants, s.Config.KMS.TenantKeys))
 	})
@@ -203,9 +206,6 @@ func (s *RPC) Handler() http.Handler {
 	adminRouter := r.Group(func(r chi.Router) {
 		// Validate admin JWTs
 		r.Use(access.JWTAuthMiddleware(s.Config.Admin))
-
-		// Generate attestation document
-		r.Use(attestation.Middleware(s.Enclave))
 	})
 	adminRouter.Handle("/rpc/WaasAuthenticatorAdmin/*", proto.NewWaasAuthenticatorAdminServer(s))
 
diff --git a/rpc/status.go b/rpc/status.go
index 4f59a467..b939cef2 100644
--- a/rpc/status.go
+++ b/rpc/status.go
@@ -8,6 +8,7 @@ import (
 
 	waasauthenticator "github.com/0xsequence/waas-authenticator"
 	"github.com/0xsequence/waas-authenticator/proto"
+	"github.com/0xsequence/waas-authenticator/rpc/attestation"
 )
 
 func (s *RPC) Version(ctx context.Context) (*proto.Version, error) {
@@ -46,3 +47,13 @@ func (s *RPC) statusHandler(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 	_ = json.NewEncoder(w).Encode(status)
 }
+
+func (s *RPC) healthHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	att := attestation.FromContext(ctx)
+	if _, err := att.GenerateDataKey(ctx, s.Config.KMS.TenantKeys[0]); err != nil {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+}