diff --git a/castellan/key_manager/barbican_key_manager.py b/castellan/key_manager/barbican_key_manager.py
index 0a4bdd5..bc756de 100644
--- a/castellan/key_manager/barbican_key_manager.py
+++ b/castellan/key_manager/barbican_key_manager.py
@@ -70,6 +70,12 @@
 default=True,
 help='Specifies if insecure TLS (https) requests. If False, '
 'the server\'s certificate will not be validated'),
+ cfg.StrOpt('barbican_endpoint_type',
+ default='public',
+ choices=['public', 'internal', 'admin'],
+ help='Specifies the type of endpoint. Allowed values are: '
+ 'public, private, and admin'),
+
 ]
 
 BARBICAN_OPT_GROUP = 'barbican'
@@ -183,12 +189,13 @@
 raise exception.Forbidden(reason=msg)
 
 def _get_barbican_endpoint(self, auth, sess):
- if self.conf.barbican.barbican_endpoint:
- return self.conf.barbican.barbican_endpoint
+ barbican = self.conf.barbican
+ if barbican.barbican_endpoint:
+ return barbican.barbican_endpoint
 else:
 service_parameters = {'service_type': 'key-manager',
 'service_name': 'barbican',
- 'interface': 'public'}
+ 'interface': barbican.barbican_endpoint_type}
 return auth.get_endpoint(sess, **service_parameters)
 
 def _create_base_url(self, auth, sess, endpoint):
diff --git a/castellan/options.py b/castellan/options.py
index e6bc245..e748fd9 100644
--- a/castellan/options.py
+++ b/castellan/options.py
@@ -40,7 +40,8 @@
 barbican_api_version=None, auth_endpoint=None,
 retry_delay=None, number_of_retries=None, verify_ssl=None,
 api_class=None, vault_root_token_id=None, vault_url=None,
- vault_ssl_ca_crt_file=None, vault_use_ssl=None):
+ vault_ssl_ca_crt_file=None, vault_use_ssl=None,
+ barbican_endpoint_type=None):
 """Set defaults for configuration values.
 
 Overrides the default options values.
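Review bot: The help string added for `barbican_endpoint_type` in the `@@ -70,6 +70,12 @@` hunk of barbican_key_manager.py lists "public, private, and admin", but `choices` accepts `'internal'`, not `'private'`. An operator who follows the help text would set a value outside `choices`. Change the last help line to `'public, internal, and admin'),`. Because this option decides which catalog interface carries key-manager traffic, the help could also state that it is ignored when `barbican_endpoint` is set explicitly.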
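Review bot: In the `@@ -183,12 +189,13 @@` hunk, `_get_barbican_endpoint` ignores `barbican_endpoint_type` whenever `barbican_endpoint` is set, and nothing in the method documents that precedence. A one-line docstring would make it explicit, for example `"""Return the configured barbican_endpoint, else the catalog endpoint for barbican_endpoint_type."""`. As a style point, the `else:` after the `return` is redundant and the catalog lookup could be dedented. The whole method is visible in the hunk.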
@@ -56,6 +57,8 @@
 :param vault_url: Use this for the url for vault.
 :param vault_use_ssl: Use this to force vault driver to use ssl.
 :param vault_ssl_ca_crt_file: Use this for the CA file for vault.
+ :param barbican_endpoint_type: Use this to specify the type of URL.
+ : Valid values are: public, internal or admin.
 """
 conf.register_opts(km.key_manager_opts, group='key_manager')
 if bkm:
@@ -86,6 +89,9 @@
 group=bkm.BARBICAN_OPT_GROUP)
 if verify_ssl is not None:
 conf.set_default('verify_ssl', verify_ssl,
+ group=bkm.BARBICAN_OPT_GROUP)
+ if barbican_endpoint_type is not None:
+ conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
 group=bkm.BARBICAN_OPT_GROUP)
 
 if vkm is not None:
diff --git a/castellan/tests/unit/test_options.py b/castellan/tests/unit/test_options.py
index e1ac3f3..bd8c3ff 100644
--- a/castellan/tests/unit/test_options.py
+++ b/castellan/tests/unit/test_options.py
@@ -66,3 +66,8 @@
 options.set_defaults(conf, verify_ssl=True)
 self.assertEqual(verify_ssl,
 conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
+
+ barbican_endpoint_type = 'internal'
+ options.set_defaults(conf, barbican_endpoint_type='internal')
+ result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type
+ self.assertEqual(barbican_endpoint_type, result_type)
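Review bot: The added docstring continuation `: Valid values are: public, internal or admin.` in the `@@ -56,6 +57,8 @@` hunk of options.py begins with a stray colon, so it does not read as part of the `:param barbican_endpoint_type:` field. Drop the colon and indent the line under the parameter text: `Valid values are: public, internal or admin.`. The first line also says "type of URL" where the option help says "type of endpoint"; using one term in both places would be clearer. The docstring begins outside this hunk.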
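Review bot: The assertions added in test_options.py only check that `set_defaults` stores the value; nothing in this diff tests that `_get_barbican_endpoint` passes it as `interface` to `auth.get_endpoint`, which is the behaviour the commit changes. A unit test with `barbican_endpoint` unset and `barbican_endpoint_type='internal'` that asserts on the `interface` argument would cover it, unless one already exists outside this diff. The call could also reuse the local instead of repeating the literal: `options.set_defaults(conf, barbican_endpoint_type=barbican_endpoint_type)`. The test method starts outside the hunk.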