diff --git a/internal/api/server.go b/internal/api/server.go
index 83802b4a..9751f41d 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -331,6 +331,8 @@ func (s *Server) registerManagementRoutes() {
 		return
 	}
 
+	log.Info("management routes registered after secret key configuration")
+
 	mgmt := s.engine.Group("/v0/management")
 	mgmt.Use(s.managementAvailabilityMiddleware(), s.mgmt.Middleware())
 	{
diff --git a/internal/watcher/watcher.go b/internal/watcher/watcher.go
index 6819b9fa..7011ce81 100644
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -533,7 +533,12 @@ func (w *Watcher) reloadConfig() bool {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}
 		if oldConfig.RemoteManagement.SecretKey != newConfig.RemoteManagement.SecretKey {
-			log.Debug("  remote-management.secret-key: updated (value hidden)")
+			log.Debug("  remote-management.secret-key: updated")
+			if newConfig.RemoteManagement.SecretKey == "" {
+				log.Info("management routes will be disabled after secret key removal")
+			} else {
+				log.Info("management routes will be enabled after secret key update")
+			}
 		}
 		if oldConfig.RemoteManagement.DisableControlPanel != newConfig.RemoteManagement.DisableControlPanel {
 			log.Debugf("  remote-management.disable-control-panel: %t -> %t", oldConfig.RemoteManagement.DisableControlPanel, newConfig.RemoteManagement.DisableControlPanel)