diff --git a/dist/errors-static/400-wkd-invalid.htm b/dist/errors-static/400-wkd-invalid.htm
new file mode 100644
index 0000000..2cfd37d
--- /dev/null
+++ b/dist/errors-static/400-wkd-invalid.htm
@@ -0,0 +1,2 @@
+

Error 400 Invalid request

+

See https://keys.openpgp.org/about/api

diff --git a/dist/errors-static/404-wkd.htm b/dist/errors-static/404-wkd.htm
new file mode 100644
index 0000000..0ea2f84
--- /dev/null
+++ b/dist/errors-static/404-wkd.htm
@@ -0,0 +1 @@
+No key found for this email address.
diff --git a/hagrid-routes.conf b/hagrid-routes.conf
index 9464b59..c530cdc 100644
--- a/hagrid-routes.conf
+++ b/hagrid-routes.conf
@@ -93,6 +93,34 @@ location /pks/lookup {
 return 400;
 }
+# WKD requests
+location /.well-known/openpgpkey {
+ etag off;
+
+ location ~ "^/.well-known/openpgpkey/([^/]+)/hu/([^/][^/])([^/][^/])(.*)" {
+ limit_req zone=search_email burst=50 nodelay;
+ error_page 429 /errors-static/429-rate-limit-vks-email.htm;
+
+ error_page 404 /errors-static/404-wkd.htm;
+ default_type application/pgp-keys;
+ add_header Content-Disposition 'attachment; filename="$2$3$4.asc"';
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Cache-Control' 'no-cache';
+ try_files /keys/links/wkd/$1/$2/$3/$4 =404;
+ }
+
+ location = /.well-known/openpgpkey/policy {
+ default_type text/plain;
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Cache-Control' 'no-cache';
+ return 200 '';
+ }
+
+ add_header 'Access-Control-Allow-Origin' '*';
+ error_page 400 /errors-static/400-wkd-invalid.htm;
+ return 400;
+}
+
 location /pks/internal {
 internal;
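Review bot: The captures in the `hu` location are wider than the data they stand for, and they feed both a response header and a file path: `[^/]` and `(.*)` accept any decoded character, including quotes and control characters, and `$2$3$4` is copied into `Content-Disposition` as well as into the `try_files` path. As written the header is only added on success-class responses, i.e. when a matching file exists, which limits the exposure, but anchoring the pattern to the WKD hash format removes the question, e.g. `location ~ "^/\.well-known/openpgpkey/([^/]+)/hu/([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{28})$" {` if the stored names are the 32-character z-base-32 hashes; `$1` could be narrowed to hostname characters in the same way. Separately, `add_header` without `always` is skipped on 4xx responses, so the `Access-Control-Allow-Origin` lines will not reach the 400, 404 and 429 answers; `add_header 'Access-Control-Allow-Origin' '*' always;` covers them. The `location /pks/internal` block in the trailing context continues outside the visible lines.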