diff --git a/src/routes/directoryserver.js b/src/routes/directoryserver.js
index 65f779993..868b97131 100644
--- a/src/routes/directoryserver.js
+++ b/src/routes/directoryserver.js
@@ -23,7 +23,9 @@ async function setConfig(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 
     if (typeof req.body.enabled !== 'boolean') return next(new HttpError(400, 'enabled must be a boolean'));
-    if (typeof req.body.secret !== 'string') return next(new HttpError(400, 'secret must be a string'));
+
+    // these can still be there when enabled=false so that the values are preserved
+    if ('secret' in req.body && typeof req.body.secret !== 'string') return next(new HttpError(400, 'secret must be a string'));
     if ('allowlist' in req.body && typeof req.body.allowlist !== 'string') return next(new HttpError(400, 'allowlist must be a string'));
 
     const [error] = await safe(directoryServer.setConfig(req.body));