diff --git a/kdc/httpkadmind.8 b/kdc/httpkadmind.8
index e191ac445..034db2be8 100644
--- a/kdc/httpkadmind.8
+++ b/kdc/httpkadmind.8
@@ -70,9 +70,11 @@ Serves the following resources:
 .Pp
 The
 .Ar /get-keys
-end-point allows callers to get keytab content for named
-principals, possibly performing write operations such as creating
-a non-existent principal, or rotating its keys, if requested.
+end-point allows callers to get a principal's keys in
+.Dq keytab
+format for named principals, possibly performing write operations
+such as creating a non-existent principal, or rotating its keys,
+if requested.
 .Pp
 The
 .Ar /get-config
@@ -409,6 +411,17 @@ Configuration parameters specific to
 .Pp
 The
 .Nm [ext_keytab]
+.Nm get_keys_max_spns = NUMBER
+parameter can be used to specify a maximum number of principals whose
+keys can be retrieved in one
+.Nm GET
+of the
+.Nm /get-keys
+end-point.
+Defaults to 400.
+.Pp
+The
+.Nm [ext_keytab]
 .Nm new_hostbased_service_principal_attributes
 parameter may be used instead of virtual host-based service namespace principals to specify the attributes of new principals
diff --git a/kdc/httpkadmind.c b/kdc/httpkadmind.c
index a8a3d1b5e..a625f37e0 100644
--- a/kdc/httpkadmind.c
+++ b/kdc/httpkadmind.c
@@ -1585,8 +1585,9 @@ get_keysN(kadmin_request_desc r, const char *method)
 return bad_503(r, ret, "Out of memory");
 }
- /* FIXME: Make this configurable */
- if (nspns + nsvcs * nhosts > 40)
+ if (nspns + nsvcs * nhosts >
+ krb5_config_get_int_default(r->context, NULL, 400,
+ "ext_keytab", "get_keys_max_spns", NULL))
 return bad_403(r, EINVAL, "Requested keys for too many principals");
 ret = make_keytab(r);
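Review bot: In the kdc/httpkadmind.c hunk, the value read from `[ext_keytab] get_keys_max_spns` is compared against `nspns + nsvcs * nhosts` with no range check, so a zero, negative or mistyped setting changes the cap in ways an operator may not expect. krb5_config_get_int_default() returns an int; if the counters are unsigned (their declarations are outside this hunk), a negative setting converts to a very large bound and effectively removes the limit on how many principals a single GET can fetch, create or rotate keys for. I would read the setting into a local first, `int max_spns = krb5_config_get_int_default(r->context, NULL, 400, "ext_keytab", "get_keys_max_spns", NULL);`, fall back with `if (max_spns < 1) max_spns = 400;`, and only then compare against it. get_keysN starts and ends outside the hunk, so the declaration has to go wherever the function keeps its locals.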