diff --git a/internal/zero/bootstrap/bootstrap.go b/internal/zero/bootstrap/bootstrap.go
index a86e43d68..41dbb4f03 100644
--- a/internal/zero/bootstrap/bootstrap.go
+++ b/internal/zero/bootstrap/bootstrap.go
@@ -20,7 +20,6 @@ import (
 
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/retry"
-	sdk "github.com/pomerium/pomerium/internal/zero/api"
 	connect_mux "github.com/pomerium/pomerium/internal/zero/connect-mux"
 )
 
@@ -34,17 +33,7 @@ const (
 )
 
 // Run initializes the bootstrap config source
-func (svc *Source) Run(
-	ctx context.Context,
-	api *sdk.API,
-	fileCachePath string,
-) error {
-	log.Ctx(ctx).Info().Str("bootstrap-config-path", fileCachePath).
-		Msg("initializing bootstrap config source")
-
-	svc.api = api
-	svc.fileCachePath = fileCachePath
-
+func (svc *Source) Run(ctx context.Context) error {
 	svc.tryLoadFromFile(ctx)
 
 	eg, ctx := errgroup.WithContext(ctx)
@@ -109,18 +98,27 @@ func (svc *Source) updateAndSave(ctx context.Context) error {
 		return fmt.Errorf("load bootstrap config from API: %w", err)
 	}
 
-	err = SaveBootstrapConfigToFile(cfg, svc.fileCachePath, svc.fileCipher)
+	svc.UpdateBootstrap(ctx, *cfg)
+
+	if svc.fileCachePath == nil {
+		return nil
+	}
+
+	err = SaveBootstrapConfigToFile(cfg, *svc.fileCachePath, svc.fileCipher)
 	if err != nil {
 		log.Ctx(ctx).Error().Err(err).
 			Msg("failed to save bootstrap config to file, note it may prevent Pomerium from starting up in case of connectivity issues")
 	}
 
-	svc.UpdateBootstrap(ctx, *cfg)
 	return nil
 }
 
 func (svc *Source) tryLoadFromFile(ctx context.Context) {
-	cfg, err := LoadBootstrapConfigFromFile(svc.fileCachePath, svc.fileCipher)
+	if svc.fileCachePath == nil {
+		return
+	}
+
+	cfg, err := LoadBootstrapConfigFromFile(*svc.fileCachePath, svc.fileCipher)
 	if err != nil {
 		log.Ctx(ctx).Error().Err(err).Msg("failed to load bootstrap config from file")
 		return
diff --git a/internal/zero/bootstrap/new.go b/internal/zero/bootstrap/new.go
index 8bf8b67fa..590b9e81f 100644
--- a/internal/zero/bootstrap/new.go
+++ b/internal/zero/bootstrap/new.go
@@ -25,7 +25,7 @@ type Source struct {
 
 	api *sdk.API
 
-	fileCachePath string
+	fileCachePath *string
 	fileCipher    cipher.AEAD
 
 	checkForUpdate chan struct{}
@@ -33,7 +33,7 @@ type Source struct {
 }
 
 // New creates a new bootstrap config source
-func New(secret []byte) (*Source, error) {
+func New(secret []byte, fileCachePath *string, api *sdk.API) (*Source, error) {
 	cfg := new(config.Config)
 
 	err := setConfigDefaults(cfg)
@@ -54,7 +54,9 @@ func New(secret []byte) (*Source, error) {
 	}
 
 	svc := &Source{
+		api:            api,
 		source:         source{ready: make(chan struct{})},
+		fileCachePath:  fileCachePath,
 		fileCipher:     cipher,
 		checkForUpdate: make(chan struct{}, 1),
 	}
diff --git a/internal/zero/bootstrap/new_test.go b/internal/zero/bootstrap/new_test.go
index 8a2a75517..c729649ca 100644
--- a/internal/zero/bootstrap/new_test.go
+++ b/internal/zero/bootstrap/new_test.go
@@ -11,7 +11,7 @@ import (
 func TestConfigDeterministic(t *testing.T) {
 	secret := []byte("secret")
 
-	src, err := bootstrap.New(secret)
+	src, err := bootstrap.New(secret, nil, nil)
 	require.NoError(t, err)
 	cfg := src.GetConfig()
 	require.NotNil(t, cfg)
@@ -20,7 +20,7 @@ func TestConfigDeterministic(t *testing.T) {
 	require.NoError(t, cfg.Options.Validate())
 
 	// test that the config is deterministic
-	src2, err := bootstrap.New(secret)
+	src2, err := bootstrap.New(secret, nil, nil)
 	require.NoError(t, err)
 
 	cfg2 := src2.GetConfig()
diff --git a/internal/zero/bootstrap/source_test.go b/internal/zero/bootstrap/source_test.go
index 7fad274cb..bd70d823e 100644
--- a/internal/zero/bootstrap/source_test.go
+++ b/internal/zero/bootstrap/source_test.go
@@ -18,7 +18,7 @@ func TestConfigChanges(t *testing.T) {
 
 	secret := []byte("secret")
 
-	src, err := bootstrap.New(secret)
+	src, err := bootstrap.New(secret, nil, nil)
 	require.NoError(t, err)
 
 	ptr := func(s string) *string { return &s }
diff --git a/internal/zero/cmd/command.go b/internal/zero/cmd/command.go
index b26bcad77..644ea5f31 100644
--- a/internal/zero/cmd/command.go
+++ b/internal/zero/cmd/command.go
@@ -28,19 +28,22 @@ func Run(ctx context.Context, configFile string) error {
 		return errors.New("no token provided")
 	}
 
-	bootstrapConfigFileName, err := getBootstrapConfigFileName()
-	if err != nil {
-		return fmt.Errorf("error getting bootstrap config path: %w", err)
-	}
-
-	return controller.Run(
-		withInterrupt(ctx),
+	opts := []controller.Option{
 		controller.WithAPIToken(token),
 		controller.WithClusterAPIEndpoint(getClusterAPIEndpoint()),
 		controller.WithConnectAPIEndpoint(getConnectAPIEndpoint()),
 		controller.WithOTELAPIEndpoint(getOTELAPIEndpoint()),
-		controller.WithBootstrapConfigFileName(bootstrapConfigFileName),
-	)
+	}
+
+	bootstrapConfigFileName, err := getBootstrapConfigFileName()
+	if err != nil {
+		log.Ctx(ctx).Error().Err(err).Msg("would not be able to save cluster bootstrap config, that will prevent Pomerium from starting independent from the control plane")
+	} else {
+		log.Ctx(ctx).Info().Str("file", bootstrapConfigFileName).Msg("cluster bootstrap config path")
+		opts = append(opts, controller.WithBootstrapConfigFileName(bootstrapConfigFileName))
+	}
+
+	return controller.Run(withInterrupt(ctx), opts...)
 }
 
 // IsManagedMode returns true if Pomerium should start in managed mode using this command.
diff --git a/internal/zero/controller/config.go b/internal/zero/controller/config.go
index 016bab07b..9f7b631e2 100644
--- a/internal/zero/controller/config.go
+++ b/internal/zero/controller/config.go
@@ -12,7 +12,7 @@ type controllerConfig struct {
 	otelEndpoint       string
 
 	tmpDir                  string
-	bootstrapConfigFileName string
+	bootstrapConfigFileName *string
 
 	reconcilerLeaseDuration  time.Duration
 	databrokerRequestTimeout time.Duration
@@ -56,7 +56,7 @@ func WithAPIToken(token string) Option {
 // WithBootstrapConfigFileName sets the name of the file to store the bootstrap config in.
 func WithBootstrapConfigFileName(name string) Option {
 	return func(c *controllerConfig) {
-		c.bootstrapConfigFileName = name
+		c.bootstrapConfigFileName = &name
 	}
 }
 
diff --git a/internal/zero/controller/controller.go b/internal/zero/controller/controller.go
index 68a5016fb..5bb958904 100644
--- a/internal/zero/controller/controller.go
+++ b/internal/zero/controller/controller.go
@@ -31,7 +31,7 @@ func Run(ctx context.Context, opts ...Option) error {
 		return fmt.Errorf("init api: %w", err)
 	}
 
-	src, err := bootstrap.New([]byte(c.cfg.apiToken))
+	src, err := bootstrap.New([]byte(c.cfg.apiToken), c.cfg.bootstrapConfigFileName, c.api)
 	if err != nil {
 		return fmt.Errorf("error creating bootstrap config: %w", err)
 	}
@@ -82,7 +82,7 @@ func (c *controller) runBootstrap(ctx context.Context) error {
 	ctx = log.WithContext(ctx, func(c zerolog.Context) zerolog.Context {
 		return c.Str("service", "zero-bootstrap")
 	})
-	return c.bootstrapConfig.Run(ctx, c.api, c.cfg.bootstrapConfigFileName)
+	return c.bootstrapConfig.Run(ctx)
 }
 
 func (c *controller) runPomeriumCore(ctx context.Context) error {