diff --git a/src/api/hit.rs b/src/api/hit.rs
index 4e75f55..90cbc81 100644
--- a/src/api/hit.rs
+++ b/src/api/hit.rs
@@ -1,3 +1,4 @@
+use crate::auth::Authenticated;
 use crate::dtos::hit::HitDTO;
 use crate::models::AppState;
 use crate::models::hit::Hit;
@@ -14,6 +15,7 @@ use uuid::Uuid;
 pub fn index(
 offset: Option,
 limit: Option,
+ auth: Authenticated,
 state: &State,
 ) -> Result>, Status> {
 let mut db = state.db.lock().unwrap();
@@ -35,7 +37,7 @@ pub fn index(
 }
 #[get("/")]
-pub fn get(id: &str, state: &State) -> Result, Status> {
+pub fn get(id: &str, auth: Authenticated, state: &State) -> Result, Status> {
 let mut db = state.db.lock().unwrap();
 let id = match Uuid::parse_str(id).ok() {
@@ -55,7 +57,7 @@ pub fn get(id: &str, state: &State) -> Result, Status> {
 }
 #[delete("/")]
-pub fn delete(id: &str, state: &State) -> Result {
+pub fn delete(id: &str, auth: Authenticated, state: &State) -> Result {
 let mut db = state.db.lock().unwrap();
 let id = match Uuid::parse_str(id).ok() {
diff --git a/src/api/tracker.rs b/src/api/tracker.rs
index 6dbfb17..13ea7b7 100644
--- a/src/api/tracker.rs
+++ b/src/api/tracker.rs
@@ -1,3 +1,4 @@
+use crate::auth::Authenticated;
 use crate::dtos::tracker::TrackerDTO;
 use crate::models::AppState;
 use crate::models::tracker::Tracker;
@@ -15,6 +16,7 @@ use uuid::Uuid;
 pub fn index(
 offset: Option,
 limit: Option,
+ auth: Authenticated,
 state: &State,
 ) -> Result>, Status> {
 let mut db = state.db.lock().unwrap();
@@ -36,7 +38,11 @@ pub fn index(
 }
 #[get("/")]
-pub fn get(id: &str, state: &State) -> Result, Status> {
+pub fn get(
+ id: &str,
+ auth: Authenticated,
+ state: &State,
+) -> Result, Status> {
 let mut db = state.db.lock().unwrap();
 let id = match Uuid::parse_str(id).ok() {
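Review bot: The new `auth: Authenticated` parameter is never read in `index` (src/api/hit.rs, hunk `@@ -14,6 +15,7 @@`), so rustc will likely warn about an unused variable; binding it as `_auth: Authenticated` keeps the guard in place and makes it explicit that the argument exists only to gate the route. The same applies to `get` and `delete` in hit.rs and to `index`, `get`, `create` and `delete` in tracker.rs. Because the guard is opt-in per handler, any route not touched here stays unauthenticated: src/main.rs imports `crate::api::image` and no image handler appears in this diff, so confirm whether those routes are meant to be public. The handler bodies continue outside the hunks, so this is based on the visible signatures only.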
@@ -56,7 +62,7 @@ pub fn get(id: &str, state: &State) -> Result, Status
 }
 #[post("/")]
-pub fn create(state: &State) -> Result, Status> {
+pub fn create(auth: Authenticated, state: &State) -> Result, Status> {
 let mut db = state.db.lock().unwrap();
 let new = Tracker {
@@ -79,6 +85,7 @@ pub fn create(state: &State) -> Result, Status> {
 pub fn delete(
 id: &str,
 delete_hits: Option,
+ auth: Authenticated,
 state: &State,
 ) -> Result {
 let mut db = state.db.lock().unwrap();
diff --git a/src/auth.rs b/src/auth.rs
new file mode 100644
index 0000000..23ce3f4
--- /dev/null
+++ b/src/auth.rs
@@ -0,0 +1,24 @@
+use rocket::Request;
+use rocket::http::Status;
+use rocket::request::{FromRequest, Outcome};
+use std::env;
+
+pub struct Authenticated;
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for Authenticated {
+ type Error = ();
+
+ async fn from_request(req: &'r Request<'_>) -> Outcome {
+ let token = req.headers().get_one("Authorization");
+ if let Some(token) = token {
+ if token == env::var("API_KEY").unwrap().as_str() {
+ Outcome::Success(Authenticated)
+ } else {
+ Outcome::Error((Status::Unauthorized, ()))
+ }
+ } else {
+ Outcome::Error((Status::Unauthorized, ()))
+ }
+ }
+}
diff --git a/src/main.rs b/src/main.rs
index 4971bb8..ce2d76f 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -2,6 +2,7 @@ mod api;
 mod dtos;
 mod models;
 mod schema;
+mod auth;
 use crate::api::hit;
 use crate::api::image;
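Review bot: In `from_request` (src/auth.rs), `token == env::var("API_KEY").unwrap().as_str()` checks the API key with an early-exit string comparison, so response timing can depend on how much of the key matched, and the `unwrap()` panics on every request when `API_KEY` is unset. An `API_KEY` that is set but empty would also be matched by an empty `Authorization` header. The guard should reject a missing or empty key without panicking and compare in constant time; the sketch below uses `ct_eq` from the `subtle` crate, which would be a new dependency. Reading the key once at launch into managed state, and refusing to start without it, would be cleaner still. A doc comment on `Authenticated` stating that the header must carry the raw key with no scheme prefix would help callers.

```rust
// … unchanged: from_request signature …
        // Fail closed without panicking when API_KEY is unset or empty.
        let expected = match env::var("API_KEY") {
            Ok(key) if !key.is_empty() => key,
            _ => return Outcome::Error((Status::InternalServerError, ())),
        };
        match req.headers().get_one("Authorization") {
            // ct_eq (subtle::ConstantTimeEq) avoids the early exit of `==` on the secret.
            Some(token) if bool::from(token.as_bytes().ct_eq(expected.as_bytes())) => {
                Outcome::Success(Authenticated)
            }
            _ => Outcome::Error((Status::Unauthorized, ())),
        }
```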