diff --git a/cmd/dkl-local-server/http.go b/cmd/dkl-local-server/http.go
index fb4e1e3..8dea7b0 100644
--- a/cmd/dkl-local-server/http.go
+++ b/cmd/dkl-local-server/http.go
@@ -20,6 +20,7 @@ import (
 
 var (
 hostsToken = flag.String("hosts-token", "", "Token to give to access /hosts (open is none)")
+ adminToken = flag.String("admin-token", "", "Token to give to access to admin actions (open is none)")
 
 reHost = regexp.MustCompile("^/hosts/([^/]+)/([^/]+)$")
 
@@ -27,14 +28,22 @@ var (
 )
 
 func authorizeHosts(r *http.Request) bool {
- if *hostsToken == "" {
+ return authorizeToken(r, *hostsToken)
+}
+
+func authorizeAdmin(r *http.Request) bool {
+ return authorizeToken(r, *adminToken)
+}
+
+func authorizeToken(r *http.Request, token string) bool {
+ if token == "" {
 // access is open
 return true
 }
 
 reqToken := r.Header.Get("Authorization")
 
- return reqToken == "Bearer "+*hostsToken
+ return reqToken == "Bearer "+token
 }
 
 func forbidden(w http.ResponseWriter, r *http.Request) {
@@ -256,7 +265,7 @@ func serveCluster(w http.ResponseWriter, r *http.Request) {
 }
 
 func uploadConfig(w http.ResponseWriter, r *http.Request) {
- if !authorizeHosts(r) { // FIXME admin token instead
+ if !authorizeAdmin(r) {
 forbidden(w, r)
 return
 }
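Review bot: The `-admin-token` secret added to the `var (` block is read from the command line, where it is usually visible to other local users through the process list. That is worth documenting, and the server could also accept the token from an environment variable or a file. The help text is also easy to misread: `(open is none)` means that leaving the flag empty disables authentication for admin actions, so I would spell it out, e.g. `"Bearer token required for admin actions (empty disables authentication)"`. Both remarks apply equally to the existing `-hosts-token` line.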
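Review bot: `authorizeToken` checks the presented credential with `reqToken == "Bearer "+token`, an ordinary string comparison whose running time can depend on how many leading bytes match. For a secret this is better written as `subtle.ConstantTimeCompare([]byte(reqToken), []byte("Bearer "+token)) == 1`, which needs `crypto/subtle` added to the import block outside this hunk. The new helper also deserves a doc comment saying that an empty `token` disables the check, e.g. `// authorizeToken reports whether r carries "Bearer <token>"; an empty token allows every request.`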
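Review bot: After this switch `uploadConfig` is no longer covered by `-hosts-token`: in a deployment that sets only that flag, `authorizeAdmin` returns true for every request, because `adminToken` defaults to empty and `authorizeToken` treats an empty token as open. Unless that is intended, `authorizeAdmin` could fall back to the hosts token with `if *adminToken == "" { return authorizeToken(r, *hostsToken) }`, or the server could refuse to start without an admin token. Either way the upgrade notes should mention the change. The rest of `uploadConfig` lies outside the hunk.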