diff --git a/cmd/dkl-store-upload/main.go b/cmd/dkl-store-upload/main.go
index f6ddf6c..a631eb5 100644
--- a/cmd/dkl-store-upload/main.go
+++ b/cmd/dkl-store-upload/main.go
@@ -62,6 +62,7 @@ func main() {
 	req, err := http.NewRequest("POST", outURL, in)
 	fail(err)
 
+	req.Header.Set("Authorization", "Bearer "+*token)
 	req.Header.Set("X-Content-SHA1", sha1Hex)
 
 	log.Print("uploading...")
diff --git a/cmd/dkl-store/main.go b/cmd/dkl-store/main.go
index b7c9242..4bcac06 100644
--- a/cmd/dkl-store/main.go
+++ b/cmd/dkl-store/main.go
@@ -58,6 +58,11 @@ func handleHTTP(w http.ResponseWriter, req *http.Request) {
 		http.ServeFile(w, req, filePath)
 
 	case "POST":
+		if req.Header.Get("Authorization") != ("Bearer " + *uploadToken) {
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+
 		tmpOut := filepath.Join(filepath.Dir(filePath), "."+filepath.Base(filePath))
 
 		if err := os.MkdirAll(filepath.Dir(filePath), 0755); err != nil {