diff --git a/briar-headless/src/main/java/org/briarproject/briar/headless/Main.kt b/briar-headless/src/main/java/org/briarproject/briar/headless/Main.kt
index 0cad5534f..74abc50f7 100644
--- a/briar-headless/src/main/java/org/briarproject/briar/headless/Main.kt
+++ b/briar-headless/src/main/java/org/briarproject/briar/headless/Main.kt
@@ -17,6 +17,7 @@ import java.lang.System.setProperty
 import java.nio.file.Files.setPosixFilePermissions
 import java.nio.file.attribute.PosixFilePermission
 import java.nio.file.attribute.PosixFilePermission.*
+import java.util.UUID.randomUUID
 import java.util.logging.Level.*
 import java.util.logging.LogManager
@@ -63,14 +64,17 @@ class Main : CliktCommand(
 setProperty(DEFAULT_LOG_LEVEL_KEY, levelSlf4j);
 LogManager.getLogManager().getLogger("").level = level
+ val dataDir = getDataDir()
+ val authToken = getOrCreateAuthToken(dataDir)
+
 val app =
- DaggerBriarHeadlessApp.builder().headlessModule(HeadlessModule(getDataDir())).build()
+ DaggerBriarHeadlessApp.builder().headlessModule(HeadlessModule(dataDir)).build()
 // We need to load the eager singletons directly after making the
 // dependency graphs
 BrambleCoreModule.initEagerSingletons(app)
 BriarCoreModule.initEagerSingletons(app)
- app.router().start(port, debug)
+ app.router().start(authToken, port, debug)
 }
 private fun getDataDir(): File {
@@ -87,6 +91,19 @@ class Main : CliktCommand(
 setPosixFilePermissions(file.toPath(), perms);
 return file
 }
+
+ private fun getOrCreateAuthToken(dataDir: File): String {
+ val tokenFile = File(dataDir, "auth_token")
+ return if (tokenFile.isFile) {
+ tokenFile.readText()
+ } else {
+ // TODO use better way of getting random token?
+ val authToken = randomUUID().toString()
+ tokenFile.writeText(authToken)
+ authToken
+ }
+ }
+
 }
 fun main(args: Array) = Main().main(args)
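Review bot: The new `getOrCreateAuthToken` writes the bearer token with `writeText`, so `auth_token` gets whatever mode the process umask yields; the only permission call visible here is the one on the data directory, and its `perms` value is built outside this hunk. I would restrict the token file itself to the owner before the secret is written, and trim the stored value and reject an empty one when an existing file is read, since a blank or newline-terminated file would otherwise become the credential as-is. The TODO can be resolved by drawing 32 bytes from `SecureRandom` instead of formatting a UUID, which carries 122 random bits in a fixed layout. `setPosixFilePermissions` and the `PosixFilePermission` constants are already imported in this file, and `getDataDir` starts outside the hunk.

```kotlin
    private fun getOrCreateAuthToken(dataDir: File): String {
        val tokenFile = File(dataDir, "auth_token")
        if (tokenFile.isFile) {
            // Tolerate a trailing newline, but never accept an empty token.
            val stored = tokenFile.readText().trim()
            if (stored.isNotEmpty()) return stored
        }
        // 256 bits from the platform CSPRNG, hex-encoded.
        val bytes = ByteArray(32)
        java.security.SecureRandom().nextBytes(bytes)
        val authToken = bytes.joinToString("") { "%02x".format(it) }
        // Restrict the file to its owner before the secret is written to it.
        tokenFile.createNewFile()
        setPosixFilePermissions(tokenFile.toPath(), setOf(OWNER_READ, OWNER_WRITE))
        tokenFile.writeText(authToken)
        return authToken
    }
```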
diff --git a/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt b/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt
index d8be0dbf4..b27286cd2 100644
--- a/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt
+++ b/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt
@@ -25,7 +25,7 @@ constructor(
 private val blogController: BlogController
 ) {
- fun start(port: Int, debug: Boolean) {
+ fun start(authToken: String, port: Int, debug: Boolean) {
 briarService.start()
 getRuntime().addShutdownHook(Thread(Runnable { briarService.stop() }))
@@ -39,6 +39,13 @@ constructor(
 if (debug) app.enableDebugLogging()
 app.start()
+ app.accessManager { handler, ctx, _ ->
+ if (ctx.header("Authorization") == "Bearer $authToken") {
+ handler.handle(ctx)
+ } else {
+ ctx.status(401).result("Unauthorized")
+ }
+ }
 app.routes {
 path("/v1") {
 path("/contacts") {
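Review bot: The token check in the `accessManager` lambda compares the header with `==`, which stops at the first differing character; a constant-time comparison such as `MessageDigest.isEqual((ctx.header("Authorization") ?: "").toByteArray(), "Bearer $authToken".toByteArray())` avoids revealing how much of the token matched and makes the missing-header case explicit. The 401 branch should also set `ctx.header("WWW-Authenticate", "Bearer")` so a client can tell which scheme is expected. It is worth confirming that every handler this router registers passes through the access manager, since the rest of `start` lies outside the hunk.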