diff --git a/vieter/auth.v b/vieter/auth.v
new file mode 100644
index 0000000..eab63c8
--- /dev/null
+++ b/vieter/auth.v
@@ -0,0 +1,11 @@
+module main
+
+import net.http
+
+fn (mut app App) is_authorized() bool {
+	x_header := app.req.header.get_custom('X-Api-Key', http.HeaderQueryConfig{ exact: true }) or {
+		return false
+	}
+
+	return x_header.trim_space() == app.api_key
+}
diff --git a/vieter/routes.v b/vieter/routes.v
index a8e5e1a..0b570ca 100644
--- a/vieter/routes.v
+++ b/vieter/routes.v
@@ -38,6 +38,10 @@ fn (mut app App) get_root(filename string) web.Result {
 
 ['/pkgs/:pkg'; put]
 fn (mut app App) put_package(pkg string) web.Result {
+	if !app.is_authorized() {
+		return app.text('Unauthorized.')
+	}
+
 	if !is_pkg_name(pkg) {
 		app.lwarn("Invalid package name '$pkg'.")