diff --git a/README.md b/README.md
index d9e6c646e..bc103f5a6 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,7 @@ rm "$prod" && ln -s "$old" "$prod" - `disable_warning_days`: list of day numbers when a user will get an email warning that their account will be disabled - `disable_day`: day number when a user will be disabled - a "day number" starts counting from the last day that a user logged in, so on day 5, the user last logged in 5 days ago +- `[api]keys` can now be specified in the config file ### 1.5 -> 1.6
diff --git a/defaults/config.ini.default b/defaults/config.ini.default
index e326a038f..cf9781b0a 100644
--- a/defaults/config.ini.default
+++ b/defaults/config.ini.default
@@ -132,3 +132,6 @@ disable_warning_days[] = 360
 disable_warning_days[] = 380
 disable_warning_days[] = 399
 disable_day = 400
+
+[api]
+keys[] = insert_key_here ; API keys for admin/api/...
diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php
index 5c4a3b5f5..59dd15d60 100644
--- a/resources/lib/UnityHTTPD.php
+++ b/resources/lib/UnityHTTPD.php
@@ -420,4 +420,16 @@ public static function getCSRFTokenHiddenFormInput(): string
 $token = htmlspecialchars(CSRFToken::generate());
 return "";
 }
+
+ public static function validateAPIKey(): void
+ {
+ $authorization = $_SERVER["HTTP_AUTHORIZATION"] ?? "";
+ if (!str_starts_with($authorization, "Bearer ")) {
+ self::badRequest("HTTP_AUTHORIZATION is not Bearer", "invalid HTTP_AUTHORIZATION");
+ }
+ $key = substr($authorization, strlen("Bearer "));
+ if (!in_array($key, CONFIG["api"]["keys"])) {
+ self::forbidden("API key not found in config", "forbidden");
+ }
+ }
 }
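Review bot: The shipped default `keys[] = insert_key_here` is a live entry as far as the new `validateAPIKey()` in the UnityHTTPD.php hunk is concerned: `in_array($key, CONFIG["api"]["keys"])` accepts the literal string `insert_key_here` on any deployment that copies this defaults file unedited. Ship the line commented out, `; keys[] = insert_key_here ; API keys for admin/api/...`, so an unconfigured install has no accepted key, or have the validator refuse the placeholder value. The README hunk documents the new option but does not say that every configured value is a full-privilege credential that must be set per deployment.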
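Review bot: `in_array($key, CONFIG["api"]["keys"])` compares loosely and in variable time: with loose comparison a configured key that happens to be a numeric string matches any numerically equal form (constructed example: `"100"` is `==` to `"1e2"` in PHP 8), and a missing `[api]` section passes `null` to `in_array`, which raises a TypeError instead of the intended 403. Compare each configured key with `hash_equals()` and default the list with `?? []`, as in the excerpt below. If `badRequest()` returns rather than terminating (its definition is outside the hunk), the `substr` and the key comparison still run for a non-Bearer header, so an explicit `return;` after that call would make the early exit unconditional. The method is fully inside the hunk; the trailing `}` context line closes the class.
```php
        $key = substr($authorization, strlen("Bearer "));
        // hash_equals(): constant-time, string-only comparison; no [api] section means no accepted key
        $matched = false;
        foreach (CONFIG["api"]["keys"] ?? [] as $configuredKey) {
            if (is_string($configuredKey) && hash_equals($configuredKey, $key)) {
                $matched = true;
            }
        }
        if (!$matched) {
            self::forbidden("API key not found in config", "forbidden");
        }
```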