diff --git a/lib/haibu/drone/service.js b/lib/haibu/drone/service.js
index cecd419..a5100ee 100644
--- a/lib/haibu/drone/service.js
+++ b/lib/haibu/drone/service.js
@@ -18,7 +18,23 @@ exports.createRouter = function (drone) {
 // TODO (indexzero): Setup token-based auth for Drone API servers
 //
 haibu.router.strict = false;
-
+
+ var authToken;
+ if (authToken = haibu.config.get('authToken')) {
+ //
+ // Check if X-Auth-Token header matches with one in options
+ //
+ haibu.router.every.before = function (next) {
+ if (this.req.headers['x-auth-token'] === authToken) {
+ next();
+ return true;
+ }
+
+ haibu.sendResponse(this.res, 403, { message: 'Wrong auth token' });
+ return false;
+ };
+ }
+
 //
 // ### Default Root
 // `GET /` responds with default JSON message
diff --git a/test/drone/auth-token-test.js b/test/drone/auth-token-test.js
new file mode 100644
index 0000000..0fc6d11
--- /dev/null
+++ b/test/drone/auth-token-test.js
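Review bot: In lib/haibu/drone/service.js the new `every.before` hook checks the secret with `this.req.headers['x-auth-token'] === authToken`, an ordinary string comparison whose running time depends on where the first mismatch falls; comparing fixed-length digests with `crypto.timingSafeEqual` removes that dependence (it needs `crypto` required at the top of the file and a Node release that ships the function). The hook is installed only when `authToken` is set, so a drone started without one serves the whole API unauthenticated and nothing in this hunk logs that; a startup warning would make the fail-open case visible. The assignment inside the `if` condition is also split into a declaration and a plain test below. `exports.createRouter` starts and ends outside this hunk.

```javascript
  var authToken = haibu.config.get('authToken');
  if (authToken) {
    // Hash both sides so the buffers given to timingSafeEqual always have equal length.
    var expected = crypto.createHash('sha256').update(String(authToken)).digest();

    haibu.router.every.before = function (next) {
      var supplied = crypto.createHash('sha256')
        .update(String(this.req.headers['x-auth-token'] || ''))
        .digest();

      if (crypto.timingSafeEqual(supplied, expected)) {
        // … unchanged: next() and return true …
      }
      // … unchanged: 403 response and return false …
    };
  }
```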
@@ -0,0 +1,66 @@
+/*
+ * drone-api-test.js: Tests for the `drone` module's RESTful API.
+ *
+ * (C) 2010, Nodejitsu Inc.
+ *
+ */
+
+var assert = require('assert'),
+ exec = require('child_process').exec,
+ fs = require('fs'),
+ path = require('path'),
+ eyes = require('eyes'),
+ request = require('request'),
+ vows = require('vows'),
+ helpers = require('../helpers'),
+ data = require('../fixtures/apps'),
+ haibu = require('../../lib/haibu');
+
+var ipAddress = '127.0.0.1',
+ port = 9000,
+ app = data.apps[0],
+ server;
+
+app.user = 'marak';
+
+haibu.config.set('authToken', 'haibu');
+var auth = {
+ 'X-Auth-Token': 'haibu'
+ },
+ noAuth = {
+ 'X-Auth-Token': 'not-haibu'
+ };
+
+vows.describe('haibu/drone/api').addBatch(
+ helpers.requireStart(port, function (_server) {
+ server = _server;
+ })
+).addBatch({
+ "When using the drone server": {
+ "with incorrect auth token": {
+ "a request against /": helpers.requireResponse('/', noAuth, 403),
+ "a request against /version": helpers.requireResponse(
+ '/version',
+ noAuth,
+ 403
+ )
+ },
+ "with correct auth token": {
+ "a request against /": helpers.requireResponse('/', auth, 400),
+ "a request against /version": helpers.requireResponse(
+ '/version',
+ auth,
+ 200
+ )
+ }
+ }
+}).addBatch({
+ "when the tests are over": {
+ topic: function () {
+ return false;
+ },
+ "the server should clean up": function () {
+ server.close();
+ }
+ }
+}).export(module);
diff --git a/test/helpers.js b/test/helpers.js
index 3be2337..1685b6b 100644
--- a/test/helpers.js
+++ b/test/helpers.js
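Review bot: The batch in test/drone/auth-token-test.js never sends a request with the header absent, which is the most common unauthenticated case; adding `"a request against / with no token": helpers.requireResponse('/', {}, 403)` under the incorrect-token context would pin it. `haibu.config.set('authToken', 'haibu')` changes shared configuration and the final batch only closes the server, so suites that run later in the same process may inherit the token; it is presumably worth resetting there. The header comment and `vows.describe('haibu/drone/api')` still carry the name of the API test rather than this file, and the `exec`, `fs`, `path`, `eyes` and `request` requires are not used in the lines shown.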
@@ -129,4 +129,23 @@ helpers.assertTestApp = function () {
 return helpers.assertApp("should respond with 'hello, i know nodejitsu.'", function (err, res, body) {
 assert.equal(body, 'hello, i know nodejitsu.');
 });
-};
\ No newline at end of file
+};
+
+helpers.requireResponse = function(url, headers, code) {
+ var vow = {
+ topic: function () {
+ var options = {
+ uri: 'http://localhost:9000' + url,
+ headers: headers,
+ };
+
+ request(options, this.callback);
+ }
+ };
+
+ vow['should respond with ' + code] = function (error, response, body) {
+ assert.equal(response.statusCode, code);
+ };
+
+ return vow;
+};
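Review bot: The vow built by `helpers.requireResponse` reads `response.statusCode` without looking at `error`, so a refused connection would most likely surface as a TypeError on an undefined response instead of the request error; `assert.ifError(error);` as the first line of the vow reports the real cause. The target is fixed as `'http://localhost:9000'` while callers pass their own port to `helpers.requireStart`, so a suite started on another port would not reach its own server; taking the port as a parameter or sharing one constant avoids that. `request` is not required anywhere in this hunk and is presumably imported earlier in test/helpers.js.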