diff --git a/mqtt/pom.xml b/mqtt/pom.xml
index 3e79d2e..e08a76a 100644
--- a/mqtt/pom.xml
+++ b/mqtt/pom.xml
@@ -85,6 +85,12 @@
+ + org.seedstack.seed + seed-web-security + ${seed.version} + test + org.seedstack.seed seed-testing
diff --git a/mqtt/src/main/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResource.java b/mqtt/src/main/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResource.java
index 6136e4b..ef9386a 100644
--- a/mqtt/src/main/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResource.java
+++ b/mqtt/src/main/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResource.java
@@ -16,6 +16,7 @@
 import org.seedstack.mqtt.spi.MqttInfo;
 import org.seedstack.mqtt.spi.MqttPoolConfiguration;
 import org.seedstack.seed.rest.Rel;
+import org.seedstack.seed.security.RequiresPermissions;
 import javax.inject.Inject;
 import javax.ws.rs.GET;
@@ -48,6 +49,7 @@ public class ClientResource {
 @GET
 @Rel(value = Rels.CLIENTS, home = true)
 @Produces({MediaType.APPLICATION_JSON, "application/hal+json"})
+ @RequiresPermissions("seed:monitoring:mqtt:read")
 public Response getClients() {
 if (mqttInfo.getClientNames() != null && !mqttInfo.getClientNames().isEmpty()) {
 return clientListRepresentation();
@@ -59,6 +61,7 @@ public Response getClients() {
 @Path("/{clientId}")
 @Rel(value = Rels.CLIENT)
 @Produces({MediaType.APPLICATION_JSON, "application/hal+json"})
+ @RequiresPermissions("seed:monitoring:mqtt:read")
 public Response getClient() {
 boolean clientExists = clientExists(clientId);
 if (clientExists) {
diff --git a/mqtt/src/main/resources/META-INF/configuration/mqtt-monitoring-security.props b/mqtt/src/main/resources/META-INF/configuration/mqtt-monitoring-security.props
new file mode 100644
index 0000000..c3eda33
--- /dev/null
+++ b/mqtt/src/main/resources/META-INF/configuration/mqtt-monitoring-security.props
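Review bot: `@RequiresPermissions("seed:monitoring:mqtt:read")` on `getClients()` (and the identical annotation on `getClient()` in the following hunk) only protects these endpoints if the hosting application actually runs a SeedStack security module. The pom hunk appears to add `seed-web-security` with `test` scope, and the `authcBasic` URL rule lives only in the test `mqtt.props`, so whether the check is enforced in a production deployment is not visible from this diff and should be confirmed. A class-level Javadoc stating that both resources require the `seed:monitoring:mqtt:read` permission and an active security configuration would make that dependency explicit to integrators. The permission literal is also repeated; a shared constant such as `static final String READ_PERMISSION = "seed:monitoring:mqtt:read";` referenced from both annotations keeps the two strings from drifting apart. Both method bodies continue outside their hunks.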
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2013-2016, The SeedStack authors
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+[org.seedstack.seed.security.permissions]
+seed-monitoring-mqtt.reader = seed:monitoring:mqtt:read
diff --git a/mqtt/src/test/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResourceTest.java b/mqtt/src/test/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResourceTest.java
index 23b82c9..5265dd9 100644
--- a/mqtt/src/test/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResourceTest.java
+++ b/mqtt/src/test/java/org/seedstack/monitoring/mqtt/internal/rest/clients/ClientResourceTest.java
@@ -27,6 +27,10 @@ public class ClientResourceTest extends AbstractSeedWebIT {
+ private static final String LOGIN = "reader";
+
+ private static final String PASSWORD = "password";
+
 @ArquillianResource
 private URL baseURL;
@@ -48,7 +52,7 @@ public static WebArchive createDeployment() {
 @RunAsClient
 @Test
 public void testGetClients() {
- Response response = expect().statusCode(200).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients");
+ Response response = expect().statusCode(200).given().auth().basic(LOGIN, PASSWORD).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients");
 int resultSize = from(response.asString()).get("resultSize");
 assertThat(resultSize).isEqualTo(1);
 }
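Review bot: No test asserts that a request without credentials is rejected: `testGetClients()` here, and `testGetClient()` and `testGetClientNotFound()` in the next two hunks, only add `auth().basic(LOGIN, PASSWORD)` to the existing happy-path calls. A negative case in its own test method, for example `expect().statusCode(401).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients");`, would catch a regression where the annotation or the URL filter is dropped. The exact status code depends on the configured filter, so check it against the test setup before pinning it.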
@@ -56,7 +60,7 @@ public void testGetClients() {
 @RunAsClient
 @Test
 public void testGetClient() {
- Response response = expect().statusCode(200).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients/client_test");
+ Response response = expect().statusCode(200).given().auth().basic(LOGIN, PASSWORD).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients/client_test");
 String clientId = from(response.asString()).get("clientId");
 assertThat(clientId).isEqualTo("client_test");
 }
@@ -64,6 +68,6 @@ public void testGetClient() {
 @RunAsClient
 @Test
 public void testGetClientNotFound() {
- expect().statusCode(404).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients/client_fake");
+ expect().statusCode(404).given().auth().basic(LOGIN, PASSWORD).when().get(baseURL.toString() + "seed-monitoring/mqtt/clients/client_fake");
 }
 }
diff --git a/mqtt/src/test/resources/META-INF/configuration/mqtt.props b/mqtt/src/test/resources/META-INF/configuration/mqtt.props
index 20d3727..789ed6e 100644
--- a/mqtt/src/test/resources/META-INF/configuration/mqtt.props
+++ b/mqtt/src/test/resources/META-INF/configuration/mqtt.props
@@ -6,6 +6,21 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
+[org.seedstack.seed.security.urls]
+/** = authcBasic
+
+[org.seedstack.seed.security]
+realms = ConfigurationRealm
+
+ConfigurationRealm.role-mapping = ConfigurationRoleMapping
+ConfigurationRealm.role-permission-resolver = ConfigurationRolePermissionResolver
+
+[org.seedstack.seed.security.users]
+reader = password
+
+[org.seedstack.seed.security.roles]
+seed-monitoring-mqtt.reader = *
+
 [org.seedstack.mqtt]
 clients = client_test
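Review bot: The test realm in the `mqtt.props` hunk defines a single user, `reader = password`, and `seed-monitoring-mqtt.reader = *` appears to grant the reader role to every authenticated subject, so this configuration cannot exercise an authenticated user who lacks `seed:monitoring:mqtt:read`. Adding a second user and mapping the role explicitly instead of with `*` would let the integration test assert that such a user is refused. A short comment such as `# test-only credentials, never reuse outside the test classpath` above `[org.seedstack.seed.security.users]` would also make the scope of the plaintext password clear.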