diff --git a/lib/puma/app/status.rb b/lib/puma/app/status.rb
index 83710af9..0206a513 100644
--- a/lib/puma/app/status.rb
+++ b/lib/puma/app/status.rb
@@ -4,9 +4,21 @@ module Puma
 def initialize(server, cli)
 @server = server
 @cli = cli
+ @auth_token = nil
+ end
+
+ attr_accessor :auth_token
+
+ def authenticate(env)
+ return true unless @auth_token
+ env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
 end
 
 def call(env)
+ unless authenticate(env)
+ return [403, {}, ["Invalid auth token"]]
+ end
+
 case env['PATH_INFO']
 when "/stop"
 @server.stop
diff --git a/test/test_app_status.rb b/test/test_app_status.rb
index cc06433d..092c7c98 100644
--- a/test/test_app_status.rb
+++ b/test/test_app_status.rb
@@ -24,6 +24,30 @@ class TestAppStatus < Test::Unit::TestCase
 def setup
 @server = FakeServer.new
 @app = Puma::App::Status.new(@server, @server)
+ @app.auth_token = nil
+ end
+
+ def test_bad_token
+ @app.auth_token = "abcdef"
+
+ env = { 'PATH_INFO' => "/whatever" }
+
+ status, header, body = @app.call env
+
+ assert_equal 403, status
+ end
+
+ def test_good_token
+ @app.auth_token = "abcdef"
+
+ env = {
+ 'PATH_INFO' => "/whatever",
+ 'QUERY_STRING' => "token=abcdef"
+ }
+
+ status, header, body = @app.call env
+
+ assert_equal 404, status
 end
 
 def test_unsupported
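Review bot: The query-string split in `authenticate` uses `/&;/`, which matches only the literal two-character sequence `&;` and not either separator on its own, so a request that carries the token next to any other parameter (`token=...&foo=bar`) is never split and is rejected with 403 even though the token is correct; the intended character class is `split(/[&;]/)`. The check itself is a plain string equality via `include?("token=#{@auth_token}")`, which leaks timing information about the shared secret; extracting the `token` value and comparing it with a constant-time routine (e.g. `Rack::Utils.secure_compare`, if Rack is available to this file) would be the safer form. The `return true unless @auth_token` guard makes the unconfigured state fail-open, which is a deliberate choice worth stating in a comment such as `# No token configured: the status endpoint is unauthenticated.` so it is not mistaken for a bug later. The body of `call` continues past the end of the hunk.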
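Review bot: `test_good_token` only exercises a query string whose sole parameter is the token, so it does not cover the separator handling in `authenticate`, where `split(/&;/)` does not split on a bare `&`; a second positive case with `'QUERY_STRING' => "token=abcdef&other=1"` asserting 404 would expose that. The `header` and `body` locals in both new tests are never read and could be written as `_header, _body` to make that explicit. `test_unsupported` continues outside the hunk.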