diff --git a/config.go b/config.go
index 7f9032e..3108a24 100644
--- a/config.go
+++ b/config.go
@@ -9,6 +9,8 @@ import (
 type config struct {
 	HTTPAddress string
 	LogLevel    string
+	User        string
+	Password    string
 	ntfy        ntfyConfig
 }
 
@@ -43,6 +45,20 @@ func readConfig(path string) (*config, error) {
 		}
 	}
 
+	d = cfg.Get("user")
+	if d != nil {
+		if err := d.ParseParams(&config.User); err != nil {
+			return nil, err
+		}
+	}
+
+	d = cfg.Get("password")
+	if d != nil {
+		if err := d.ParseParams(&config.Password); err != nil {
+			return nil, err
+		}
+	}
+
 	ntfyDir := cfg.Get("ntfy")
 	if ntfyDir == nil {
 		return nil, fmt.Errorf("%q directive missing", "ntfy")
diff --git a/main.go b/main.go
index 2810ef2..e0094de 100644
--- a/main.go
+++ b/main.go
@@ -34,6 +34,19 @@ type alert struct {
 }
 
 func (rcv *receiver) handleWebhooks(w http.ResponseWriter, r *http.Request) {
+	if rcv.cfg.User != "" && rcv.cfg.Password != "" {
+		user, pass, ok := r.BasicAuth()
+		if !ok {
+			rcv.logger.Error("basic auth failure")
+			return
+		}
+
+		if user != rcv.cfg.User || pass != rcv.cfg.Password {
+			rcv.logger.Info("basic auth: wrong user or password")
+			return
+		}
+	}
+
 	defer r.Body.Close()
 
 	if r.Method != http.MethodPost {