diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index 3040abe..9ad53c4 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -317,6 +317,10 @@ class PingView(views.APIView):
 class DoorViewSet(viewsets.ViewSet, List):
     def list(self, request):
+        auth_token = request.META.get('HTTP_AUTHORIZATION', '')
+        if auth_token != secrets.DOOR_API_TOKEN:
+            raise exceptions.PermissionDenied()
+
         cards = models.Card.objects.filter(active_status='card_active')
         active_member_cards = {}
diff --git a/apiserver/apiserver/secrets.py.example b/apiserver/apiserver/secrets.py.example
index 836b9c6..88c959f 100644
--- a/apiserver/apiserver/secrets.py.example
+++ b/apiserver/apiserver/secrets.py.example
@@ -27,6 +27,12 @@ LDAP_API_URL = ''
 # spaceport/ldapserver/secrets.py
 LDAP_API_KEY = ''
+# Door cards API token
+# Set this to random characters
+# For example, use the output of this:
+# head /dev/urandom | base32 | head -c 40
+DOOR_API_TOKEN = ''
+
 # Backup API tokens
 # These tokens allow each user to download a backup of member data.
 # Don't mess up the data structure!
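Review bot: The new guard at the top of `DoorViewSet.list` fails open when `DOOR_API_TOKEN` is left at the `''` default that the `secrets.py.example` in this same diff ships, because `request.META.get('HTTP_AUTHORIZATION', '')` also yields `''` for a request with no Authorization header and `'' != ''` is False, so an unconfigured deployment grants the card list to anyone. The comparison is also a plain `!=`, which stops at the first differing character and so leaks timing information about the token; `hmac.compare_digest` is the usual fix (the `secrets` name used here appears to be the project's own settings module, since `DOOR_API_TOKEN` is read from it, so `secrets.compare_digest` would not resolve to the stdlib function). I would replace the condition with `if not secrets.DOOR_API_TOKEN or not hmac.compare_digest(auth_token.encode(), secrets.DOOR_API_TOKEN.encode()):` and add `import hmac` at the top of views.py if it is not already there; encoding to bytes avoids the `TypeError` that `compare_digest` raises on non-ASCII str input. A DRF permission or authentication class would keep this check out of the view body and apply it to any further actions on the viewset, but that is a larger change than this hunk. The body of `list` continues past the end of the hunk.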
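Review bot: The `''` default for `DOOR_API_TOKEN` disables the door-endpoint check rather than locking it down: the guard added in views.py in this diff compares the raw Authorization header against this value, and a missing header also reads as `''`, so a deployment that copies this example without editing it accepts every client. The comment should say so instead of only `Set this to random characters`; I would write `# Required before deploying: the door endpoint compares the Authorization header against this value, and an empty token matches an empty header, so leaving it blank lets every client through.` Since the value is consumed by a Python process, `python3 -c 'import secrets; print(secrets.token_urlsafe(32))'` is a portable alternative to the `head /dev/urandom | base32 | head -c 40` recipe, which depends on coreutils `base32` being installed. The rest of the example file's settings lie outside this hunk.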