diff --git a/cmd/api.go b/cmd/api.go
index a612846..14ba555 100644
--- a/cmd/api.go
+++ b/cmd/api.go
@@ -4,6 +4,7 @@ Copyright © 2023 AGECEM & Victor Lacasse-Beaudoin
 package cmd
 
 import (
+	"crypto/subtle"
 	"fmt"
 	"log"
 
@@ -30,6 +31,13 @@ var apiCmd = &cobra.Command{
 
 		e.Pre(middleware.AddTrailingSlash())
 
+		if cfg.API.Key != "" {
+			e.Use(middleware.KeyAuth(func(key string, c echo.Context) (bool, error) {
+				return subtle.ConstantTimeCompare([]byte(key), []byte(cfg.API.Key)) == 1, nil
+			}))
+			log.Println("API server is using an API key")
+		}
+
 		v0 := e.Group("/v0")
 
 		bottinApiClient := bottindata.NewApiClient(cfg.Bottin.API.Key, cfg.Bottin.API.Host, cfg.Bottin.API.Protocol, cfg.Bottin.API.Port)
@@ -38,6 +46,7 @@ var apiCmd = &cobra.Command{
 		if err != nil {
 			log.Fatal(err)
 		}
+		defer dbClient.DB.Close()
 
 		handler := apihandler.New(bottinApiClient, dbClient)
 
diff --git a/cmd/web.go b/cmd/web.go
index 0706774..52d584f 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -4,6 +4,7 @@ Copyright © 2023 AGECEM & Victor Lacasse-Beaudoin
 package cmd
 
 import (
+	"crypto/subtle"
 	"fmt"
 	"log"
 	"net/http"
@@ -34,6 +35,12 @@ var webCmd = &cobra.Command{
 
 		e.Pre(middleware.AddTrailingSlash())
 
+		e.Use(middleware.BasicAuth(func(user, password string, c echo.Context) (bool, error) {
+			usersMatch := subtle.ConstantTimeCompare([]byte(user), []byte(cfg.Web.User)) == 1
+			passwordsMatch := subtle.ConstantTimeCompare([]byte(password), []byte(cfg.Web.Password)) == 1
+			return usersMatch && passwordsMatch, nil
+		}))
+
 		client := http.DefaultClient
 		defer client.CloseIdleConnections()
 
diff --git a/config/config.go b/config/config.go
index c1f239a..be43f13 100644
--- a/config/config.go
+++ b/config/config.go
@@ -46,7 +46,9 @@ type WebConfig struct {
 		Port     int
 		Protocol string
 	}
-	Port int
+	Password string
+	Port     int
+	User     string
 }
 
 func UnmarshalConfig() (cfg Config, err error) {
@@ -184,11 +186,23 @@ func RegisterFlags(cmd *cobra.Command) error {
 		return err
 	}
 
+	// web.password ; --web-password
+	if err := RegisterString(cmd, true,
+		"web.password", "web-password", "Webserver basic auth password", "bottinag"); err != nil {
+		return err
+	}
+
 	// web.port ; --web-port
 	cmd.PersistentFlags().Int("web-port", 3183, "Webserver port")
 	if err := viper.BindPFlag("web.port", cmd.PersistentFlags().Lookup("web-port")); err != nil {
 		return err
 	}
 
+	// web.user ; --web-user
+	if err := RegisterString(cmd, true,
+		"web.user", "web-user", "Webserver basic auth username", "bottinag"); err != nil {
+		return err
+	}
+
 	return nil
 }