diff --git a/cmd/build.go b/cmd/build.go
index 6a72544..0e243fc 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -254,7 +254,7 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, *leeway.FilesystemC
 	if ep, err := cmd.Flags().GetString("remote-report"); err != nil {
 		log.Fatal(err)
 	} else if ep != "" {
-		reporter = append(reporter, remotereporter.NewReporter(ep))
+		reporter = append(reporter, remotereporter.NewReporter(ep, os.Getenv("LEEWAY_REMOTE_REPORT_TOKEN")))
 	}
 
 	dontTest, err := cmd.Flags().GetBool("dont-test")
diff --git a/pkg/remotereporter/reporter.go b/pkg/remotereporter/reporter.go
index 85a1492..f0646bc 100644
--- a/pkg/remotereporter/reporter.go
+++ b/pkg/remotereporter/reporter.go
@@ -15,14 +15,21 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-func NewReporter(endpoint string) *Reporter {
+func NewReporter(endpoint, token string) *Reporter {
 	id, err := uuid.NewRandom()
 	if err != nil {
 		panic(fmt.Sprintf("cannot create remote reporting sesison UUID: %v.\nTry running without --remote-report", err))
 	}
 
 	httpclient := &http.Client{Timeout: 2 * time.Second}
-	client := v1connect.NewReporterServiceClient(httpclient, endpoint)
+	client := v1connect.NewReporterServiceClient(httpclient, endpoint, connect_go.WithInterceptors(connect_go.UnaryInterceptorFunc(func(uf connect_go.UnaryFunc) connect_go.UnaryFunc {
+		return func(ctx context.Context, req connect_go.AnyRequest) (connect_go.AnyResponse, error) {
+			if token != "" {
+				req.Header().Set("Authorization", token)
+			}
+			return uf(ctx, req)
+		}
+	})))
 	return &Reporter{
 		sessionID: id.String(),
 		times:     make(map[string]time.Time),
diff --git a/tracker/backend/ingestor/main.go b/tracker/backend/ingestor/main.go
index 97a5d11..65e3260 100644
--- a/tracker/backend/ingestor/main.go
+++ b/tracker/backend/ingestor/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"flag"
+	"fmt"
 	"log"
 	"net/http"
 	"os"
@@ -13,6 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/cloudwatch"
 	"github.com/awslabs/aws-lambda-go-api-proxy/httpadapter"
+	"github.com/bufbuild/connect-go"
 	grpcreflect "github.com/bufbuild/connect-grpcreflect-go"
 	segment "github.com/segmentio/analytics-go/v3"
 	"github.com/sirupsen/logrus"
@@ -64,7 +66,15 @@ func main() {
 	default:
 		logrus.Fatalf("unsupported --sample-sink: %s", *sink)
 	}
-	mux.Handle(v1connect.NewReporterServiceHandler(handler.NewBuildReportHandler(store)))
+	mux.Handle(v1connect.NewReporterServiceHandler(handler.NewBuildReportHandler(store), connect.WithInterceptors(connect.UnaryInterceptorFunc(func(uf connect.UnaryFunc) connect.UnaryFunc {
+		return func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+			tkn := req.Header().Get("Authorization")
+			if tkn == "" {
+				return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("no token present"))
+			}
+			return uf(ctx, req)
+		}
+	}))))
 
 	reflector := grpcreflect.NewStaticReflector(
 		v1connect.ReporterServiceName,