diff --git a/web/api/flukso/src/flukso.erl b/web/api/flukso/src/flukso.erl
index 701351b..10ffaf6 100644
--- a/web/api/flukso/src/flukso.erl
+++ b/web/api/flukso/src/flukso.erl
@@ -15,6 +15,9 @@ ensure_started(App) ->
 ok
 end.
+mysql_prepare() ->
+ mysql:prepare(permissions, <<"SELECT permissions FROM logger_tokens WHERE meter = ? AND token = ?">>).
+
 %% @spec start_link() -> {ok,Pid::pid()}
 %% @doc Starts the app for inclusion in a supervisor tree
 start_link() ->
@@ -22,6 +25,7 @@ start_link() ->
 ensure_started(crypto),
 ensure_started(erlrrd),
 ensure_started(mysql),
+ mysql_prepare(),
 ensure_started(webmachine),
 flukso_sup:start_link().
@@ -32,6 +36,7 @@ start() ->
 ensure_started(crypto),
 ensure_started(erlrrd),
 ensure_started(mysql),
+ mysql_prepare(),
 ensure_started(webmachine),
 application:start(flukso).
diff --git a/web/api/flukso/src/flukso_resource.erl b/web/api/flukso/src/flukso_resource.erl
index f4d5554..2d811b5 100644
--- a/web/api/flukso/src/flukso_resource.erl
+++ b/web/api/flukso/src/flukso_resource.erl
@@ -3,14 +3,15 @@
 %% @doc Flukso webmachine_resource.
 -module(flukso_resource).
--export([init/1, allowed_methods/2, malformed_request/2, content_types_provided/2, to_json/2]).
+-export([init/1, allowed_methods/2, malformed_request/2, is_authorized/2, content_types_provided/2, to_json/2]).
 -include_lib("webmachine/include/webmachine.hrl").
 -record(state, {rrdSensor,
 rrdTime,
- rrdFactor}).
+ rrdFactor,
+ token}).
 init([]) ->
 {ok, undefined}.
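Review bot: mysql_prepare/0 (first hunk of flukso.erl) is the only function in view without a `%% @spec`/`%% @doc` header, and both call sites added in the start_link/0 and start/0 hunks discard its result. If preparing the statement fails, nothing here reports it, and the failure would presumably only surface later, when flukso_resource:is_authorized/2 executes `permissions` on a request. Suggest documenting it with `%% @doc Registers the 'permissions' prepared statement that looks up a token's permissions for a meter.` and matching the call on whatever success value mysql:prepare/2 is documented to return, so that startup stops when the authorization query cannot be registered.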
@@ -22,15 +23,25 @@ malformed_request(ReqData, _) ->
 {RrdSensor, ValidSensor} = rrd_sensor(wrq:path_info(sensor, ReqData)),
 {RrdTime, ValidInterval} = rrd_time(wrq:get_qs_value("interval", ReqData)),
 {RrdFactor, ValidUnit} = rrd_factor(wrq:get_qs_value("unit", ReqData)),
+ {Token, ValidToken} = rrd_sensor(wrq:get_req_header("X-Token", ReqData)),
- State = #state{rrdSensor = RrdSensor, rrdTime = RrdTime, rrdFactor = RrdFactor},
+ State = #state{rrdSensor = RrdSensor, rrdTime = RrdTime, rrdFactor = RrdFactor, token = Token},
- {case {ValidSensor, ValidInterval, ValidUnit} of
- {true, true, true} -> false;
+ {case {ValidSensor, ValidInterval, ValidUnit, ValidToken} of
+ {true, true, true, true} -> false;
 _ -> true
 end,
 ReqData, State}.
+is_authorized(ReqData, #state{rrdSensor = RrdSensor, token = Token} = State) ->
+ {data, Result} = mysql:execute(pool, permissions, [RrdSensor, Token]),
+
+ {case mysql:get_result_rows(Result) of
+ [[62]] -> true;
+ _ -> "access refused"
+ end,
+ ReqData, State}.
+
 content_types_provided(ReqData, State) ->
 {[{"application/json", to_json}], ReqData, State}.
@@ -48,7 +59,7 @@ to_json(ReqData, #state{rrdSensor = RrdSensor, rrdTime = RrdTime, rrdFactor = Rr
 Final = lists:merge(Datapoints, Nans),
 {mochijson2:encode(Final), ReqData, State};
- {error, Reason} ->
+ {error, _Reason} ->
 {{halt, 404}, ReqData, State}
 end.
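Review bot: In is_authorized/2 the whole access decision rests on the bare literal in `[[62]] -> true;`, which matches only when exactly one row comes back and its permissions column equals 62. What 62 stands for is not visible in this diff, so a named, commented macro such as `-define(REQUIRED_PERMISSIONS, 62).` used as `[[?REQUIRED_PERMISSIONS]] -> true;` would make the rule reviewable. The refusal branch returns `"access refused"`, and webmachine sends any non-`true` result of is_authorized/2 as the WWW-Authenticate value of the 401, so a proper challenge string belongs there. `{data, Result} = mysql:execute(...)` crashes with badmatch on any other reply, which fails closed but deserves a one-line comment saying so. The X-Token header is validated with rrd_sensor/1 in malformed_request/2, whose head and the validator itself are outside the hunk, so a request without the header presumably gets 400 rather than 401, which is worth confirming.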