diff --git a/scripts/test.sh b/scripts/test.sh
index b31ea71..0544aa6 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -8,5 +8,5 @@ podman run \
 -it \
 -v .:"$wd" \
 registry.opensuse.org/home/crameleon/containers/containers/crameleon/pytest-nftables:latest \
- env PYTHONPATH="$wd" pytest --pdb --pdbcls=IPython.terminal.debugger:Pdb -rA -s -v -x "$wd"/tests
+ env NFT-API-CONFIG="$wd"/tests/config.yaml PYTHONPATH="$wd" pytest --pdb --pdbcls=IPython.terminal.debugger:Pdb -rA -s -v -x "$wd"/tests
diff --git a/tests/config.yaml b/tests/config.yaml
new file mode 100644
index 0000000..55a95ae
--- /dev/null
+++ b/tests/config.yaml
@@ -0,0 +1,12 @@
+nft-api:
+ tokens:
+ $2y$05$1g7dRvcw2Jkml7WHIWa1Q.O9qg5shbHA8VHxZhwkmCTVmnkl4GDjW: # == ICanOnlyGet
+ /set/inet/filter/testset4:
+ - GET
+ $2y$05$7e4Slhr6/SWvaQXGRQywdua0jpm6HxOCiC8tYowpR2ioW2.ZKFdHe: # == foo
+ /set/inet/filter/testset4:
+ - GET
+ - POST
+ /set/inet/filter/testset6:
+ - GET
+ - POST
diff --git a/tests/test_api_set.py b/tests/test_api_set.py
index da294fd..f9daa3b 100644
--- a/tests/test_api_set.py
+++ b/tests/test_api_set.py
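Review bot: The variable name `NFT-API-CONFIG` on the added `env` line contains hyphens, which a POSIX shell cannot assign or `export`, so the setting can only be passed through `env` or a launcher that accepts arbitrary names. The code that reads this variable is not visible in this diff; if it can be changed, an underscore form such as `env NFT_API_CONFIG="$wd"/tests/config.yaml PYTHONPATH="$wd" pytest …` would be easier to set consistently. Since the variable selects the file holding the token hashes, an easy-to-set name lowers the chance of a run silently using a different config.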
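Review bot: The new fixture in `tests/config.yaml` has no marker that it is test-only, although the plaintext of both tokens is given in the trailing comments and both hashes use bcrypt cost 05. A header comment above `nft-api:` would keep it from being copied as a deployment template, for example `# Test fixture only: token plaintexts are in the comments and the bcrypt cost is kept low for speed; never reuse in a deployment.`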
@@ -10,22 +10,60 @@ You may obtain copies of the Licence in any of the official languages at https:/
 from json import dumps, loads
-from falcon import HTTP_CREATED, HTTP_OK
+from falcon import HTTP_CREATED, HTTP_OK, HTTP_UNAUTHORIZED
 from pytest import mark
 vs = [4, 6]
+
+
+def test_get_set_unauthorized_no_token(client):
+ response = client.simulate_get('/set/inet/filter/testset4')
+ have_out = loads(response.content)
+ assert response.status == HTTP_UNAUTHORIZED
+ assert 'title' in have_out
+ assert have_out['title'] == 'Authentication required'
+
+
+def test_get_set_unauthorized_wrong_token(client):
+ response = client.simulate_get(
+ '/set/inet/filter/testset4',
+ headers={'X-NFT-API-Token': 'pwned'},
+ )
+ have_out = loads(response.content)
+ assert response.status == HTTP_UNAUTHORIZED
+ assert 'title' in have_out
+ assert have_out['title'] == 'Unauthorized'
+
+
+def test_post_set_unauthorized_wrong_token_for_method(client):
+ response = client.simulate_post(
+ '/set/inet/filter/testset4',
+ headers={
+ 'content-type': 'application/json',
+ 'X-NFT-API-Token': 'ICanOnlyGet',
+ },
+ )
+ have_out = loads(response.content)
+ assert response.status == HTTP_UNAUTHORIZED
+ assert 'title' in have_out
+ assert have_out['title'] == 'Unauthorized method for path'
+
+
 @mark.parametrize('v', vs)
 def test_get_set(client, nft_ruleset_populated_sets, v): # noqa ARG001, nft is not needed here
 want_out = {
 4: ["192.168.0.0/24", "127.0.0.1"],
 6: ["fd80::/64", "fe80::1"],
 }
- response = client.simulate_get(f'/set/inet/filter/testset{v}')
+ response = client.simulate_get(
+ f'/set/inet/filter/testset{v}',
+ headers={'X-NFT-API-Token': 'foo'},
+ )
 have_out = loads(response.content)
 assert sorted(have_out) == sorted(want_out[v])
 assert response.status == HTTP_OK
+
 @mark.parametrize('v', vs)
 @mark.parametrize('plvariant', ['address', 'network'])
 @mark.parametrize('plformat', ['string', 'list'])
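Review bot: The added negative tests cover a missing token, an unknown token and a wrong method, but none checks path scoping. `tests/config.yaml` grants `ICanOnlyGet` only `/set/inet/filter/testset4`, and no test requests `testset6` with that token, so a regression that authorizes a token for every path would pass unnoticed. A test like the one below would pin this; the error title for that case is not visible in this diff, so only the status is asserted. The hunk ends inside the decorator list of the following test, whose body lies outside it.

```python
def test_get_set_unauthorized_wrong_token_for_path(client):
    # ICanOnlyGet is only granted testset4 in tests/config.yaml.
    response = client.simulate_get(
        '/set/inet/filter/testset6',
        headers={'X-NFT-API-Token': 'ICanOnlyGet'},
    )
    assert response.status == HTTP_UNAUTHORIZED
```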
@@ -65,6 +103,7 @@ def test_append_to_set(client, nft_ruleset_populated_sets, v, plvariant, plforma
 }),
 headers={
 'content-type': 'application/json',
+ 'X-NFT-API-Token': 'foo',
 },
 )
 have_out = loads(response.content)
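Review bot: The token literal `'foo'` is now hard-coded here and in `test_get_set` in the first hunk, so any change to the tokens in `tests/config.yaml` has to be chased through every request. A module-level constant next to `vs`, e.g. `TOKEN_RW = 'foo'`, used as `'X-NFT-API-Token': TOKEN_RW,` would keep the fixture and the tests in step. The body of `test_append_to_set` starts and ends outside this hunk.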