diff --git a/.env.sample b/.env.sample
index 06dd4f0..ebcd461 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,3 +6,17 @@ DOMAIN=netdata.example.com
 #EXTRA_DOMAINS=', `www.netdata.example.com`'
 
 LETS_ENCRYPT_ENV=production
+
+# This is here so later lines can extend it; you likely don't wanna edit
+COMPOSE_FILE="compose.yml"
+
+#####################################################################
+# General settings                                                  #
+#####################################################################
+
+## Authentication
+# Password Sign-On using traefik http password
+# Use htpasswd to generate the passwords for the user list, then set the below variable to
+# something like 'username:$$passwordhash', comma separated for multiple users. 
+#HTTP_BASIC_AUTH_PASSWORDS=
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
diff --git a/README.md b/README.md
index 927ab7b..13f48e4 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,6 @@
 
 > System monitoring and observability (alternative to Prometheus & Grafana)
 
-TODO: authentication, see https://learn.netdata.cloud/docs/netdata-agent/securing-netdata-agents/
-
 <!-- metadata -->
 
 * **Category**: Apps
@@ -21,6 +19,7 @@ TODO: authentication, see https://learn.netdata.cloud/docs/netdata-agent/securin
 
 * `abra app new netdata --secrets`
 * `abra app config <app-name>`
+* You probably want authentication, see the .env file for instructions.
 * `abra app deploy <app-name>`
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
diff --git a/compose.basicauth.yml b/compose.basicauth.yml
new file mode 100644
index 0000000..30937a7
--- /dev/null
+++ b/compose.basicauth.yml
@@ -0,0 +1,10 @@
+---
+version: "3.8"
+services:
+  app:
+    environment:
+      - HTTP_BASIC_AUTH_PASSWORDS
+    deploy:
+      labels:
+        - "traefik.http.middlewares.${STACK_NAME}_basicauth.basicauth.users=${HTTP_BASIC_AUTH_PASSWORDS}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}_basicauth"