diff --git a/README.md b/README.md
index da43f22..05a8fb3 100644
--- a/README.md
+++ b/README.md
@@ -99,15 +99,34 @@ fabric:
   endpoint: http://localhost:3000/api/events
   timeout: 2
   batching: false
+  auth_token: your-secret-token   # must match FABRIC_AUTH_TOKEN on the server
 ```
 
-Start FABRIC web server, then start NEEDLE workers — events flow automatically:
+Start FABRIC web server with an auth token, then start NEEDLE workers — events flow automatically:
 
 ```bash
-fabric web          # starts on http://localhost:3000
-needle run ...      # workers POST to /api/events
+FABRIC_AUTH_TOKEN=your-secret-token fabric web   # starts on http://localhost:3000
+needle run ...                                    # workers POST to /api/events with Bearer token
 ```
 
+#### Authentication
+
+All POST endpoints (`/api/events`, `/api/events/batch`) require a `Bearer` token when the server is started with an auth token:
+
+```bash
+# Start with auth token (env var or flag)
+FABRIC_AUTH_TOKEN=secret fabric web
+fabric web --auth-token secret
+
+# Manual POST (e.g. for testing)
+curl -X POST http://localhost:3000/api/events \
+  -H 'Authorization: Bearer secret' \
+  -H 'Content-Type: application/json' \
+  -d '{"ts":"2026-04-23T00:00:00Z","event":"worker.started","worker":"w-test"}'
+```
+
+If no auth token is configured, all POST requests are accepted without authentication (suitable for local-only use).
+
 ### Option 2: OTLP (recommended for multi-host or production)
 
 NEEDLE ships with an `otlp` feature (enabled by default in `Cargo.toml`) that exports telemetry over the standard OpenTelemetry OTLP protocol. No rebuild or extra flags are needed — just set two environment variables before launching workers:
diff --git a/scripts/fabric-web.sh b/scripts/fabric-web.sh
index 16418d9..151262d 100755
--- a/scripts/fabric-web.sh
+++ b/scripts/fabric-web.sh
@@ -32,8 +32,13 @@ start() {
     mkdir -p "$HOME/.fabric/logs"
 
     # Start tmux session with FABRIC web server
+    AUTH_ARGS=""
+    if [ -n "${FABRIC_AUTH_TOKEN:-}" ]; then
+        AUTH_ARGS="--auth-token $FABRIC_AUTH_TOKEN"
+    fi
+
     tmux new-session -d -s "$SESSION_NAME" -c "$FABRIC_DIR" \
-        "node dist/cli.js web -p $PORT --source $LOG_SOURCE 2>&1 | tee -a $HOME/.fabric/logs/web.log"
+        "node dist/cli.js web -p $PORT --source $LOG_SOURCE $AUTH_ARGS 2>&1 | tee -a $HOME/.fabric/logs/web.log"
 
     # Save PID for reference
     tmux list-panes -t "$SESSION_NAME" -F '#{pane_pid}' > "$PID_FILE" 2>/dev/null || true
@@ -123,6 +128,7 @@ case "${1:-}" in
         echo "Environment variables:"
         echo "  FABRIC_PORT       - Port to listen on (default: 3000)"
         echo "  FABRIC_LOG_SOURCE - Log directory to watch (default: ~/.needle/logs)"
+        echo "  FABRIC_AUTH_TOKEN - Bearer token required on POST endpoints (optional)"
         exit 1
         ;;
 esac