diff --git a/admission.py b/admission.py
index 0658a85..002b85a 100644
--- a/admission.py
+++ b/admission.py
@@ -45,7 +45,7 @@ def webhook_offline() -> None:
 requests.post(config.WEBHOOK_URL, timeout=10, json=data, headers=config.WEBHOOK_HEADERS)
-def check_authorized(host, app, stream, source) -> bool:
+def check_authorized(host, app, stream, source, access_key) -> bool:
 # Are we globally disabled?
 if config.DISABLED:
 return False
@@ -57,7 +57,10 @@ def check_authorized(host, app, stream, source) -> bool:
 if f"default:{app}:{stream}" in config.DISABLED_KEYS:
 return False
 # Finally check the provided vhost app/stream
- return f"{host}:{app}:{stream}" not in config.DISABLED_KEYS
+ if f"{host}:{app}:{stream}" in config.DISABLED_KEYS:
+ return False
+ # Check for an access key requirement
+ return not (config.ACCESS_KEY and access_key != config.ACCESS_KEY)
 @cherrypy.tools.register("on_end_request")
@@ -124,6 +127,16 @@ class Admission:
 _, _, host, app, path = input_json["request"]["url"].split("/")[:5]
 stream = path.split("?")[0]
+ # Tokenize out URL GET parameters
+ params = {}
+ if "?" in path:
+ for pair in path.split("?")[1].split("&"):
+ if "=" in pair:
+ k, v = pair.split("=", 1)
+ params[k] = v
+ else:
+ params[pair] = None
+
 # Populate variables for our on_end_request tool into request object
 cherrypy.request.update_stream = ("default", app, stream)
@@ -136,7 +149,7 @@ class Admission:
 ip = input_json["client"]["real_ip"]
 # Check if stream is authorized
- if not check_authorized(host, app, stream, ip):
+ if not check_authorized(host, app, stream, ip, params.get("access_key")):
 cherrypy.log(f"Unauthorized stream key: {app}/{stream}")
 return {"allowed": False}
diff --git a/config.py b/config.py
index 0f423f3..084e677 100644
--- a/config.py
+++ b/config.py
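Review bot: In `check_authorized` (admission.py, hunk at new line 57) the new final line compares the shared secret with `!=`, which stops at the first differing character and so is not a constant-time comparison. Prefer `hmac.compare_digest`, for example `return not config.ACCESS_KEY or hmac.compare_digest((access_key or "").encode(), config.ACCESS_KEY.encode())`, which also copes with the `None` that `params.get("access_key")` passes in when the parameter is absent. This needs `import hmac` at the top of the file. The function body starts outside this hunk.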
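Review bot: The hand-rolled query tokenizer added in `Admission` (admission.py, hunk at new line 127) never percent-decodes names or values, and it reads `path`, which the context line above has already cut with `.split("/")[:5]`. A key containing `/` is therefore truncated, and a key sent percent-encoded never equals `config.ACCESS_KEY`; both cases fail closed, but legitimate publishers are rejected for reasons that are hard to diagnose. Consider the standard library instead: `query = urllib.parse.urlsplit(input_json["request"]["url"]).query` followed by `params = {k: v[-1] for k, v in urllib.parse.parse_qs(query, keep_blank_values=True).items()}`. Document that `parse_qs` turns `+` into a space, so keys should avoid that character or be sent encoded. The enclosing method starts and ends outside the hunk.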
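Review bot: The rejection log in the last admission.py hunk (new line 149) still reads `Unauthorized stream key: {app}/{stream}` and leaves out the client address, so after this change a wrong or missing `access_key` looks the same as a disabled stream, and repeated guesses from one source are hard to spot in the log. Consider `cherrypy.log(f"Unauthorized stream: {app}/{stream} from {ip}")`, keeping the submitted key itself out of the message. As far as the hunk shows, `ip` is already in scope at that point; the enclosing method starts and ends outside the hunk.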
@@ -7,6 +7,8 @@ from pathlib import Path
 API_USER = os.getenv("OVENMONITOR_API_USER", "")
 API_PASS = os.getenv("OVENMONITOR_API_PASSWORD", "")
+ACCESS_KEY = os.getenv("OVENMONITOR_ACCESS_KEY", "")
+
 WEBHOOK_URL = os.getenv("OVENMONITOR_WEBHOOK_URL", "")
 WEBHOOK_ONLINE = os.getenv("OVENMONITOR_WEBHOOK_ONLINE", "")
 WEBHOOK_OFFLINE = os.getenv("OVENMONITOR_WEBHOOK_OFFLINE", "")
diff --git a/example/ome_access_control.conf b/example/ome_access_control.conf
new file mode 100644
index 0000000..67b63f7
--- /dev/null
+++ b/example/ome_access_control.conf
@@ -0,0 +1,6 @@
+[Service]
+# This is an access key you wish to require in all inbound streams. This must
+# be provided as a GET parameter "access_key". For example:
+# rtmp://example.org/app/stream?access_key=loginkeyhere
+Environment="OVENMONITOR_ACCESS_KEY=loginkeyhere"
+
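Review bot: The example in example/ome_access_control.conf stores the key in an `Environment=` line, which makes the drop-in file itself a secret, and systemd exposes `Environment=` values to unprivileged local users through `systemctl show`. Suggest showing a protected file instead, for example `EnvironmentFile=/etc/ovenmonitor/access_key.env` (constructed path) owned by root with mode 0600. It would also help to add a comment such as `# The key is sent in the stream URL, so it can appear in encoder settings and in server or proxy logs; rotate it if a URL is shared.`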