diff --git a/cmd/rio/main.go b/cmd/rio/main.go
index 8ebc604..3d4c707 100644
--- a/cmd/rio/main.go
+++ b/cmd/rio/main.go
@@ -147,6 +147,7 @@ func runServer(ctx *cli.Context) error {
 	defaultCsp := ctx.String("default-csp")
 	lokiUrl := ctx.String("loki-url")
 	metricsBotList := ctx.String("metrics-bot-list")
+	tokenFile := ctx.String("token-file")
 
 	// Init Logging
 	if ctx.Bool("debug") {
@@ -177,18 +178,28 @@ func runServer(ctx *cli.Context) error {
 		}
 	}
 
+	// If specified, read in an access token
+	token := ""
+	if tokenFile != "" {
+		t, err := readSecret(tokenFile)
+		if err != nil {
+			log.Warnf("Failed to read secret: %v", err)
+		}
+		token = t
+	}
+
 	// Setup the Gitea stuff
 	httpClient := http.Client{Timeout: 10 * time.Second}
 	giteaApiClient, err := gitea.NewClient(
 		giteaUrl,
 		gitea.SetHTTPClient(&httpClient),
-		gitea.SetToken(""),
+		gitea.SetToken(token),
 		gitea.SetUserAgent("rio"),
 	)
 	if err != nil {
 		return err
 	}
-	giteaClient := riogitea.NewGiteaClient(giteaUrl, giteaApiClient)
+	giteaClient := riogitea.NewGiteaClient(giteaUrl, token, giteaApiClient)
 
 	// Listen on the port
 	addr := ctx.String("listen-host") + ":" + ctx.String("listen-port")
@@ -414,6 +425,12 @@ func main() {
 				Value:   "",
 				EnvVars: []string{"METRICS_BOT_LIST"},
 			},
+			&cli.StringFlag{
+				Name:    "token-file",
+				Usage:   "File containing a access token. Required for serving private repositories",
+				Value:   "",
+				EnvVars: []string{"TOKEN_FILE"},
+			},
 		},
 	}
 
diff --git a/cmd/rio/utils.go b/cmd/rio/utils.go
new file mode 100644
index 0000000..ce6bdc5
--- /dev/null
+++ b/cmd/rio/utils.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"os"
+	"strings"
+)
+
+// Read a secret file and return its (cleaned) content.
+func readSecret(path string) (string, error) {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	return strings.Trim(string(content), "\n\r "), nil
+}
diff --git a/internal/gitea/client.go b/internal/gitea/client.go
index 89444b7..3f10bb3 100644
--- a/internal/gitea/client.go
+++ b/internal/gitea/client.go
@@ -38,6 +38,8 @@ type Repository struct {
 }
 
 type GiteaClient struct {
+	Token string
+
 	GetRepository GetRepositoryMethod
 	HasBranch     HasBranchMethod
 	HasUser       HasUserMethod
@@ -46,8 +48,9 @@ type GiteaClient struct {
 	LookupRepoTXT LookupRepoTXTMethod
 }
 
-func NewGiteaClient(giteaUrl string, giteaClient *gitea.Client) GiteaClient {
+func NewGiteaClient(giteaUrl string, token string, giteaClient *gitea.Client) GiteaClient {
 	return GiteaClient{
+		Token: token,
 		GetRepository: func(username, repositoryName string) (Repository, error) {
 			repo, _, err := giteaClient.GetRepo(username, repositoryName)
 			if err != nil {
@@ -91,6 +94,11 @@ func NewGiteaClient(giteaUrl string, giteaClient *gitea.Client) GiteaClient {
 			if since != nil {
 				sinceFormat := since.Format(time.RFC1123)
 				req.Header.Add("If-Modified-Since", sinceFormat)
+
+				// Add authentication, if we have a token
+				if token != "" {
+					req.Header.Add("Authorization", "token "+token)
+				}
 			}
 			resp, err := client.Do(req)
 			if err != nil {