diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go
index 30ce237..bf5708b 100644
--- a/cmd/rest-server/main.go
+++ b/cmd/rest-server/main.go
@@ -50,6 +50,7 @@ func init() {
 flags.BoolVar(&server.AppendOnly, "append-only", server.AppendOnly, "enable append only mode")
 flags.BoolVar(&server.PrivateRepos, "private-repos", server.PrivateRepos, "users can only access their private repo")
 flags.BoolVar(&server.Prometheus, "prometheus", server.Prometheus, "enable Prometheus metrics")
+ flags.BoolVar(&server.Prometheus, "prometheus-no-auth", server.PrometheusNoAuth, "disable auth for Prometheus /metrics endpoint")
 flags.BoolVarP(&showVersion, "version", "V", showVersion, "output version and exit")
 }
diff --git a/handlers.go b/handlers.go
index 4649ee8..5e1b9fc 100644
--- a/handlers.go
+++ b/handlers.go
@@ -14,20 +14,21 @@ import (
 // Server encapsulates the rest-server's settings and repo management logic
 type Server struct {
- Path string
- Listen string
- Log string
- CPUProfile string
- TLSKey string
- TLSCert string
- TLS bool
- NoAuth bool
- AppendOnly bool
- PrivateRepos bool
- Prometheus bool
- Debug bool
- MaxRepoSize int64
- PanicOnError bool
+ Path string
+ Listen string
+ Log string
+ CPUProfile string
+ TLSKey string
+ TLSCert string
+ TLS bool
+ NoAuth bool
+ AppendOnly bool
+ PrivateRepos bool
+ Prometheus bool
+ PrometheusNoAuth bool
+ Debug bool
+ MaxRepoSize int64
+ PanicOnError bool
 htpasswdFile *HtpasswdFile
 quotaManager *quota.Manager
diff --git a/mux.go b/mux.go
index 6474401..6ed3e08 100644
--- a/mux.go
+++ b/mux.go
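Review bot: In cmd/rest-server/main.go the new `prometheus-no-auth` flag is bound to `&server.Prometheus` instead of `&server.PrometheusNoAuth`, so `server.PrometheusNoAuth` is never set from the command line and the flag toggles the metrics endpoint itself. With the mux.go change in this commit, passing `--prometheus-no-auth` therefore turns `/metrics` on with authentication still required, and there is no way to reach the unauthenticated branch. The line should read `flags.BoolVar(&server.PrometheusNoAuth, "prometheus-no-auth", server.PrometheusNoAuth, "disable auth for Prometheus /metrics endpoint")`. A flag-parsing test that asserts on both fields would catch this kind of copy-paste slip. init's body starts outside the hunk.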
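Review bot: The new `PrometheusNoAuth` field in handlers.go switches off an authentication check, but nothing on the struct says so or states that it only matters together with `Prometheus`. I would add `// PrometheusNoAuth serves /metrics without authentication; it is only consulted when Prometheus is true.` above the field, which matches NewHandler in mux.go reading it only inside `if server.Prometheus`. The other changed lines in this hunk appear to be gofmt realignment of the existing fields.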
@@ -45,6 +45,16 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 return username, true
 }
+func (s *Server) wrapAuth(f http.HandlerFunc) http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ if _, ok := s.checkAuth(r); !ok {
+ httpDefaultError(w, http.StatusUnauthorized)
+ return
+ }
+ f(w, r)
+ }
+}
+
 // NewHandler returns the master HTTP multiplexer/router.
 func NewHandler(server *Server) (http.Handler, error) {
 if !server.NoAuth {
@@ -67,8 +77,11 @@ func NewHandler(server *Server) (http.Handler, error) {
 mux := http.NewServeMux()
 if server.Prometheus {
- // FIXME: need auth like in previous version?
- mux.Handle("/metrics", promhttp.Handler())
+ if server.PrometheusNoAuth {
+ mux.Handle("/metrics", promhttp.Handler())
+ } else {
+ mux.HandleFunc("/metrics", server.wrapAuth(promhttp.Handler().ServeHTTP))
+ }
 }
 mux.Handle("/", server)
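Review bot: wrapAuth in mux.go discards the username returned by checkAuth, so it enforces authentication only: every account checkAuth accepts can reach the wrapped handler, including when `PrivateRepos` is set. If the metrics carry per-user or per-repository detail, that may be wider than intended, so the contract should be stated in a doc comment such as `// wrapAuth runs f only for requests accepted by checkAuth; any authenticated user is allowed.` The rejection path depends on httpDefaultError, which is outside the hunk; if it does not set a `WWW-Authenticate` header, clients get no Basic challenge with the 401. checkAuth's body starts outside the hunk.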
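Review bot: The authenticated `/metrics` branch in NewHandler goes through checkAuth even when `server.NoAuth` is true, and the hunk does not show how checkAuth treats that case. NewHandler's earlier `if !server.NoAuth {` block suggests the credential store is only set up when auth is enabled, so confirm that checkAuth returns ok under `NoAuth` and does not reject every scrape or touch an unset `htpasswdFile`. There is also a behaviour change for existing deployments: the old side served `/metrics` without authentication, so scrapers without credentials will start receiving 401 unless `PrometheusNoAuth` is set, which is worth stating in the changelog. NewHandler starts and ends outside the hunk.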