diff --git a/app/controllers/api_engine/application_controller.rb b/app/controllers/api_engine/application_controller.rb
index df45177..1bb37e9 100644
--- a/app/controllers/api_engine/application_controller.rb
+++ b/app/controllers/api_engine/application_controller.rb
@@ -1,5 +1,7 @@
 module ApiEngine
 class ApplicationController < ActionController::Base
+ before_filter: restrict_access
+
 def index
 @models = model_class.all
 render json: @models, root: plural_model
@@ -61,6 +63,12 @@ def bulk_destroy
 private
+ def restrict_access
+ authenticate_or_request_with_http_token do |token, options|
+ ApiKey.exists?(access_token: token)
+ end
+ end
+
 def model_class
 params[:model_name].classify.constantize
 end
diff --git a/app/models/api_engine/api_keys.rb b/app/models/api_engine/api_keys.rb
new file mode 100644
index 0000000..02920d4
--- /dev/null
+++ b/app/models/api_engine/api_keys.rb
@@ -0,0 +1,5 @@
+module ApiEngine
+ class ApiKeys < ActiveRecord::Base
+ attr_accessible :access_token
+ end
+end
diff --git a/db/migrate/20130421213945_create_api_engine_api_keys.rb b/db/migrate/20130421213945_create_api_engine_api_keys.rb
new file mode 100644
index 0000000..ee3156f
--- /dev/null
+++ b/db/migrate/20130421213945_create_api_engine_api_keys.rb
@@ -0,0 +1,9 @@
+class CreateApiEngineApiKeys < ActiveRecord::Migration
+ def change
+ create_table :api_engine_api_keys do |t|
+ t.string :access_token
+
+ t.timestamps
+ end
+ end
+end
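Review bot: In the first hunk of app/controllers/api_engine/application_controller.rb, `before_filter: restrict_access` has the colon on the wrong side, so the line reads as a hash-style label instead of a call that registers the filter by name; it should be `before_filter :restrict_access`. As written the class body is not expected to parse, so the authentication this commit introduces never takes effect in a working controller. Because this filter is the only access control visible in front of `index` and `bulk_destroy`, a request spec asserting a 401 when no token is sent would be worth adding alongside the fix.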
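Review bot: `restrict_access` in the second controller hunk looks up `ApiKey`, but the model added by this commit is `ApiEngine::ApiKeys` in api_keys.rb, so unless an `ApiKey` class exists outside this diff the block raises NameError on every request instead of authenticating. Renaming the model to `class ApiKey < ActiveRecord::Base` in `app/models/api_engine/api_key.rb` follows the Rails singular convention and, assuming the engine applies its `api_engine_` table prefix, still maps to the migrated table. The unused block argument could be written `_options`, and a one-line comment such as `# Rejects the request with 401 unless the Authorization token matches a stored key` would document the method.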
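Review bot: `attr_accessible :access_token` in app/models/api_engine/api_keys.rb makes the token mass-assignable while nothing in the model generates it, so whoever creates a key chooses its value and a blank or repeated token would be accepted. Generating it server-side, for example `before_create { self.access_token = SecureRandom.hex(32) }`, together with `validates :access_token, uniqueness: true`, removes that gap. The attribute can then be dropped from the mass-assignment whitelist.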
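Review bot: `t.string :access_token` in the migration is created without a NOT NULL constraint or an index, although `restrict_access` queries this column on every request. Suggest `t.string :access_token, null: false` plus `add_index :api_engine_api_keys, :access_token, unique: true`, so duplicates are rejected by the database and the lookup does not scan the table. The column also holds the token in clear text; storing only a digest and looking up by that digest would limit exposure if the table is ever disclosed, which may be worth a follow-up change.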