diff --git a/group_vars/all/vault_aurweb.yml b/group_vars/all/vault_aurweb.yml
new file mode 100644
index 0000000000000000000000000000000000000000..be72b864a4cd2f3312b2af76bbfbdaa48d200c24
--- /dev/null
+++ b/group_vars/all/vault_aurweb.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38383639393932666334353834613134353965333939343530636234353536366138346137613636
+3439373136366635623339626236663338623237313135630a333939303839303738653835316430
+37363337386331323263623837373032646438326334623436313034353032386535656139353264
+3834613539356336310a383230373736346434656361333134353136366430393130396466643561
+61356162353661633736356431646538643138383766333763626335393135343363316166656461
+30663961336136356134333231316232653664343839616235396562376436363837356563616136
+656332343163376332636131333166623362
diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
index 1f6c6405311fb4f0278e08c679511acdb8c42831..c409dd2a3dd013e2d9a293b1300f3f3dfeecffd0 100644
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -138,13 +138,23 @@ server {
     }
 
     location / {
+{% block asgi_proxy  %}
         # Proxy over to aurweb's ASGI application.
         proxy_pass http://{{ aurweb_asgi_bind }};
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Ssl on;
+{% endblock %}
 
         limit_req zone=aurweblimit burst=10 nodelay;
     }
+
+    location = /metrics {
+        if ($http_authorization != "Bearer {{ vault_aurweb_metrics_token }}") {
+            return 403;
+        }
+
+{{ self.asgi_proxy() }}
+    }
 }
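Review bot: The metrics token is interpolated verbatim into the nginx string at `if ($http_authorization != "Bearer {{ vault_aurweb_metrics_token }}")`, so a token containing `"`, `$` or `\` would break the rendered config or change what is compared, because nginx expands `$name` inside quoted strings. The same value is rendered unquoted at `credentials: {{ vault_aurweb_metrics_token }}` in roles/prometheus/templates/prometheus.yml.j2, where an all-digit or indicator-leading token would be retyped or misparsed by YAML; `credentials: {{ vault_aurweb_metrics_token | to_json }}` would keep it a string. The vault value is encrypted, so its character set cannot be checked from this diff; a comment beside the `if` such as `# token must be [A-Za-z0-9] only: it is rendered verbatim into this string` would record the constraint. Both rendered files now hold the secret in clear text, so the template tasks (not shown here) presumably need a restrictive file mode. The enclosing `server` block starts outside the hunk.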
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index 9faf4c37a11e0199876f77406bbc9e64c22534a3..a0342b56b0a626cc9cb3424fecf8a00cecf5a336 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -134,6 +134,8 @@ scrape_configs:
 
   - job_name: aurweb
     scheme: https
+    authorization:
+      credentials: {{ vault_aurweb_metrics_token }}
     static_configs:
       - targets: ['aur.archlinux.org:443']