diff --git a/config/config.go b/config/config.go
index 269d51a..9290a5b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -110,8 +110,9 @@ type TLSConfig struct {
 }
 
 type PluginConfig struct {
-	Addr string     `json:"addr"`
-	TLS  *TLSConfig `json:"tls"`
+	Addr  string     `json:"addr"`
+	TLS   *TLSConfig `yaml:",omitempty" json:"tls,omitempty"`
+	Token string     `yaml:",omitempty" json:"token,omitempty"`
 }
 
 type AutherConfig struct {
diff --git a/config/parsing/parse.go b/config/parsing/parse.go
index a4a628d..11b834c 100644
--- a/config/parsing/parse.go
+++ b/config/parsing/parse.go
@@ -1,6 +1,7 @@
 package parsing
 
 import (
+	"context"
 	"crypto/tls"
 	"net"
 	"net/url"
@@ -691,5 +692,22 @@ func newPluginConn(cfg *config.PluginConfig) (*grpc.ClientConn, error) {
 	} else {
 		grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	}
+	if cfg.Token != "" {
+		grpcOpts = append(grpcOpts, grpc.WithPerRPCCredentials(&rpcCredentials{token: cfg.Token}))
+	}
 	return grpc.Dial(cfg.Addr, grpcOpts...)
 }
+
+type rpcCredentials struct {
+	token string
+}
+
+func (c *rpcCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
+	return map[string]string{
+		"token": c.token,
+	}, nil
+}
+
+func (c *rpcCredentials) RequireTransportSecurity() bool {
+	return false
+}