diff --git a/src/allmydata/scripts/magic_folder_cli.py b/src/allmydata/scripts/magic_folder_cli.py
index 4c9a469be..dc26a36b4 100644
--- a/src/allmydata/scripts/magic_folder_cli.py
+++ b/src/allmydata/scripts/magic_folder_cli.py
@@ -217,7 +217,7 @@ class StatusOptions(BasedirOptions):
             self['node-url'] = f.read().strip()
 
 
-def _get_json_for_fragment(options, fragment):
+def _get_json_for_fragment(options, fragment, method='GET'):
     nodeurl = options['node-url']
     if nodeurl.endswith('/'):
         nodeurl = nodeurl[:-1]
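Review bot: The new `method='GET'` keyword on `_get_json_for_fragment` is undocumented, and the only accepted values a reader can infer from this commit are `'GET'` and `'POST'`; a one-line docstring such as `"""Fetch and decode JSON from <node-url>/<fragment>; `method` is the HTTP verb to use (default GET)."""` would make that explicit. The function body, where `method` is presumably consumed, continues outside the hunk, so whether the new argument is actually wired through cannot be confirmed here.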
@@ -334,7 +334,13 @@ def status(options):
             nice_created = humanize.naturaltime(now - created)
             print "    %s (%s): %s, version=%s, created %s" % (n, nice_size, status, version, nice_created)
 
-    magicdata = _get_json_for_fragment(options, 'magic_folder?t=json')
+    with open(os.path.join(nodedir, u'private', u'api_auth_token'), 'rb') as f:
+        token = f.read()
+    magicdata = _get_json_for_fragment(
+        options,
+        'magic_folder?t=json&token=' + token,
+        method='POST',
+    )
     if len(magicdata):
         uploads = [item for item in magicdata if item['kind'] == 'upload']
         downloads = [item for item in magicdata if item['kind'] == 'download']
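Review bot: The token read at the `open(...)` line is used raw: it is neither stripped nor URL-escaped before being concatenated into the query string, so a trailing newline in `api_auth_token` or any reserved character would produce a token the server does not recognise. The same file already does `f.read().strip()` for `node-url`, so `token = f.read().strip()` and `'magic_folder?t=json&token=' + urllib.quote(token),` (importing `urllib` if the module does not already) would be consistent with it. Placing a secret in the request URL also means it is likely to appear in access logs and proxy logs; if `_get_json_for_fragment` can send a form body for POST, carrying the token there instead would keep it out of the request line, though the helper's body is outside this hunk so I cannot confirm it supports that. `status()` begins outside the hunk, and `nodedir` is not defined within the visible lines, so its origin is assumed from context.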
diff --git a/src/allmydata/web/magic_folder.py b/src/allmydata/web/magic_folder.py
index 5d2f3e5ed..bf72cc394 100644
--- a/src/allmydata/web/magic_folder.py
+++ b/src/allmydata/web/magic_folder.py
@@ -1,5 +1,7 @@
 import simplejson
 
+from twisted.web.server import UnsupportedMethod
+
 from nevow import rend, url, tags as T
 from nevow.inevow import IRequest
 
@@ -12,7 +14,6 @@ class MagicFolderWebApi(rend.Page):
     """
 
     def __init__(self, client):
-        ##rend.Page.__init__(self, storage)
         super(MagicFolderWebApi, self).__init__(client)
         self.client = client
 
@@ -47,6 +48,13 @@ class MagicFolderWebApi(rend.Page):
     def renderHTTP(self, ctx):
         req = IRequest(ctx)
         t = get_arg(req, "t", None)
+        if req.method != 'POST':
+            raise UnsupportedMethod(('POST',))
+
+        token = get_arg(req, "token", None)
+        # XXX need constant-time comparison?
+        if token is None or token != self.client.get_auth_token():
+            raise WebError("Missing or invalid token.", 400)
 
         if t is None:
             return rend.Page.renderHTTP(self, ctx)
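Review bot: The `# XXX need constant-time comparison?` question at the `token != self.client.get_auth_token()` line should be answered yes: `!=` on strings short-circuits on the first differing byte, so the comparison can leak how much of the token matched through timing. The standard-library helper is `hmac.compare_digest`, available in Python 2.7.7+, giving `if token is None or not hmac.compare_digest(token, self.client.get_auth_token()):` with `import hmac` added to the import block, and the XXX comment removed. Both arguments must be of the same type (both str/bytes, or both ASCII unicode), so it is worth confirming that `get_arg` and `get_auth_token()` return the same kind; `get_auth_token` is not visible in this diff. Note also that the `req.method` check runs before the token check, so an unauthenticated GET gets an `UnsupportedMethod` response while an authenticated-but-wrong-token POST gets the 400; that ordering looks intentional but is worth a short comment. `renderHTTP` continues past the end of the hunk.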