diff --git a/.github/workflows/test-functional.yml b/.github/workflows/test-functional.yml
index 1e67d21..2c0d4b3 100644
--- a/.github/workflows/test-functional.yml
+++ b/.github/workflows/test-functional.yml
@@ -1,4 +1,4 @@
-name: test-functional-database
+name: test-functional
 on:
   pull_request:
 permissions:
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 24f2389..81f2f12 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -22,7 +22,9 @@ func main() {
 	viper.SetEnvPrefix("MM")
 	viper.AutomaticEnv()
 	viper.SetDefault("listen_addr", "0.0.0.0:6789")
-	viper.SetDefault("control_plane_addr", "localhost:9012")
+	viper.SetDefault("control_plane_endpoint", "localhost:9012")
+	viper.SetDefault("control_plane_tls_enabled", true)
+	viper.SetDefault("control_plane_api_token", "")
 	viper.SetDefault("match_interval", "1s")
 	viper.SetDefault("allocate_instance_for_pending_match_after", "15s")
 	viper.SetDefault("remove_inactive_tickets_after", "1m")
diff --git a/internal/server/server.go b/internal/server/server.go
index a147628..1ddb3b9 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log/slog"
 	"net"
@@ -14,7 +15,9 @@ import (
 	mmv1alpha1 "github.com/spacechunks/matchmaking/api/v1alpha1"
 	"github.com/spacechunks/matchmaking/internal/matchmaking"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
 )
 
 type Server struct {
@@ -34,7 +37,9 @@ func New(logger *slog.Logger, config Config, tickets *matchmaking.Store[matchmak
 
 type Config struct {
 	ListeAddr                            string        `mapstructure:"listen_addr"`
-	ControlPlaneAddr                     string        `mapstructure:"control_plane_addr"`
+	ControlPlaneAddr                     string        `mapstructure:"control_plane_endpoint"`
+	ControlPlaneTLSEnabled               bool          `mapstructure:"control_plane_tls_enabled"`
+	ControlPlaneAPIToken                 string        `mapstructure:"control_plane_api_token"`
 	MatchInterval                        time.Duration `mapstructure:"match_interval"`
 	AllocateInstanceForPendingMatchAfter time.Duration `mapstructure:"allocate_instance_for_pending_match_after"`
 	RemoveInactiveTicketsAfter           time.Duration `mapstructure:"remove_inactive_tickets_after"`
@@ -53,7 +58,28 @@ func (s Server) Run(ctx context.Context) error {
 		),
 	)
 
-	conn, err := grpc.NewClient(s.cfg.ControlPlaneAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	creds := insecure.NewCredentials()
+	if s.cfg.ControlPlaneTLSEnabled {
+		creds = credentials.NewTLS(&tls.Config{})
+	}
+
+	conn, err := grpc.NewClient(
+		s.cfg.ControlPlaneAddr,
+		grpc.WithTransportCredentials(creds),
+		grpc.WithUnaryInterceptor(func(
+			ctx context.Context,
+			method string,
+			req any,
+			reply any,
+			cc *grpc.ClientConn,
+			invoker grpc.UnaryInvoker,
+			opts ...grpc.CallOption,
+		) error {
+			md := metadata.Pairs("authorization", s.cfg.ControlPlaneAPIToken)
+			ctx = metadata.NewOutgoingContext(ctx, md)
+			return invoker(ctx, method, req, reply, cc, opts...)
+		}),
+	)
 	if err != nil {
 		return fmt.Errorf("create grpc client: %w", err)
 	}