diff --git a/hub/handler.go b/hub/handler.go
index b7a69b9..50013cf 100644
--- a/hub/handler.go
+++ b/hub/handler.go
@@ -1,6 +1,7 @@
 package hub
 
 import (
+ "crypto/subtle"
 "errors"
 "log"
 "net/http"
@@ -64,7 +65,7 @@ func (app *App) handlePeer(pattern string, fn peerHandlerFunc) {
 }
 
 peer, err := app.api.Peer_GetByAPIKey(apiKey)
- if err != nil {
+ if err != nil || subtle.ConstantTimeCompare([]byte(peer.APIKey), []byte(apiKey)) != 1 {
 http.Error(w, "Not authorized", http.StatusUnauthorized)
 return
 }
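Review bot: The constant-time comparison in the new condition runs only after `app.api.Peer_GetByAPIKey(apiKey)` has already located the record by the secret itself, so whatever timing behaviour that lookup has is unchanged by this commit. What the compare does add is an exact byte-for-byte match, which matters if the store matches keys loosely (case-insensitive or padded collation, not visible here). A comment such as `// exact-match guard; the lookup above is still keyed on the secret` would keep the next reader from assuming the endpoint is now timing-safe, and the more durable fix is to look peers up by a digest of the key or by a separate non-secret identifier. Also, if `Peer_GetByAPIKey` returns a pointer and can yield a nil peer with a nil error (its signature is outside the hunk), `peer.APIKey` would panic, so the guard may need to read `err != nil || peer == nil || ...`. The enclosing handler starts and ends outside the hunk.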