diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 73bc228ed..eea4f888c 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -1,5 +1,6 @@
 class CaseLogsController < ApplicationController
- skip_before_action :verify_authenticity_token
+ skip_before_action :verify_authenticity_token, only: [:create], if: :json_request?
+ before_action :authenticate, only: [:create], if: :json_request?
 def index
 @submitted_case_logs = CaseLog.where(status: 1)
@@ -78,6 +79,14 @@ private
 end
 end
+ def json_request?
+ request.format.json?
+ end
+
+ def authenticate
+ http_basic_authenticate_or_request_with name: ENV["API_USER"], password: ENV["API_KEY"]
+ end
+
 def create_params
 return {} unless params[:case_log]
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index a06d72e01..34d9f98bb 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@@ -2,17 +2,24 @@ require "rails_helper"
 RSpec.describe CaseLogsController, type: :request do
 describe "POST #create" do
+ let(:tenant_code) { "T365" }
+ let(:tenant_age) { 35 }
+ let(:property_postcode) { "SE11 6TY" }
+ let(:api_username) { "test_user" }
+ let(:api_password) { "test_password" }
+ let(:basic_credentials) do
+ ActionController::HttpAuthentication::Basic
+ .encode_credentials(api_username, api_password)
+ end
+
 let(:headers) do
 {
 "Content-Type" => "application/json",
 "Accept" => "application/json",
+ "Authorization" => basic_credentials,
 }
 end
- let(:tenant_code) { "T365" }
- let(:tenant_age) { 35 }
- let(:property_postcode) { "SE11 6TY" }
-
 let(:params) do
 {
 "tenant_code": tenant_code,
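Review bot: The CSRF exemption added on the `skip_before_action` line is selected by `json_request?`, which a client chooses for itself through the Accept header or a `.json` path, so the only thing keeping a forged JSON POST to `create` out is the paired `before_action :authenticate`; the two lines share their `only:`/`if:` options today, but nothing enforces that they stay in step if either is edited later. A comment above the pair such as `# The CSRF skip and the basic-auth requirement must keep identical only:/if: conditions: a JSON create is protected by credentials, not by the session token.` would make that invariant explicit to the next maintainer. Rails' `protect_from_forgery with: :null_session` strategy is the alternative, answering API requests with an empty session instead of dropping the check, though it changes the strategy for the whole controller and would need its own test. Whether `create` reads anything from the session is not visible in this hunk.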
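Review bot: `authenticate` passes `ENV["API_USER"]` and `ENV["API_KEY"]` straight into `http_basic_authenticate_or_request_with`, so if either variable is unset in a deployment the expected name or password is `nil`; depending on the Rails version the comparison then raises (a 500 on every JSON create) or rejects every request with 401, and neither failure mode points at the missing configuration. Reading them with `ENV.fetch("API_USER")` and `ENV.fetch("API_KEY")` fails with a `KeyError` naming the variable instead; the spec's `allow(ENV).to receive(:[])` stubs would have to become `fetch` stubs alongside. A `realm:` argument is also worth adding so the `WWW-Authenticate` challenge identifies this API rather than the library default.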
@@ -22,6 +29,9 @@ RSpec.describe CaseLogsController, type: :request do
 end
 before do
+ allow(ENV).to receive(:[])
+ allow(ENV).to receive(:[]).with("API_USER").and_return(api_username)
+ allow(ENV).to receive(:[]).with("API_KEY").and_return(api_password)
 post "/case_logs", headers: headers, params: params.to_json
 end
@@ -50,5 +60,15 @@ RSpec.describe CaseLogsController, type: :request do
 expect(json_response["errors"]).to eq(["Tenant age Tenant age must be between 0 and 100"])
 end
 end
+
+ context "request with invalid credentials" do
+ let(:basic_credentials) do
+ ActionController::HttpAuthentication::Basic.encode_credentials(api_username, "Oops")
+ end
+
+ it "returns 401" do
+ expect(response).to have_http_status(:unauthorized)
+ end
+ end
 end
 end
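Review bot: The bare `allow(ENV).to receive(:[])` on the first added line makes every other `ENV[...]` lookup during the request return `nil`, not just the two keys stubbed on the following lines, so any code in the request path that reads a different variable is silently misconfigured for the duration of the example. Changing that line to `allow(ENV).to receive(:[]).and_call_original` keeps the real values for unstubbed keys while the two `.with(...)` stubs still take precedence. The `before` block is complete within the hunk.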
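Review bot: The new `context "request with invalid credentials"` only exercises a wrong password on the added `let(:basic_credentials)` line; the more common failure, a JSON request with no `Authorization` header at all, is not covered, and nothing asserts that the action stopped before doing any work. A sibling context that overrides `headers` without the `"Authorization"` key and expects `:unauthorized` would pin the `before_action` on the missing-credentials path, and if `create` persists a `CaseLog` an `expect { ... }.not_to change(CaseLog, :count)` style assertion would show that the 401 halts before the write. Since the `post` happens in a `before` block outside this hunk, the change-assertion would need the request moved into the example itself.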