diff --git a/app.py b/app.py
index 07b7c8d..5c43d2a 100644
--- a/app.py
+++ b/app.py
@@ -1,3 +1,4 @@
+from flask_basicauth import BasicAuth
 import matplotlib.dates as mdates
 import matplotlib.pyplot as plt
 from dateutil.relativedelta import relativedelta
@@ -31,6 +32,11 @@ jinja_partials.register_extensions(app)
 htmx = HTMX(app)
 db = SQLAlchemy(app)
+app.config['BASIC_AUTH_USERNAME'] = os.getenv("ADMIN_USERNAME") or 'admin'
+app.config['BASIC_AUTH_PASSWORD'] = os.getenv("ADMIN_PASSWORD") or 'admin'
+
+basic_auth = BasicAuth(app)
+
 class User(db.Model):
 __tablename__ = 'users'
@@ -126,6 +132,7 @@ def users():
 @app.route('/user/', methods=['DELETE'])
+@basic_auth.required
 def delete_user(user_id):
 user = User.query.get(user_id)
 if user:
@@ -210,7 +217,7 @@ def workouts(user_id):
 return jsonify({'message': 'Workout created successfully.'}), 201
-@app.route('/user//workout//', methods=['GET', 'DELETE'])
+@app.route('/user//workout//', methods=['GET'])
 def workout(user_id, workout_id, graph_type):
 workout = Workout.query.filter_by(user_id=user_id, id=workout_id).join(
 Workout.cadence_readings).join(Workout.heart_rate_readings).first()
@@ -254,6 +261,7 @@ def view_workout(user_id, workout_id):
 @app.route('/user//workout//delete', methods=['DELETE'])
+@basic_auth.required
 def delete_workout(user_id, workout_id):
 # Delete the workout and its associated cadence readings
 CadenceReading.query.filter_by(workout_id=workout_id).delete()
diff --git a/requirements.txt b/requirements.txt
index 2606b43..5223b9f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,4 +10,5 @@ Flask-SQLAlchemy==3.0.3
 matplotlib==3.5.2
 sparklines==0.4.2
 humanize==4.8.0
-Werkzeug==2.2.2
\ No newline at end of file
+Werkzeug==2.2.2
+Flask-BasicAuth==0.2.0
\ No newline at end of file
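Review bot: In the `@@ -31,6 +32,11 @@` hunk of app.py, falling back to `'admin'`/`'admin'` when `ADMIN_USERNAME` or `ADMIN_PASSWORD` is unset (or empty, because of the `or`) means a deployment that forgets the variables silently guards the delete routes with a well-known default credential. Fail closed at startup instead: `app.config['BASIC_AUTH_PASSWORD'] = os.environ['ADMIN_PASSWORD']` and the same for the username, followed by a check that raises on an empty value. HTTP Basic sends the credential with every request in reversible base64, so these routes should only be reachable over TLS; whether that is enforced is not visible in this diff.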
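Review bot: In the `@@ -210,7 +217,7 @@` hunk, dropping `'DELETE'` from `methods` on `workout()` leaves any `request.method == 'DELETE'` branch in that view unreachable; the body lies outside the hunk, so confirm whether such a branch exists and remove it so the only delete path is the one behind `@basic_auth.required`. A short comment above the route such as `# Read-only: deletion lives in delete_workout(), which requires basic auth` would record why the method list was narrowed.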
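Review bot: In the `@@ -254,6 +261,7 @@` hunk, `delete_workout` filters the visible delete only by `workout_id`, so the `user_id` taken from the URL does not constrain which rows are removed and a request on one user's path can delete readings that belong to another user's workout. Before deleting children, load the parent with `Workout.query.filter_by(user_id=user_id, id=workout_id).first()` (the same filter `workout()` uses) and return 404 when it is missing. The rest of the function is outside the hunk, so confirm it does not already perform this check.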
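Review bot: `Flask-BasicAuth==0.2.0` places the credential check for the destructive routes in a package that, as far as I can tell, has not had a release in many years; confirm it is still maintained and compatible with the pinned Flask/Werkzeug before relying on it. If its comparison of username and password is a plain `==`, subclass `BasicAuth` and override `check_credentials` to use `hmac.compare_digest`. The exact pin is good; adding hashes (`--require-hashes`) would also protect the install against a tampered artifact.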