diff --git a/conf/vanilla-server.json b/conf/vanilla-server.json
index 5e5da12..41e90b8 100644
--- a/conf/vanilla-server.json
+++ b/conf/vanilla-server.json
@@ -18,6 +18,8 @@
 }
 },
+ "skey": "",
+
 "user": {
 "session": {
 "handler": {
diff --git a/src/server/daemon/Daemon.js b/src/server/daemon/Daemon.js
index 4b80e43..282197f 100644
--- a/src/server/daemon/Daemon.js
+++ b/src/server/daemon/Daemon.js
@@ -112,7 +112,8 @@ module.exports = AbstractClass( 'Daemon',
 return Promise.all( [
 this._createDebugLog(),
 this._createAccessLog(),
- ] ).then( ([ debug_log, access_log ]) =>
+ this._conf.get( 'skey' ),
+ ] ).then( ([ debug_log, access_log, skey ]) =>
 {
 this._debugLog = debug_log;
 this._accessLog = access_log;
@@ -121,7 +122,7 @@ module.exports = AbstractClass( 'Daemon',
 this._rater = liza.server.rater.ProcessManager();
 this._encService = this.getEncryptionService();
 this._memcache = this.getMemcacheClient();
- this._routers = this.getRouters();
+ this._routers = this.getRouters( skey );
 } )
 .then( () => this._startDaemon() );
 },
@@ -181,11 +182,16 @@ module.exports = AbstractClass( 'Daemon',
 },
- 'protected getProgramController': function()
+ 'protected getProgramController': function( skey )
 {
 var controller = require( './controller' );
 controller.rater = this._rater;
+ if ( skey )
+ {
+ controller.skey = skey;
+ }
+
 return controller;
 },
@@ -270,10 +276,10 @@ module.exports = AbstractClass( 'Daemon',
 'abstract protected getEncryptionService': [],
- 'protected getRouters': function()
+ 'protected getRouters': function( skey )
 {
 return [
- this.getProgramController(),
+ this.getProgramController( skey ),
 this.getScriptsController(),
 this.getClientErrorController(),
 ];
diff --git a/src/server/daemon/controller.js b/src/server/daemon/controller.js
index 1cca831..e6571f2 100644
--- a/src/server/daemon/controller.js
+++ b/src/server/daemon/controller.js
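Review bot: The key's purpose is invisible from the config itself: `"skey": ""` reads like any other setting, yet a non-empty value here switches on an authentication bypass for the program controller (the empty default keeps it off, since the new `has_skey` in controller.js returns false for an empty `exports.skey`). JSON has no comments, so document the key wherever the server's configuration keys are described: what it enables, that it stays empty unless the bypass is actually needed, and that a set value must be a long random token rather than a memorable word. This file looks like the shipped template, so the real value presumably belongs in the deployment's own config rather than in a committed file; worth confirming and stating in that documentation.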
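Review bot: Nothing at startup records whether the bypass is armed: `this._conf.get( 'skey' )` is resolved and threaded down to the controller, but a deployment that sets a non-empty value silently gains an authentication bypass and one that mistypes the key silently loses it. Where the `then` callback destructures `skey`, log whether a session key was configured — the fact only, never the value — so the state shows up in the debug log created just above. I can't see from the hunk what `_conf.get` resolves to when the key is absent; if it rejects rather than resolving to undefined, the daemon will fail to start on existing configs, which deserves a word in the commit message. The enclosing method continues outside the hunk.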
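Review bot: `controller.skey = skey;` writes the secret into the shared module object returned by `require( './controller' )`, following the `controller.rater` pattern above it, so the key becomes mutable module state that any code holding that module can read or overwrite. The controller's `exports.init = function( logger, enc_service, conf )` already receives `conf`, so the controller could obtain the key itself during init and keep it in a file-local variable instead of an export, which would also remove the need to thread `skey` through `getRouters( skey )` and `getProgramController( skey )` in the later hunks. Whether init runs early enough for that depends on call sites I cannot see; if it does not, at least note in a comment on the `if ( skey )` that a falsy value deliberately leaves the module default of `""` in place and thereby disables the bypass.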
@@ -94,6 +94,7 @@ var sflag = {};
 // TODO: kluge to get liza somewhat decoupled from lovullo (rating module)
 exports.rater = {};
+exports.skey = "";
 exports.init = function( logger, enc_service, conf )
@@ -619,12 +620,24 @@ function createQuoteQuick( id )
 }
+/**
+ * Check whether the proper skey (session key) was provided
+ * This is a basic authentication token that allows bypassing authentication
+ * for internal tasks (like creating quotes).
+ * XXX: A single shared secret is a terrible idea; this was intended to
+ * be a temporary solution. Fix this crap in favor of proper authentication
+ * between services.
+ */
 function has_skey( user_request )
 {
- // a basic authentication token that allows our systems to bypass
- // authentication...this isn't really secure, but it doesn't need to be,
- // because for our uses, they really cannot do any damage
- return ( user_request.getGetData().skey === 'fd29d02ac1' )
+ if ( !exports.skey )
+ {
+ return false;
+ }
+
+ return ( user_request.getGetData().skey === exports.skey );
 }
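Review bot: The new `return ( user_request.getGetData().skey === exports.skey );` compares a secret with `===`, which stops at the first differing character; for a token that gates an authentication bypass the comparison should be constant-time, which `crypto.timingSafeEqual` gives once both sides are equal-length Buffers (it throws on a length mismatch, so length is checked first). The value also arrives in the GET query string, so wherever the access log set up in Daemon.js records request URLs the key is written to disk in clear; that is pre-existing, but the XXX paragraph in the new comment is the natural place to mention it next to the shared-secret concern. A non-string query value (however the parser renders repeated parameters, for instance) is better rejected explicitly than left to `===` happening to fail. The rewrite below needs `var crypto = require( 'crypto' );` at the top of the file and a Node version that has `timingSafeEqual`, which I cannot verify from the diff.
```javascript
function has_skey( user_request )
{
    // an unset or non-string key disables the bypass entirely
    if ( typeof exports.skey !== 'string' || exports.skey === '' )
    {
        return false;
    }

    var given = user_request.getGetData().skey;

    // only a plain string can match; anything else the query parser
    // produces is treated as absent
    if ( typeof given !== 'string' )
    {
        return false;
    }

    var expected = Buffer.from( exports.skey );
    var actual   = Buffer.from( given );

    // timingSafeEqual throws on differing lengths, so compare lengths
    // first; the comparison itself is then constant-time
    return ( ( actual.length === expected.length )
        && crypto.timingSafeEqual( actual, expected ) );
}
```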