diff --git a/check-email b/check-email
index 6503bb9..222e598 100755
--- a/check-email
+++ b/check-email
@@ -7,6 +7,8 @@ import subprocess
 
 import smolcgi
 
+smolcgi.require_cool_client("This script is not publicly available, sorry!")
+
 if not smolcgi.query_string_dec:
     smolcgi.require_input("Provide an email address to check.")
 
diff --git a/smolcgi.py b/smolcgi.py
index cc1a9ae..88e0634 100644
--- a/smolcgi.py
+++ b/smolcgi.py
@@ -142,6 +142,14 @@ def cert_not_authorised(reason=""):
     exit_with_header(61, reason)
 
 
+def require_cool_client(reason=""):
+    require_client_cert()
+    with open(get_storage_path() / "cool_hashes", "rt") as f:
+        cool_hashes = f.read().rstrip().split("\n")
+    if tls_client_hash not in cool_hashes:
+        cert_not_authorised(reason)
+
+
 def cert_not_valid(reason=""):
     exit_with_header(62, reason)