diff --git a/Dockerfile b/Dockerfile
index 932f48d..c12c8b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,7 @@ ENV DERP_STUN true
 ENV DERP_STUN_PORT 3478
 ENV DERP_HTTP_PORT 80
 ENV DERP_VERIFY_CLIENTS false
+ENV DERP_VERIFY_CLIENT_URL ""
 COPY --from=builder /go/bin/derper .
@@ -32,5 +33,6 @@ CMD /app/derper --hostname=$DERP_DOMAIN \
 --stun=$DERP_STUN \
 --stun-port=$DERP_STUN_PORT \
 --http-port=$DERP_HTTP_PORT \
- --verify-clients=$DERP_VERIFY_CLIENTS
+ --verify-clients=$DERP_VERIFY_CLIENTS \
+ --verify-client-url=$DERP_VERIFY_CLIENT_URL
diff --git a/README.md b/README.md
index 6d5da9e..2e33c58 100644
--- a/README.md
+++ b/README.md
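Review bot: The new `ENV DERP_VERIFY_CLIENT_URL ""` line in the first Dockerfile hunk has no comment saying what the empty default means, and with `DERP_VERIFY_CLIENTS false` directly above it both client-admission settings are off by default as far as these lines show. I would add a comment above the new line, `# Empty = admission-controller check off; set to the controller's https:// URL to enable`, so an operator reading the Dockerfile sees that admission stays unchecked until one of the two settings is changed. The README row added in the same commit describes the flag as taking effect only when non-empty, which is what the comment relies on.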
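Review bot: `$DERP_VERIFY_CLIENT_URL` on the last added line of the Dockerfile CMD hunk is expanded unquoted by the shell-form CMD, so a value containing whitespace is split into extra arguments and one containing `?` or `*` (a query string, for instance) is subject to pathname expansion; `--verify-client-url="$DERP_VERIFY_CLIENT_URL"` avoids both. The other flags in this CMD are written the same way and the CMD starts above the hunk, so the existing lines could be quoted in the same pass. Separately, upstream derper has a companion `--verify-client-url-fail-open` flag which, as far as I know, defaults to true, meaning clients are admitted whenever the controller cannot be reached. If the derper built in the builder stage supports it, exposing it through another ENV would let operators choose fail-closed.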
@@ -12,16 +12,17 @@ docker run -e DERP_DOMAIN=derper.your-domain.com -p 80:80 -p 443:443 -p 3478:3478/udp fredliang/derper
 ```
-| env | required | description | default value |
-| ------------------- | -------- | ---------------------------------------------------------------------- | ----------------- |
-| DERP_DOMAIN | true | derper server hostname | your-hostname.com |
-| DERP_CERT_DIR | false | directory to store LetsEncrypt certs(if addr's port is :443) | /app/certs |
-| DERP_CERT_MODE | false | mode for getting a cert. possible options: manual, letsencrypt | letsencrypt |
-| DERP_ADDR | false | listening server address | :443 |
-| DERP_STUN | false | also run a STUN server | true |
-| DERP_STUN_PORT | false | The UDP port on which to serve STUN. | 3478 |
-| DERP_HTTP_PORT | false | The port on which to serve HTTP. Set to -1 to disable | 80 |
-| DERP_VERIFY_CLIENTS | false | verify clients to this DERP server through a local tailscaled instance | false |
+| env | required | description | default value |
+| ------------------- | -------- | ---------------------------------------------------------------------- | ----------------- |
+| DERP_DOMAIN | true | derper server hostname | your-hostname.com |
+| DERP_CERT_DIR | false | directory to store LetsEncrypt certs(if addr's port is :443) | /app/certs |
+| DERP_CERT_MODE | false | mode for getting a cert. possible options: manual, letsencrypt | letsencrypt |
+| DERP_ADDR | false | listening server address | :443 |
+| DERP_STUN | false | also run a STUN server | true |
+| DERP_STUN_PORT | false | The UDP port on which to serve STUN. | 3478 |
+| DERP_HTTP_PORT | false | The port on which to serve HTTP. Set to -1 to disable | 80 |
+| DERP_VERIFY_CLIENTS | false | verify clients to this DERP server through a local tailscaled instance | false |
+| DERP_VERIFY_CLIENT_URL | false | if non-empty, an admission controller URL for permitting client connections | "" |
 # Usage