diff --git a/jupyter_server/base/handlers.py b/jupyter_server/base/handlers.py
index bad31513d7..363230b1de 100755
--- a/jupyter_server/base/handlers.py
+++ b/jupyter_server/base/handlers.py
@@ -842,10 +842,12 @@ def get(self):
 
 class PrometheusMetricsHandler(JupyterHandler):
     """
-    Return prometheus metrics for this Jupyter server
+    Return prometheus metrics for this notebook server
     """
-    @web.authenticated
     def get(self):
+        if self.settings['authenticate_prometheus'] and not self.logged_in:
+            raise web.HTTPError(403)
+
         self.set_header('Content-Type', prometheus_client.CONTENT_TYPE_LATEST)
         self.write(prometheus_client.generate_latest(prometheus_client.REGISTRY))
 
diff --git a/jupyter_server/serverapp.py b/jupyter_server/serverapp.py
index 13bc0940be..6e6b9aafab 100755
--- a/jupyter_server/serverapp.py
+++ b/jupyter_server/serverapp.py
@@ -246,6 +246,7 @@ def init_settings(self, jupyter_app, kernel_manager, contents_manager,
             disable_check_xsrf=jupyter_app.disable_check_xsrf,
             allow_remote_access=jupyter_app.allow_remote_access,
             local_hostnames=jupyter_app.local_hostnames,
+            authenticate_prometheus=jupyter_app.authenticate_prometheus,
 
             # managers
             kernel_manager=kernel_manager,
@@ -1199,6 +1200,14 @@ def _update_server_extensions(self, change):
          is not available.
          """))
 
+    authenticate_prometheus = Bool(
+        True,
+        help=""""
+        Require authentication to access prometheus metrics.
+        """,
+        config=True
+    )
+
     def parse_command_line(self, argv=None):
 
         super(ServerApp, self).parse_command_line(argv)