diff --git a/app/vmauth/README.md b/app/vmauth/README.md
index 6340d2275..335c2804e 100644
--- a/app/vmauth/README.md
+++ b/app/vmauth/README.md
@@ -109,6 +109,8 @@ Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable
 
 Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`.
 
+It is recommended protecting `/-/reload` endpoint with `-reloadAuthKey` command-line flag, so external users couldn't trigger config reload.
+
 
 ## Monitoring
 
@@ -232,6 +234,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
     	Auth key for /metrics. It overrides httpAuth settings
   -pprofAuthKey string
     	Auth key for /debug/pprof. It overrides httpAuth settings
+  -reloadAuthKey string
+    	Auth key for /-/reload http endpoint. It must be passed as authKey=...
   -tls
     	Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set
   -tlsCertFile string
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 2d3b5e15f..2825a93dc 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -20,6 +20,7 @@ import (
 var (
 	httpListenAddr         = flag.String("httpListenAddr", ":8427", "TCP address to listen for http connections")
 	maxIdleConnsPerBackend = flag.Int("maxIdleConnsPerBackend", 100, "The maximum number of idle connections vmauth can open per each backend host")
+	reloadAuthKey          = flag.String("reloadAuthKey", "", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
 )
 
 func main() {
@@ -51,6 +52,11 @@ func main() {
 func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 	switch r.URL.Path {
 	case "/-/reload":
+		authKey := r.FormValue("authKey")
+		if authKey != *reloadAuthKey {
+			httpserver.Errorf(w, r, "invalid authKey %q. It must match the value from -reloadAuthKey command line flag", authKey)
+			return true
+		}
 		configReloadRequests.Inc()
 		procutil.SelfSIGHUP()
 		w.WriteHeader(http.StatusOK)
diff --git a/docs/vmauth.md b/docs/vmauth.md
index 2245da966..48c597c62 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
@@ -113,6 +113,8 @@ Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable
 
 Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`.
 
+It is recommended protecting `/-/reload` endpoint with `-reloadAuthKey` command-line flag, so external users couldn't trigger config reload.
+
 
 ## Monitoring
 
@@ -236,6 +238,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
     	Auth key for /metrics. It overrides httpAuth settings
   -pprofAuthKey string
     	Auth key for /debug/pprof. It overrides httpAuth settings
+  -reloadAuthKey string
+    	Auth key for /-/reload http endpoint. It must be passed as authKey=...
   -tls
     	Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set
   -tlsCertFile string