diff --git a/cmd/tokidoki/main.go b/cmd/tokidoki/main.go
index 0c3f4b1..a8fea6a 100644
--- a/cmd/tokidoki/main.go
+++ b/cmd/tokidoki/main.go
@@ -92,10 +92,14 @@ func main() {
 		debug      bool
 		jsonLog    bool
 		storageURL string
+		cert       string
+		key        string
 	)
 	flag.StringVar(&addr, "addr", ":8080", "listening address")
 	flag.StringVar(&authURL, "auth.url", "", "auth backend URL (required)")
 	flag.StringVar(&storageURL, "storage.url", "", "storage backend URL (required)")
+	flag.StringVar(&cert, "cert", "", "certificate file for TLS")
+	flag.StringVar(&key, "key", "", "key file for TLS")
 	flag.BoolVar(&debug, "log.debug", false, "enable debug logs")
 	flag.BoolVar(&jsonLog, "log.json", false, "enable structured logs")
 	flag.Parse()
@@ -140,6 +144,10 @@ func main() {
 		log.Fatal().Err(err).Msg("failed to load storage backend")
 	}
 
+	if (cert != "") != (key != "") {
+		log.Fatal().Msg("provide both cert and key for TLS")
+	}
+
 	carddavHandler := carddav.Handler{Backend: carddavBackend}
 	caldavHandler := caldav.Handler{Backend: caldavBackend}
 	handler := tokidokiHandler{
@@ -163,7 +171,11 @@ func main() {
 	log.Info().Str("address", addr).Msg("starting server")
 	log.Debug().Msg("debug output enabled")
 
-	err = server.ListenAndServe()
+	if (cert != "") && (key != "") {
+		err = server.ListenAndServeTLS(cert, key)
+	} else {
+		err = server.ListenAndServe()
+	}
 	if err != http.ErrServerClosed {
 		log.Fatal().Err(err).Msg("ListenAndServe() error")
 	}