diff --git a/service/firewall/api.go b/service/firewall/api.go
index 949e168f..244ec2b8 100644
--- a/service/firewall/api.go
+++ b/service/firewall/api.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"
 
@@ -164,6 +165,12 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
 	default: // normal process
 		// Check if the requesting process is in database root / updates dir.
 		if realPath, err := filepath.EvalSymlinks(proc.Path); err == nil {
+
+			// check if the client has been allowed by flag
+			if slices.Contains(allowedClients, realPath) {
+				return false, nil
+			}
+
 			if strings.HasPrefix(realPath, authenticatedPath) {
 				return false, nil
 			}
diff --git a/service/firewall/module.go b/service/firewall/module.go
index 73292967..168ee7b8 100644
--- a/service/firewall/module.go
+++ b/service/firewall/module.go
@@ -2,7 +2,9 @@ package firewall
 
 import (
 	"context"
+	"flag"
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	"github.com/safing/portbase/config"
@@ -16,7 +18,21 @@ import (
 	"github.com/safing/portmaster/spn/captain"
 )
 
-var module *modules.Module
+type stringSliceFlag []string
+
+func (ss *stringSliceFlag) String() string {
+	return strings.Join(*ss, ":")
+}
+
+func (ss *stringSliceFlag) Set(value string) error {
+	*ss = append(*ss, filepath.Clean(value))
+	return nil
+}
+
+var (
+	module         *modules.Module
+	allowedClients stringSliceFlag
+)
 
 func init() {
 	module = modules.Register("filter", prep, start, stop, "core", "interception", "intel", "netquery")
@@ -28,6 +44,8 @@ func init() {
 		"config:filter/",
 		nil,
 	)
+
+	flag.Var(&allowedClients, "allowed-clients", "A list of binaries that are allowed to connect to the Portmaster API")
 }
 
 func prep() error {
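Review bot: The comment above the new `slices.Contains(allowedClients, realPath)` check does not say what a match means for the caller: it returns before the `authenticatedPath` prefix check, so any process executing from a listed path is granted API access with no further authentication, and the only identity evidence is the symlink-resolved executable path. That consequence belongs in the comment so a later reader does not treat the list as a soft hint; suggest `// Binaries listed via -allowed-clients are trusted like the updates dir: a match skips API authentication entirely. Identity is the symlink-resolved executable path only.` in place of `// check if the client has been allowed by flag`. The enclosing `authenticateAPIRequest` starts and ends outside the hunk.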
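Review bot: `Set` only applies `filepath.Clean`, but the comparison in api.go (the `slices.Contains(allowedClients, realPath)` check in that file's second hunk) uses the output of `filepath.EvalSymlinks`, so a relative path or a path that goes through a symlink given on the command line is stored in a form that never equals `realPath` and the entry silently grants nothing. Normalising in `Set` with `filepath.Abs` and `filepath.EvalSymlinks` makes stored entries comparable to `realPath`, and a path that cannot be resolved at startup is rejected with an error rather than ignored; `fmt` is already imported in this file. `String` joins entries with `:` while `Set` never splits on `:`, so each flag occurrence contributes exactly one entry — worth stating in a doc comment on `stringSliceFlag`, e.g. `// stringSliceFlag collects one cleaned path per flag occurrence; String joins them with ':' for display only.`
```go
// Set appends one absolute, symlink-resolved path per flag occurrence so that
// entries compare equal to the filepath.EvalSymlinks output used in api.go.
// A path that cannot be resolved at startup is an error, not a silent no-op.
func (ss *stringSliceFlag) Set(value string) error {
	abs, err := filepath.Abs(value)
	if err != nil {
		return fmt.Errorf("resolving allowed client %q: %w", value, err)
	}
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return fmt.Errorf("resolving allowed client %q: %w", value, err)
	}
	*ss = append(*ss, resolved)
	return nil
}
```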
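Review bot: The help text `"A list of binaries that are allowed to connect to the Portmaster API"` reads as if a delimited list is accepted, but `Set` appends one entry per occurrence and never splits, so `-allowed-clients a:b` stores the single non-matching entry `a:b`; the `:`-joined output of `String` reinforces the wrong expectation. Suggest `"Path of a binary allowed to use the Portmaster API without authentication; repeat the flag for several binaries"` so the security effect and the repeat-the-flag usage are both explicit. Since `flag.Var` is called from `init`, it presumably runs before the main package calls `flag.Parse`; that ordering is not visible here and is worth confirming.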