diff --git a/client/control.go b/client/control.go
index 84f7af2b..170d00ff 100644
--- a/client/control.go
+++ b/client/control.go
@@ -140,7 +140,8 @@ func (ctl *Control) HandleReqWorkConn(inMsg *msg.ReqWorkConn) {
 }
 
 m := &msg.NewWorkConn{
- RunId: ctl.runId,
+ RunId: ctl.runId,
+ Timestamp: time.Now().Unix(),
 }
 if err = ctl.authSetter.SetNewWorkConn(m); err != nil {
 xl.Warn("error during NewWorkConn authentication: %v", err)
@@ -292,7 +293,9 @@ func (ctl *Control) msgHandler() {
 case <-hbSend.C:
 // send heartbeat to server
 xl.Debug("send heartbeat to server")
- pingMsg := &msg.Ping{}
+ pingMsg := &msg.Ping{
+ Timestamp: time.Now().Unix(),
+ }
 if err := ctl.authSetter.SetPing(pingMsg); err != nil {
 xl.Warn("error during ping authentication: %v", err)
 return
diff --git a/models/auth/token.go b/models/auth/token.go
index 71eea3f7..6155a8d7 100644
--- a/models/auth/token.go
+++ b/models/auth/token.go
@@ -69,13 +69,21 @@ func (auth *TokenAuthSetterVerifier) SetLogin(loginMsg *msg.Login) (err error) {
 return nil
 }
 
-func (auth *TokenAuthSetterVerifier) SetPing(*msg.Ping) error {
- // Ping doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) SetPing(pingMsg *msg.Ping) error {
+ if !auth.AuthenticateHeartBeats {
+ return nil
+ }
+
+ pingMsg.PrivilegeKey = util.GetAuthKey(auth.token, pingMsg.Timestamp)
 return nil
 }
 
-func (auth *TokenAuthSetterVerifier) SetNewWorkConn(*msg.NewWorkConn) error {
- // NewWorkConn doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error {
+ if !auth.AuthenticateHeartBeats {
+ return nil
+ }
+
+ newWorkConnMsg.PrivilegeKey = util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp)
 return nil
 }
 
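Review bot: SetNewWorkConn gates on `auth.AuthenticateHeartBeats`, while the server-side VerifyNewWorkConn in the following hunk gates on `auth.AuthenticateNewWorkConns`, so a deployment that enables only NewWorkConn authentication never gets a PrivilegeKey set on the client and every work connection is rejected. The guard should read `if !auth.AuthenticateNewWorkConns {`. The rewrite also drops the only comments these two exported methods had; a doc comment such as `// SetPing stamps the heartbeat with a privilege key derived from the token and its Timestamp when heartbeat authentication is enabled.` (and the NewWorkConn analogue) would keep them documented.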
@@ -86,12 +94,24 @@ func (auth *TokenAuthSetterVerifier) VerifyLogin(loginMsg *msg.Login) error {
 return nil
 }
 
-func (auth *TokenAuthSetterVerifier) VerifyPing(*msg.Ping) error {
- // Ping doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) VerifyPing(pingMsg *msg.Ping) error {
+ if !auth.AuthenticateHeartBeats {
+ return nil
+ }
+
+ if util.GetAuthKey(auth.token, pingMsg.Timestamp) != pingMsg.PrivilegeKey {
+ return fmt.Errorf("token in heartbeat doesn't match token from configuration")
+ }
 return nil
 }
 
-func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(*msg.NewWorkConn) error {
- // NewWorkConn doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error {
+ if !auth.AuthenticateNewWorkConns {
+ return nil
+ }
+
+ if util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp) != newWorkConnMsg.PrivilegeKey {
+ return fmt.Errorf("token in NewWorkConn doesn't match token from configuration")
+ }
 return nil
 }
diff --git a/models/msg/msg.go b/models/msg/msg.go
index c416bf97..0acce5b1 100644
--- a/models/msg/msg.go
+++ b/models/msg/msg.go
@@ -122,6 +122,7 @@ type CloseProxy struct {
 type NewWorkConn struct {
 RunId string `json:"run_id"`
 PrivilegeKey string `json:"privilege_key"`
+ Timestamp int64 `json:"timestamp"`
 }
 
 type ReqWorkConn struct {
@@ -133,6 +134,7 @@ type StartWorkConn struct {
 DstAddr string `json:"dst_addr"`
 SrcPort uint16 `json:"src_port"`
 DstPort uint16 `json:"dst_port"`
+ Error string `json:"error"`
 }
 
 type NewVisitorConn struct {
@@ -150,9 +152,11 @@ type NewVisitorConnResp struct {
 
 type Ping struct {
 PrivilegeKey string `json:"privilege_key"`
+ Timestamp int64 `json:"timestamp"`
 }
 
 type Pong struct {
+ Error string `json:"error"`
 }
 
 type UdpPacket struct {
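Review bot: VerifyPing and VerifyNewWorkConn accept whatever Timestamp the peer supplies and compare the derived key with `!=`, so a key computed for any past timestamp stays valid indefinitely and the comparison is not constant-time. Bounding `time.Now().Unix()-pingMsg.Timestamp` to a tolerance (reusing the one VerifyLogin applies, if it has one — its body is outside the hunk) and comparing with `subtle.ConstantTimeCompare` addresses both; the `crypto/subtle` and `time` imports sit above the hunk. The sketch below covers VerifyPing; VerifyNewWorkConn takes the same shape with the NewWorkConn message and its error text, and the skew constant needs a package-level declaration.
```go
func (auth *TokenAuthSetterVerifier) VerifyPing(pingMsg *msg.Ping) error {
	if !auth.AuthenticateHeartBeats {
		return nil
	}

	// Reject stale or far-future timestamps so a captured heartbeat cannot be
	// reused indefinitely; maxTimestampSkew is a package-level constant in seconds.
	if d := time.Now().Unix() - pingMsg.Timestamp; d > maxTimestampSkew || d < -maxTimestampSkew {
		return fmt.Errorf("timestamp in heartbeat is outside the accepted window")
	}

	expected := util.GetAuthKey(auth.token, pingMsg.Timestamp)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(pingMsg.PrivilegeKey)) != 1 {
		return fmt.Errorf("token in heartbeat doesn't match token from configuration")
	}
	return nil
}
// … VerifyNewWorkConn: same freshness check and constant-time compare …
```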
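Review bot: The new `Timestamp int64` field on NewWorkConn, and the matching one on Ping in the third msg.go hunk, carry no comment saying what they hold, although the client fills them with `time.Now().Unix()` and the token verifier feeds them into the privilege key. A comment such as `// Timestamp is the Unix time in seconds at which the sender built the message; it is an input to PrivilegeKey.` on each field would make the unit and role clear to anyone adding another auth method.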