diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -2840,6 +2840,8 @@ swh::deploy::indexer_journal_client::content_mimetype::config_file: "content_mimetype.yml"
 swh::deploy::indexer_journal_client::content_mimetype::loglevel: INFO
+swh::deploy::indexer_journal_client::content_mimetype::journal_authentication: true
+
 # Contains a password: in private data
 swh::deploy::indexer_journal_client::content_mimetype::config: # FIXME: Required by BaseIndexer class code, unused in this context though
@@ -2860,6 +2862,7 @@ swh::deploy::indexer_journal_client::content_fossology_license::config_file: "content_fossology_license.yml"
 swh::deploy::indexer_journal_client::content_fossology_license::loglevel: INFO
+swh::deploy::indexer_journal_client::content_fossology_license::journal_authentication: true
 # Contains a password: in private data
 swh::deploy::indexer_journal_client::content_fossology_license::config: # FIXME: Required by BaseIndexer class code, unused in this context though
@@ -2880,6 +2883,7 @@ swh::deploy::indexer_journal_client::extrinsic_metadata::config_file: "extrinsic_metadata.yml"
 swh::deploy::indexer_journal_client::extrinsic_metadata::loglevel: INFO
+swh::deploy::indexer_journal_client::extrinsic_metadata::journal_authentication: true
 swh::deploy::indexer_journal_client::extrinsic_metadata::config: # FIXME: Required by BaseIndexer class code, unused in this context though scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}"
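Review bot: The `content_mimetype` block adds an extra blank `+` line after the new `journal_authentication` key, while the `content_fossology_license` and `extrinsic_metadata` blocks in the next two hunks (and `origin_intrinsic_metadata` further down) do not, so four otherwise parallel blocks now read differently. Either drop the blank line here or add one to the other three so the per-instance key groups stay visually aligned. Defaulting the key to `true` in common data and overriding it per deployment is the fail-closed choice, so no change is needed to the values themselves.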
@@ -2898,6 +2902,7 @@ swh::deploy::indexer_journal_client::origin_intrinsic_metadata::config_file: "origin_intrinsic_metadata.yml"
 swh::deploy::indexer_journal_client::origin_intrinsic_metadata::batch_size: 200
 swh::deploy::indexer_journal_client::origin_intrinsic_metadata::loglevel: INFO
+swh::deploy::indexer_journal_client::origin_intrinsic_metadata::journal_authentication: true
 swh::deploy::indexer_journal_client::origin_intrinsic_metadata::config: # FIXME: Required by BaseIndexer class code, unused in this context though scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}"
diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml
--- a/data/deployments/staging/common.yaml
+++ b/data/deployments/staging/common.yaml
@@ -390,4 +390,9 @@ swh::deploy::maven_index_exporter::url: maven-exporter.internal.staging.swh.network
 swh::deploy::indexer_journal_client::origin_intrinsic_metadata::batch_size: 100
+swh::deploy::indexer_journal_client::content_mimetype::journal_authentication: false
+swh::deploy::indexer_journal_client::content_fossology_license::journal_authentication: false
+swh::deploy::indexer_journal_client::extrinsic_metadata::journal_authentication: false
+swh::deploy::indexer_journal_client::origin_intrinsic_metadata::journal_authentication: false
+
 cassandra::default_cluster_name: archive_staging
diff --git a/site-modules/profile/manifests/swh/deploy/indexer_journal_client.pp b/site-modules/profile/manifests/swh/deploy/indexer_journal_client.pp
--- a/site-modules/profile/manifests/swh/deploy/indexer_journal_client.pp
+++ b/site-modules/profile/manifests/swh/deploy/indexer_journal_client.pp
@@ -24,12 +24,35 @@ $sentry_environment = lookup("swh::deploy::indexer::sentry_environment", Optional[String], "first", undef)
 $sentry_swh_package = lookup("swh::deploy::indexer::sentry_swh_package", Optional[String], "first", undef)
+ # Optional authentication
+ $journal_authentication = lookup("swh::deploy::indexer_journal_client::${instance_name}::journal_authentication")
+
+ if $journal_authentication {
+ $username = lookup('swh::deploy::indexer_journal_client::journal::username')
+ $password = lookup('swh::deploy::indexer_journal_client::journal::password')
+ # Integrate authentication configuration entries into the $config dict
+ $suffix_group_id = $config["journal"]["group_id"]
+ # Subtility about ACL which requires the group id to be prefixed by the username
+ $group_id = "${username}-${suffix_group_id}"
+ $full_config = deep_merge($config, {
+ "journal" => {
+ "group_id" => $group_id,
+ "sasl.mechanism" => "SCRAM-SHA-512",
+ "security.protocol" => "SASL_SSL",
+ "sasl.username" => $username,
+ "sasl.password" => $password,
+ },
+ })
+ } else {
+ $full_config = $config
+ }
+
 file {$config_path: ensure => present, owner => "root", group => $::profile::swh::deploy::base_indexer::group, mode => "0640",
- content => inline_yaml($config),
+ content => inline_yaml($full_config),
 notify => Service[$service_name], require => File[$config_directory], }
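Review bot: The SASL password now ends up in the rendered YAML handed to `content => inline_yaml($full_config)`, and a plain string there is shown in agent logs and reports as a cleartext diff whenever the file changes (unless show_diff is turned off); wrapping it as `content => Sensitive(inline_yaml($full_config)),` keeps that diff redacted while still notifying the service. The new `journal_authentication` lookup is untyped and has no default, so a quoted `"false"` in hiera is truthy in Puppet and would silently enable the SASL branch; `lookup("swh::deploy::indexer_journal_client::${instance_name}::journal_authentication", Boolean)` makes a mistyped value a compile error instead. `$suffix_group_id` is read from `$config["journal"]["group_id"]` without checking the key exists, so a config lacking it yields a group id of `"${username}-"` rather than failing loudly. The enclosing class and the definition of `$config` start outside the hunk, and the comment typo `Subtility` should read `Subtlety`.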