diff --git a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
index 0b3c0c8da8..f624fa5a74 100644
--- a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
+++ b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
@@ -315,6 +315,7 @@
+
diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index dd14a3a8e3..cd148d99e8 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -275,6 +275,7 @@ typedef enum {
 PFLAG_TLS_ALWAYS_NAT,
 PFLAG_TCP_ALWAYS_NAT,
 PFLAG_ENABLE_CHAT,
+ PFLAG_AUTH_SUBSCRIPTIONS,
 /* No new flags below this line */
 PFLAG_MAX
 } PFLAGS;
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index 1df2d5f58f..625fcb64e4 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -4724,6 +4724,10 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 if (switch_true(val)) {
 sofia_set_pflag(profile, PFLAG_AUTH_MESSAGES);
 }
+ } else if (!strcasecmp(var, "auth-subscriptions")) {
+ if (switch_true(val)) {
+ sofia_set_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS);
+ }
 } else if (!strcasecmp(var, "extended-info-parsing")) {
 if (switch_true(val)) {
 sofia_set_pflag(profile, PFLAG_EXTENDED_INFO_PARSING);
diff --git a/src/mod/endpoints/mod_sofia/sofia_presence.c b/src/mod/endpoints/mod_sofia/sofia_presence.c
index 1cd8556d4c..83942c2806 100644
--- a/src/mod/endpoints/mod_sofia/sofia_presence.c
+++ b/src/mod/endpoints/mod_sofia/sofia_presence.c
@@ -3768,6 +3768,42 @@ void sofia_presence_handle_sip_i_subscribe(int status,
 goto end;
 }
+ if ((auth_res != AUTH_OK && auth_res != AUTH_RENEWED)) {
+ nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
+ goto end;
+ }
+ } else if (sofia_test_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS)) {
+ sip_authorization_t const *authorization = NULL;
+ auth_res_t auth_res = AUTH_FORBIDDEN;
+ char keybuf[128] = "";
+ char *key;
+ size_t keylen;
+ switch_event_t *v_event = NULL;
+
+ key = keybuf;
+ keylen = sizeof(keybuf);
+
+ if (sip->sip_authorization) {
+ authorization = sip->sip_authorization;
+ } else if (sip->sip_proxy_authorization) {
+ authorization = sip->sip_proxy_authorization;
+ }
+
+ if (authorization) {
+ char network_ip[80];
+ int network_port;
+ sofia_glue_get_addr(de->data->e_msg, network_ip, sizeof(network_ip), &network_port);
+ auth_res = sofia_reg_parse_auth(profile, authorization, sip, de,
+ (char *) sip->sip_request->rq_method_name, key, keylen, network_ip, network_port, NULL, 0,
+ REG_INVITE, NULL, NULL, NULL, NULL);
+ } else if ( sofia_reg_handle_register(nua, profile, nh, sip, de, REG_INVITE, key, (uint32_t)keylen, &v_event, NULL, NULL, NULL)) {
+ if (v_event) {
+ switch_event_destroy(&v_event);
+ }
+
+ goto end;
+ }
+
 if ((auth_res != AUTH_OK && auth_res != AUTH_RENEWED)) {
 nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
 goto end;
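Review bot: The security decision in the new `PFLAG_AUTH_SUBSCRIPTIONS` branch rests on the initializer `auth_res_t auth_res = AUTH_FORBIDDEN;`, and nothing says so: a SUBSCRIBE without credentials for which `sofia_reg_handle_register()` returns 0 falls through to the trailing `auth_res` check and is refused with 401. I would add `/* fail closed: only sofia_reg_parse_auth() may lift AUTH_FORBIDDEN */` on that declaration so a later edit does not change the default. On the same fall-through path `v_event` is not destroyed, because `switch_event_destroy(&v_event)` sits only inside the non-zero branch; whether the callee can fill it and still return 0 is not visible here and should be confirmed. The branch is reached only when the preceding `if`, whose condition is outside the hunk, is false and the profile sets `auth-subscriptions` to true (sofia.c hunk), so the check is opt-in and that default is worth stating next to the new sample-config line. The enclosing function starts and ends outside the hunk.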