diff --git a/services/blob/src/config.rs b/services/blob/src/config.rs
--- a/services/blob/src/config.rs
+++ b/services/blob/src/config.rs
@@ -20,6 +20,10 @@
 #[arg(env = S3_BUCKET_ENV_VAR)]
 #[arg(long, default_value_t = DEFAULT_S3_BUCKET_NAME.to_string())]
 pub s3_bucket_name: String,
+ /// Identity service endpoint
+ #[arg(env = "IDENTITY_SERVICE_ENDPOINT")]
+ #[arg(long, default_value = "http://localhost:50054")]
+ pub identity_endpoint: String,
 }
 /// Stores configuration parsed from command-line arguments
diff --git a/services/blob/src/http/mod.rs b/services/blob/src/http/mod.rs
--- a/services/blob/src/http/mod.rs
+++ b/services/blob/src/http/mod.rs
@@ -2,6 +2,7 @@
 use actix_web::{web, App, HttpServer};
 use anyhow::Result;
+use comm_services_lib::auth::AuthService;
 use tracing::info;
 mod errors;
@@ -11,7 +12,10 @@
 pub(super) mod blob;
 }
-pub async fn run_http_server(blob_service: BlobService) -> Result<()> {
+pub async fn run_http_server(
+ blob_service: BlobService,
+ auth_service: AuthService,
+) -> Result<()> {
 info!(
 "Starting HTTP server listening at port {}",
 CONFIG.http_port
@@ -22,6 +26,7 @@
 .wrap(comm_services_lib::http::cors_config(
 CONFIG.localstack_endpoint.is_some(),
 ))
+ .app_data(auth_service.to_owned())
 .app_data(web::Data::new(blob_service.to_owned()))
 .service(
 web::resource("/blob/{holder}")
diff --git a/services/blob/src/main.rs b/services/blob/src/main.rs
--- a/services/blob/src/main.rs
+++ b/services/blob/src/main.rs
@@ -7,6 +7,7 @@
 pub mod tools;
 use anyhow::Result;
+use comm_services_lib::auth::AuthService;
 use tracing_subscriber::filter::{EnvFilter, LevelFilter};
 use crate::service::BlobServiceConfig;
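Review bot: `identity_endpoint` in `services/blob/src/config.rs` is accepted as a free-form `String` with a cleartext `http://` default, so the address this service will rely on for authentication decisions is not checked when arguments are parsed. The same field is added in `services/reports/src/config.rs`, where the neighbouring `blob_service_url` is already a parsed `Url`. I would declare it as `pub identity_endpoint: Url,` in both structs, provided `Url` is available to the blob crate and `AuthService::new` (not visible here) can take it via `as_str()`. The doc comment should also say that the localhost default is meant for local development and that deployed instances should point at a TLS endpoint. The struct starts outside this hunk.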
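Review bot: In the `@@ -22,6 +26,7 @@` hunk of `services/blob/src/http/mod.rs`, `auth_service` is registered as bare app data with `.app_data(auth_service.to_owned())`, while `blob_service` on the next line is wrapped in `web::Data::new(...)`. In actix-web a bare value is found only through `HttpRequest::app_data::<AuthService>()`; a handler or extractor asking for `web::Data<AuthService>` would miss it, and the failure would show up only when a request arrives. Nothing visible in this hunk attaches an authentication check to `/blob/{holder}`, so registering the service does not by itself protect the route. I would add a comment above the line such as `// Bare app_data on purpose: read via req.app_data::<AuthService>(); routes still need the auth extractor`, or wrap the value in `web::Data::new` if consumers expect that; `services/reports/src/http/mod.rs` registers it the same way. The `App` builder chain continues outside the hunk.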
@@ -25,13 +26,14 @@
 #[tokio::main]
 async fn main() -> Result<()> {
 configure_logging()?;
- config::parse_cmdline_args()?;
+ let config = config::parse_cmdline_args()?;
 let aws_config = config::load_aws_config().await;
 let db = database::DatabaseClient::new(&aws_config);
 let s3 = s3::S3Client::new(&aws_config);
+ let auth_service = AuthService::new(&aws_config, &config.identity_endpoint);
- let service = service::BlobService::new(
+ let blob_service = service::BlobService::new(
 db,
 s3,
 BlobServiceConfig {
@@ -40,5 +42,5 @@
 },
 );
- crate::http::run_http_server(service).await
+ crate::http::run_http_server(blob_service, auth_service).await
 }
diff --git a/services/reports/src/config.rs b/services/reports/src/config.rs
--- a/services/reports/src/config.rs
+++ b/services/reports/src/config.rs
@@ -31,6 +31,11 @@
 #[arg(long, default_value = "http://localhost:50053")]
 pub blob_service_url: Url,
+ /// Identity service endpoint
+ #[arg(env = "IDENTITY_SERVICE_ENDPOINT")]
+ #[arg(long, default_value = "http://localhost:50054")]
+ pub identity_endpoint: String,
+
 /// Should reports be encrypted? Note that this flag disables encryption
 /// which is enabled by default.
 #[arg(long = "no-encrypt", action = ArgAction::SetFalse)]
diff --git a/services/reports/src/http/mod.rs b/services/reports/src/http/mod.rs
--- a/services/reports/src/http/mod.rs
+++ b/services/reports/src/http/mod.rs
@@ -4,6 +4,7 @@
 };
 use actix_web::{web, App, HttpResponse, HttpServer, ResponseError};
 use anyhow::Result;
+use comm_services_lib::auth::AuthService;
 use http::StatusCode;
 use tracing::{debug, error, info, trace, warn};
@@ -13,7 +14,10 @@
 mod handlers;
-pub async fn run_http_server(service: ReportsService) -> Result<()> {
+pub async fn run_http_server(
+ reports_service: ReportsService,
+ auth_service: AuthService,
+) -> Result<()> {
 use actix_web::middleware::{Logger, NormalizePath};
 use comm_services_lib::http::cors_config;
 use tracing_actix_web::TracingLogger;
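Review bot: `AuthService::new(&aws_config, &config.identity_endpoint)` in the blob `main` is called with no `?` or `.await`, so as far as this hunk shows the identity endpoint is neither validated nor contacted before the HTTP server starts accepting requests. A mistyped or unreachable endpoint would then surface only on the first request that needs verification, and whether that request is rejected depends on code not shown here. I would log the effective endpoint at startup, e.g. `tracing::info!("Identity service endpoint: {}", config.identity_endpoint);`, and confirm that verification errors are treated as a denial rather than passed through. The same construction is added in `services/reports/src/main.rs` at `@@ -36,7 +36,8 @@`. `main` starts in this hunk and ends in the following one.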
@@ -27,7 +31,8 @@
 web::JsonConfig::default().limit(REQUEST_BODY_JSON_SIZE_LIMIT);
 App::new()
 .app_data(json_cfg)
- .app_data(service.to_owned())
+ .app_data(reports_service.to_owned())
+ .app_data(auth_service.to_owned())
 .wrap(Logger::default())
 .wrap(TracingLogger::default())
 .wrap(NormalizePath::trim())
diff --git a/services/reports/src/main.rs b/services/reports/src/main.rs
--- a/services/reports/src/main.rs
+++ b/services/reports/src/main.rs
@@ -8,7 +8,7 @@
 pub mod service;
 use anyhow::Result;
-use comm_services_lib::blob::client::BlobServiceClient;
+use comm_services_lib::{auth::AuthService, blob::client::BlobServiceClient};
 use service::ReportsService;
 use tracing_subscriber::filter::{EnvFilter, LevelFilter};
@@ -36,7 +36,8 @@
 let db = database::client::DatabaseClient::new(&aws_config);
 let blob_client = BlobServiceClient::new(cfg.blob_service_url.clone());
- let service = ReportsService::new(db, blob_client, email_config);
+ let reports_service = ReportsService::new(db, blob_client, email_config);
+ let auth_service = AuthService::new(&aws_config, &cfg.identity_endpoint);
- crate::http::run_http_server(service).await
+ crate::http::run_http_server(reports_service, auth_service).await
 }