diff --git a/core/traefik/traefik.nomad b/core/traefik/traefik.nomad
index a3e0d34..47025ec 100644
--- a/core/traefik/traefik.nomad
+++ b/core/traefik/traefik.nomad
@@ -114,6 +114,14 @@ job "traefik" {
         }
       }
 
+      env = {
+        TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TOKEN = "${NOMAD_TOKEN}"
+      }
+
+      identity {
+        env = true
+      }
+
       template {
         # Avoid conflict with TOML lists [[ ]] and Go templates {{ }}
         left_delimiter = "<<"
@@ -166,7 +174,7 @@ job "traefik" {
   exposedByDefault = false
   defaultRule = "Host(`{{normalize .Name}}.<< with nomadVar "nomad/jobs" >><< .base_hostname >><< end >>`)"
   [providers.nomad.endpoint]
-  address = "http://127.0.0.1:4646"
+  address = "unix:///secrets/api.sock"
         EOH
         destination = "${NOMAD_TASK_DIR}/config/traefik.toml"
       }
diff --git a/core/traefik/traefik.tf b/core/traefik/traefik.tf
index 9a98e66..46094fa 100644
--- a/core/traefik/traefik.tf
+++ b/core/traefik/traefik.tf
@@ -21,3 +21,16 @@ EOH
     job_id = resource.nomad_job.traefik.id
   }
 }
+
+resource "nomad_acl_policy" "traefik_query_jobs" {
+  name        = "traefik-query-jobs"
+  description = "Allow traefik to query jobs"
+  rules_hcl   = <<EOH
+namespace "default" {
+  capabilities = ["list-jobs", "read-job"]
+}
+EOH
+  job_acl {
+    job_id = resource.nomad_job.traefik.id
+  }
+}