diff --git a/lib/omnibus/fetchers/net_fetcher.rb b/lib/omnibus/fetchers/net_fetcher.rb
index c5a6655d2..6f9cee62a 100644
--- a/lib/omnibus/fetchers/net_fetcher.rb
+++ b/lib/omnibus/fetchers/net_fetcher.rb
@@ -171,6 +171,7 @@ def download
 
       # Set the cookie if one was given
       options["Cookie"] = source[:cookie] if source[:cookie]
+      options["Authorization"] = source[:authorization] if source[:authorization]
 
       download_file!(download_url, downloaded_file, options)
     end
diff --git a/lib/omnibus/software.rb b/lib/omnibus/software.rb
index be9fd1ebb..a564d658f 100644
--- a/lib/omnibus/software.rb
+++ b/lib/omnibus/software.rb
@@ -263,6 +263,8 @@ def dependency(val)
     #
     # @option val [String] :cookie (nil)
     #   a cookie to set
+    # @option val [String] :authorization (nil)
+    #   an authorization header to set
     # @option val [String] :warning (nil)
     #   a warning message to print when downloading
     # @option val [Symbol] :extract (nil)
@@ -294,7 +296,7 @@ def source(val = NULL)
         extra_keys = val.keys - [
           :git, :file, :path, :url, # fetcher types
           :md5, :sha1, :sha256, :sha512, # hash type - common to all fetchers
-          :cookie, :warning, :unsafe, :extract, :cached_name, # used by net_fetcher
+          :cookie, :warning, :unsafe, :extract, :cached_name, :authorization, # used by net_fetcher
           :options, # used by path_fetcher
           :submodules # used by git_fetcher
         ]
diff --git a/spec/unit/fetchers/net_fetcher_spec.rb b/spec/unit/fetchers/net_fetcher_spec.rb
index 8a3d43bd0..d062a4efd 100644
--- a/spec/unit/fetchers/net_fetcher_spec.rb
+++ b/spec/unit/fetchers/net_fetcher_spec.rb
@@ -25,6 +25,34 @@ module Omnibus
 
     subject { described_class.new(manifest_entry, project_dir, build_dir) }
 
+    describe "authorization" do
+      context "when none passed" do
+        it "does not get passed" do
+          expect(subject).to receive(:download_file!) do |url_arg, path_arg, options_arg|
+            expect(options_arg).to_not have_key("Authorization")
+          end
+
+          subject.send(:download)
+        end
+      end
+
+      context "when passed" do
+        let(:auth_header) { "a fake auth header" }
+        let(:source) do
+          { url: "https://get.example.com/file.tar.gz", md5: "abcd1234", authorization: auth_header }
+        end
+
+        it "does get passed" do
+          expect(subject).to receive(:download_file!) do |url_arg, path_arg, options_arg|
+            expect(options_arg).to have_key("Authorization")
+            expect(options_arg["Authorization"]).to eq(auth_header)
+          end
+
+          subject.send(:download)
+        end
+      end
+    end
+
     describe "#fetch_required?" do
       context "when file is not downloaded" do
         before { allow(File).to receive(:exist?).and_return(false) }