diff --git a/command/compile.go b/command/compile.go
index 749e828..60ff77c 100644
--- a/command/compile.go
+++ b/command/compile.go
@@ -214,6 +214,9 @@ func registerCompile(app *kingpin.Application) {
 	cmd.Flag("tmate-server-ed25519-fingerprint", "tmate server rsa fingerprint").
 		StringVar(&c.Tmate.ED25519)
 
+	cmd.Flag("tmate-authorized-keys", "tmate authorized keys").
+		StringVar(&c.Tmate.AuthorizedKeys)
+
 	// shared pipeline flags
 	c.Flags = internal.ParseFlags(cmd)
 }
diff --git a/command/daemon/config.go b/command/daemon/config.go
index 8accf3b..ac7012e 100644
--- a/command/daemon/config.go
+++ b/command/daemon/config.go
@@ -108,12 +108,13 @@ type Config struct {
 	}
 
 	Tmate struct {
-		Enabled bool   `envconfig:"DRONE_TMATE_ENABLED" default:"false"`
-		Image   string `envconfig:"DRONE_TMATE_IMAGE"   default:"drone/drone-runner-docker:1"`
-		Server  string `envconfig:"DRONE_TMATE_HOST"`
-		Port    string `envconfig:"DRONE_TMATE_PORT"`
-		RSA     string `envconfig:"DRONE_TMATE_FINGERPRINT_RSA"`
-		ED25519 string `envconfig:"DRONE_TMATE_FINGERPRINT_ED25519"`
+		Enabled        bool   `envconfig:"DRONE_TMATE_ENABLED" default:"false"`
+		Image          string `envconfig:"DRONE_TMATE_IMAGE"   default:"drone/drone-runner-docker:1"`
+		Server         string `envconfig:"DRONE_TMATE_HOST"`
+		Port           string `envconfig:"DRONE_TMATE_PORT"`
+		RSA            string `envconfig:"DRONE_TMATE_FINGERPRINT_RSA"`
+		ED25519        string `envconfig:"DRONE_TMATE_FINGERPRINT_ED25519"`
+		AuthorizedKeys string `envconfig:"DRONE_TMATE_AUTHORIZED_KEYS"`
 	}
 }
 
diff --git a/command/daemon/daemon.go b/command/daemon/daemon.go
index 7d4cade..015f3d2 100644
--- a/command/daemon/daemon.go
+++ b/command/daemon/daemon.go
@@ -142,12 +142,13 @@ func (c *daemonCommand) run(*kingpin.ParseContext) error {
 				ShmSize:    config.Resources.ShmSize,
 			},
 			Tmate: compiler.Tmate{
-				Image:   config.Tmate.Image,
-				Enabled: config.Tmate.Enabled,
-				Server:  config.Tmate.Server,
-				Port:    config.Tmate.Port,
-				RSA:     config.Tmate.RSA,
-				ED25519: config.Tmate.ED25519,
+				Image:          config.Tmate.Image,
+				Enabled:        config.Tmate.Enabled,
+				Server:         config.Tmate.Server,
+				Port:           config.Tmate.Port,
+				RSA:            config.Tmate.RSA,
+				ED25519:        config.Tmate.ED25519,
+				AuthorizedKeys: config.Tmate.AuthorizedKeys,
 			},
 			Environ: provider.Combine(
 				provider.Static(config.Runner.Environ),
diff --git a/command/exec.go b/command/exec.go
index 5927704..c623002 100644
--- a/command/exec.go
+++ b/command/exec.go
@@ -348,6 +348,9 @@ func registerExec(app *kingpin.Application) {
 	cmd.Flag("tmate-server-ed25519-fingerprint", "tmate server rsa fingerprint").
 		StringVar(&c.Tmate.ED25519)
 
+	cmd.Flag("tmate-authorized-keys", "tmate authorized keys").
+		StringVar(&c.Tmate.AuthorizedKeys)
+
 	cmd.Flag("debug", "enable debug logging").
 		BoolVar(&c.Debug)
 
diff --git a/engine/compiler/compiler.go b/engine/compiler/compiler.go
index 63ce176..1a68691 100644
--- a/engine/compiler/compiler.go
+++ b/engine/compiler/compiler.go
@@ -56,12 +56,13 @@ type Resources struct {
 
 // Tmate defines tmate settings.
 type Tmate struct {
-	Image   string
-	Enabled bool
-	Server  string
-	Port    string
-	RSA     string
-	ED25519 string
+	Image          string
+	Enabled        bool
+	Server         string
+	Port           string
+	RSA            string
+	ED25519        string
+	AuthorizedKeys string
 }
 
 // Compiler compiles the Yaml configuration file to an
@@ -247,6 +248,10 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti
 		envs["DRONE_TMATE_PORT"] = c.Tmate.Port
 		envs["DRONE_TMATE_FINGERPRINT_RSA"] = c.Tmate.RSA
 		envs["DRONE_TMATE_FINGERPRINT_ED25519"] = c.Tmate.ED25519
+
+		if c.Tmate.AuthorizedKeys != "" {
+			envs["DRONE_TMATE_AUTHORIZED_KEYS"] = c.Tmate.AuthorizedKeys
+		}
 	}
 
 	// create the .netrc environment variables if not
diff --git a/engine/compiler/shell/shell.go b/engine/compiler/shell/shell.go
index a064a12..0df4389 100644
--- a/engine/compiler/shell/shell.go
+++ b/engine/compiler/shell/shell.go
@@ -63,14 +63,18 @@ remote_debug() {
 	fi
 }
 
-if [ ! -z "${DRONE_TMATE_HOST}" ]; then
-	echo "set -g tmate-server-host $DRONE_TMATE_HOST" >> $HOME/.tmate.conf
-	echo "set -g tmate-server-port $DRONE_TMATE_PORT" >> $HOME/.tmate.conf
-	echo "set -g tmate-server-rsa-fingerprint $DRONE_TMATE_FINGERPRINT_RSA" >> $HOME/.tmate.conf
-	echo "set -g tmate-server-ed25519-fingerprint $DRONE_TMATE_FINGERPRINT_ED25519" >> $HOME/.tmate.conf
-fi
-
 if [ "${DRONE_BUILD_DEBUG}" = "true" ]; then
+	if [ ! -z "${DRONE_TMATE_HOST}" ]; then
+		echo "set -g tmate-server-host $DRONE_TMATE_HOST" >> $HOME/.tmate.conf
+		echo "set -g tmate-server-port $DRONE_TMATE_PORT" >> $HOME/.tmate.conf
+		echo "set -g tmate-server-rsa-fingerprint $DRONE_TMATE_FINGERPRINT_RSA" >> $HOME/.tmate.conf
+		echo "set -g tmate-server-ed25519-fingerprint $DRONE_TMATE_FINGERPRINT_ED25519" >> $HOME/.tmate.conf
+
+		if [ ! -z "${DRONE_TMATE_AUTHORIZED_KEYS}" ]; then
+			echo "$DRONE_TMATE_AUTHORIZED_KEYS" > $HOME/.tmate.authorized_keys
+			echo "set -g tmate-authorized-keys \"$HOME/.tmate.authorized_keys\"" >> $HOME/.tmate.conf
+		fi
+	fi
 	trap remote_debug EXIT
 fi
 `