diff --git a/config/bridge.go b/config/bridge.go
index 8a513e3..7a3ad63 100644
--- a/config/bridge.go
+++ b/config/bridge.go
@@ -66,8 +66,9 @@ type BridgeConfig struct {
 	Encryption bridgeconfig.EncryptionConfig `yaml:"encryption"`
 
 	Provisioning struct {
-		Prefix       string `yaml:"prefix"`
-		SharedSecret string `yaml:"shared_secret"`
+		Prefix         string `yaml:"prefix"`
+		SharedSecret   string `yaml:"shared_secret"`
+		DebugEndpoints bool   `yaml:"debug_endpoints"`
 	} `yaml:"provisioning"`
 
 	Permissions bridgeconfig.PermissionConfig `yaml:"permissions"`
diff --git a/config/upgrade.go b/config/upgrade.go
index 78734da..ecb1e22 100644
--- a/config/upgrade.go
+++ b/config/upgrade.go
@@ -92,6 +92,7 @@ func DoUpgrade(helper *up.Helper) {
 	} else {
 		helper.Copy(up.Str, "bridge", "provisioning", "shared_secret")
 	}
+	helper.Copy(up.Bool, "bridge", "provisioning", "debug_endpoints")
 	helper.Copy(up.Map, "bridge", "permissions")
 }
 
diff --git a/example-config.yaml b/example-config.yaml
index 160cf7a..63b7849 100644
--- a/example-config.yaml
+++ b/example-config.yaml
@@ -276,6 +276,8 @@ bridge:
         # Shared secret for authentication. If set to "generate", a random secret will be generated,
         # or if set to "disable", the provisioning API will be disabled.
         shared_secret: generate
+        # Enable debug API at /debug with provisioning authentication.
+        debug_endpoints: false
 
     # Permissions for using the bridge.
     # Permitted values:
diff --git a/provisioning.go b/provisioning.go
index edd96ea..890b667 100644
--- a/provisioning.go
+++ b/provisioning.go
@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	_ "net/http/pprof"
 	"strings"
 	"time"
 
@@ -59,6 +60,13 @@ func (prov *ProvisioningAPI) Init() {
 	prov.bridge.AS.Router.HandleFunc("/_matrix/app/com.beeper.asmux/ping", prov.BridgeStatePing).Methods(http.MethodPost)
 	prov.bridge.AS.Router.HandleFunc("/_matrix/app/com.beeper.bridge_state", prov.BridgeStatePing).Methods(http.MethodPost)
 
+	if prov.bridge.Config.Bridge.Provisioning.DebugEndpoints {
+		prov.zlog.Debug().Msg("Enabling debug API at /debug")
+		r := prov.bridge.AS.Router.PathPrefix("/debug").Subrouter()
+		r.Use(prov.AuthMiddleware)
+		r.PathPrefix("/pprof").Handler(http.DefaultServeMux)
+	}
+
 	// Deprecated, just use /disconnect
 	r.HandleFunc("/v1/delete_connection", prov.Disconnect).Methods(http.MethodPost)
 }