diff --git a/jail2ban/__init__.py b/jail2ban/__init__.py
index 3de0a2f..04ea791 100644
--- a/jail2ban/__init__.py
+++ b/jail2ban/__init__.py
@@ -3,14 +3,12 @@ from flask_httpauth import HTTPBasicAuth
 from werkzeug.security import check_password_hash
 from ipaddress import ip_address
 import re
-from pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
+from jail2ban.pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
+from jail2ban.auth import get_users
 auth = HTTPBasicAuth()
-users = {
- "erg.verweg.com": 'pbkdf2:sha256:260000$leXVKkMYNu60eQZR$0893397beb241931d33d2c996e66447a375d3b7923aa32fc4af6b80eec716fbe'
-}
 PAT_PORT = r'^any(?:\s+port\s+{\w+(?:,\w+)*})?$'
 PAT_PROT = r'^(?:tcp|udp)$'
@@ -28,11 +26,19 @@ def untaint(pattern, string):
 raise ValueError(f'"{string}" is tainted')
-def create_app():
+def create_app(config=None):
 app = Flask(__name__, instance_relative_config=True)
+ if config is None:
+ # load the instance config, if it exists, when not testing
+ app.config.from_pyfile('config.py', silent=False)
+ else:
+ # load the test config if passed in
+ app.config.from_pyfile(config, silent=True)
 @auth.verify_password
 def verify_password(username, password):
+ users = get_users()
 if username in users and \
 check_password_hash(users.get(username), password):
 return username
diff --git a/jail2ban/auth.py b/jail2ban/auth.py
new file mode 100644
index 0000000..15f577d
--- /dev/null
+++ b/jail2ban/auth.py
@@ -0,0 +1,14 @@
+from flask import current_app, g
+import os
+def get_users():
+ if 'users' not in g:
+ users = {}
+ authfile = current_app.config['AUTHFILE']
+ with current_app.open_resource(os.path.join(current_app.instance_path,
+ authfile)) as f:
+ for entry in f:
+ users.update({tuple(entry.split(b':', 1))})
+ g.users = users
+ return g.users
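Review bot: Removing the `users` literal takes the committed pbkdf2 hash out of the working tree but not out of the repository history, so the credential for the account it belonged to should be treated as exposed and replaced when the new auth file is populated, not just copied across. The replacement `from jail2ban.auth import get_users` is consistent with the switch to the absolute `jail2ban.pfctl` import on the line above it, which is fine.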
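Review bot: In the `else` branch, `app.config.from_pyfile(config, silent=True)` ignores a missing or mistyped test config without any error, so a test run proceeds on whatever defaults remain (no `AUTHFILE` key, for one, which only surfaces later as a KeyError inside get_users) instead of failing at startup; an explicitly passed path is the one case where a missing file is surely a mistake, so `app.config.from_pyfile(config, silent=False)` is the safer choice, or the comment should state that the file is optional. The new parameter is undocumented; suggest a docstring on `create_app` such as `"""Application factory; `config` is an optional path, relative to the instance folder, to a Python config file loaded instead of config.py."""`. Inside verify_password, `users.get(username)` after the `username in users` test is a second lookup of the same key and could simply be `users[username]`. The body of `create_app` continues past the end of the hunk.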
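Review bot: get_users builds a mapping of bytes to bytes, so the str `username` that verify_password looks up can never match a key, and the hash value keeps its trailing newline: `open_resource` opens in binary mode by default, the entry is split on `b':'`, and nothing is stripped, which means every login fails once the auth file is used. A blank or colon-less line also raises ValueError out of `dict.update`, since the 1-tuple is not a key/value pair. Reading in text mode, stripping, and skipping empty lines fixes both, and `current_app.open_instance_resource(authfile, mode='r')` already resolves against `instance_path`, so the `os.path.join` (and the `os` import) are unnecessary. The `g` cache lasts one application context, so the file is re-read on each request; that is acceptable for a small file but is worth a comment so nobody assumes it is a process-wide cache.
```python
def get_users():
    """Return {username: password_hash} parsed from the instance AUTHFILE,
    one `user:hash` entry per line; cached in g for the current request."""
    if 'users' not in g:
        users = {}
        authfile = current_app.config['AUTHFILE']
        with current_app.open_instance_resource(authfile, mode='r') as f:
            for entry in f:
                entry = entry.strip()
                if not entry or entry.startswith('#'):
                    continue  # tolerate blank lines and comments
                username, _, pwhash = entry.partition(':')
                users[username] = pwhash
        g.users = users
    return g.users
```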