diff --git a/cmd/frostfs-node/config/tree/config_test.go b/cmd/frostfs-node/config/tree/config_test.go
index a39aa4553..898f7e715 100644
--- a/cmd/frostfs-node/config/tree/config_test.go
+++ b/cmd/frostfs-node/config/tree/config_test.go
@@ -7,6 +7,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config"
 	configtest "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/test"
 	treeconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/tree"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/stretchr/testify/require"
 )
 
@@ -21,10 +22,19 @@ func TestTreeSection(t *testing.T) {
 		require.Equal(t, 0, treeSec.ReplicationChannelCapacity())
 		require.Equal(t, 0, treeSec.ReplicationWorkerCount())
 		require.Equal(t, time.Duration(0), treeSec.ReplicationTimeout())
+		require.Equal(t, 0, len(treeSec.AuthorizedKeys()))
 	})
 
 	const path = "../../../../config/example/node"
 
+	var expectedKeys keys.PublicKeys
+	key, err := keys.NewPublicKeyFromString("0397d207ea77909f7d66fa6f36d08daae22ace672be7ea4f53513484dde8a142a0")
+	require.NoError(t, err)
+	expectedKeys = append(expectedKeys, key)
+	key, err = keys.NewPublicKeyFromString("02053819235c20d784132deba10bb3061629e3a5c819a039ef091841d9d35dad56")
+	require.NoError(t, err)
+	expectedKeys = append(expectedKeys, key)
+
 	var fileConfigTest = func(c *config.Config) {
 		treeSec := treeconfig.Tree(c)
 
@@ -34,6 +44,7 @@ func TestTreeSection(t *testing.T) {
 		require.Equal(t, 32, treeSec.ReplicationWorkerCount())
 		require.Equal(t, 5*time.Second, treeSec.ReplicationTimeout())
 		require.Equal(t, time.Hour, treeSec.SyncInterval())
+		require.Equal(t, expectedKeys, treeSec.AuthorizedKeys())
 	}
 
 	configtest.ForEachFileType(path, fileConfigTest)
diff --git a/config/example/node.env b/config/example/node.env
index 143bf0388..089021767 100644
--- a/config/example/node.env
+++ b/config/example/node.env
@@ -36,6 +36,7 @@ FROSTFS_TREE_REPLICATION_CHANNEL_CAPACITY=32
 FROSTFS_TREE_REPLICATION_WORKER_COUNT=32
 FROSTFS_TREE_REPLICATION_TIMEOUT=5s
 FROSTFS_TREE_SYNC_INTERVAL=1h
+FROSTFS_TREE_AUTHORIZED_KEYS="0397d207ea77909f7d66fa6f36d08daae22ace672be7ea4f53513484dde8a142a0 02053819235c20d784132deba10bb3061629e3a5c819a039ef091841d9d35dad56"
 
 # gRPC section
 ## 0 server
diff --git a/config/example/node.json b/config/example/node.json
index 04aabdd42..e4b85bc81 100644
--- a/config/example/node.json
+++ b/config/example/node.json
@@ -75,7 +75,11 @@
     "replication_channel_capacity": 32,
     "replication_worker_count": 32,
     "replication_timeout": "5s",
-    "sync_interval": "1h"
+    "sync_interval": "1h",
+    "authorized_keys": [
+      "0397d207ea77909f7d66fa6f36d08daae22ace672be7ea4f53513484dde8a142a0",
+      "02053819235c20d784132deba10bb3061629e3a5c819a039ef091841d9d35dad56"
+    ]
   },
   "control": {
     "authorized_keys": [
diff --git a/config/example/node.yaml b/config/example/node.yaml
index bc665a688..897f4e15b 100644
--- a/config/example/node.yaml
+++ b/config/example/node.yaml
@@ -62,6 +62,9 @@ tree:
   replication_channel_capacity: 32
   replication_timeout: 5s
   sync_interval: 1h
+  authorized_keys:  # list of hex-encoded public keys that have rights to use the Tree Service with frostfs-cli
+    - 0397d207ea77909f7d66fa6f36d08daae22ace672be7ea4f53513484dde8a142a0
+    - 02053819235c20d784132deba10bb3061629e3a5c819a039ef091841d9d35dad56
 
 control:
   authorized_keys:  # list of hex-encoded public keys that have rights to use the Control Service