diff --git a/cmd/litestream/main.go b/cmd/litestream/main.go
index 9698bf50..0f803aa4 100644
--- a/cmd/litestream/main.go
+++ b/cmd/litestream/main.go
@@ -169,6 +169,7 @@ type Config struct {
 // Global S3 settings
 AccessKeyID string `yaml:"access-key-id"`
 SecretAccessKey string `yaml:"secret-access-key"`
+ SessionToken string `yaml:"session-token"`
 // Logging
 Logging LoggingConfig `yaml:"logging"`
@@ -191,6 +192,9 @@ func (c *Config) propagateGlobalSettings() {
 if rc.SecretAccessKey == "" {
 rc.SecretAccessKey = c.SecretAccessKey
 }
+ if rc.SessionToken == "" {
+ rc.SessionToken = c.SessionToken
+ }
 }
 }
 }
@@ -347,6 +351,7 @@ type ReplicaConfig struct {
 // S3 settings
 AccessKeyID string `yaml:"access-key-id"`
 SecretAccessKey string `yaml:"secret-access-key"`
+ SessionToken string `yaml:"session-token"`
 Region string `yaml:"region"`
 Bucket string `yaml:"bucket"`
 Endpoint string `yaml:"endpoint"`
@@ -525,6 +530,7 @@ func newS3ReplicaClientFromConfig(c *ReplicaConfig, r *litestream.Replica) (_ *s
 client := s3.NewReplicaClient()
 client.AccessKeyID = c.AccessKeyID
 client.SecretAccessKey = c.SecretAccessKey
+ client.SessionToken = c.SessionToken
 client.Bucket = bucket
 client.Path = path
 client.Region = region
@@ -680,6 +686,11 @@ func applyLitestreamEnv() {
 os.Setenv("AWS_SECRET_ACCESS_KEY", v)
 }
 }
+ if v, ok := os.LookupEnv("LITESTREAM_SESSION_TOKEN"); ok {
+ if _, ok := os.LookupEnv("AWS_SESSION_TOKEN"); !ok {
+ os.Setenv("AWS_SESSION_TOKEN", v)
+ }
+ }
 }
 // ParseReplicaURL parses a replica URL.
diff --git a/s3/replica_client.go b/s3/replica_client.go
index e03b4288..168718fb 100644
--- a/s3/replica_client.go
+++ b/s3/replica_client.go
@@ -44,6 +44,7 @@ type ReplicaClient struct {
 // AWS authentication keys.
 AccessKeyID string
 SecretAccessKey string
+ SessionToken string
 // S3 bucket information
 Region string
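Review bot: The new `SessionToken` field in the `type Config struct` hunk has no comment saying what it is or how it relates to the two keys beside it, and the same is true of the field added to ReplicaConfig and to s3.ReplicaClient. A reader of the config struct cannot tell that the value is only meaningful together with the key pair it was issued with, or that it is a secret on the same level as `SecretAccessKey`. I would add `// SessionToken is the token issued with temporary AccessKeyID/SecretAccessKey credentials; it is a secret and expires with them.` above the field in each struct. The struct definitions start and end outside these hunks.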
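Review bot: The fallback added to propagateGlobalSettings copies the global session token into every replica whose own `session-token` is empty, including a replica that sets its own `access-key-id` and `secret-access-key`. A session token is only accepted with the key pair it was issued with, so such a replica ends up with a mismatched credential triple and its requests are likely to be rejected, and a replica meant to use long-term keys has no way to opt out of the global token. Inherit the token only together with the keys: record `inherit := rc.AccessKeyID == "" && rc.SecretAccessKey == ""` before the key fallbacks, which sit above this hunk, and change the new check to `if inherit && rc.SessionToken == "" {`. The applyLitestreamEnv hunk has the same per-variable shape, exporting `LITESTREAM_SESSION_TOKEN` as `AWS_SESSION_TOKEN` whichever key pair is already in the environment, and deserves the same pairing check.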
@@ -108,7 +109,7 @@ func (c *ReplicaClient) config() *aws.Config {
 config := &aws.Config{}
 if c.AccessKeyID != "" || c.SecretAccessKey != "" {
- config.Credentials = credentials.NewStaticCredentials(c.AccessKeyID, c.SecretAccessKey, "")
+ config.Credentials = credentials.NewStaticCredentials(c.AccessKeyID, c.SecretAccessKey, c.SessionToken)
 }
 if c.Endpoint != "" {
 config.Endpoint = aws.String(c.Endpoint)
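Review bot: The guard in config() still reads `if c.AccessKeyID != "" || c.SecretAccessKey != ""`, so a client that has only `SessionToken` set drops the token silently and falls through to whatever credentials the SDK resolves by default. A token combined with only one half of the key pair is also passed to `NewStaticCredentials` without complaint, which defers the failure to the first request. I would warn on or reject the incomplete combination where the replica config is validated, with a check such as `c.SessionToken != "" && (c.AccessKeyID == "" || c.SecretAccessKey == "")`. It is also worth a comment at this call, `// Static credentials are never refreshed; a session token stops working when its temporary credentials expire.`, since a long-running replication process will begin failing at that point and operators should alert on it. config() starts and continues outside the hunk.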