diff --git a/nixos/modules/spending.nix b/nixos/modules/spending.nix
index 238fbe8f939c4ddb0c78b9a34e106dbea8e39921..c6340af16b50c18c2eaaaaa6fcc1a5a08bea87f4 100644
--- a/nixos/modules/spending.nix
+++ b/nixos/modules/spending.nix
@@ -127,6 +127,16 @@ in
             # Want a regex instead? try locations."~ /v\d+/"
             proxyPass = "http://unix:${cfg.unixSocket}";
           };
+          locations."/metrics" = {
+            proxyPass = "http://unix:${cfg.unixSocket}";
+            # Only allow our monitoringvpn subnet
+            extraConfig = ''
+              allow 172.23.23.0/24;
+              allow 127.0.0.1;
+              allow ::1;
+              deny all;
+            '';
+          };
           locations."/" = {
             # Return a 404 error for any paths not specified above.
             extraConfig = ''
diff --git a/nixos/pkgs/zkap-spending-service/repo.json b/nixos/pkgs/zkap-spending-service/repo.json
index 39aeb8404c890e4781ee77f2a93d85d68acee5c3..69f7a30053de661f2c7829384e9496e49077cfd9 100644
--- a/nixos/pkgs/zkap-spending-service/repo.json
+++ b/nixos/pkgs/zkap-spending-service/repo.json
@@ -1,9 +1,9 @@
 {
   "owner": "privatestorage",
   "repo": "zkap-spending-service",
-  "rev": "e0d63b79213d16f2de6629167ea8f1236ba22e14",
+  "rev": "cbf7509f429ffd6e6cf37a73e4ff84a9c5ce1141",
   "branch": "main",
   "domain": "whetstone.privatestorage.io",
-  "outputHash": "30abb0g9xxn4lp493kj5wmz8kj5q2iqvw40m8llqvb3zamx60gd8cy451ii7z15qbrbx9xmjdfw0k4gviij46fkx1s8nbich5c8qx57",
+  "outputHash": "04g7pcykc2525cg3z7wg5834s7vqn82xaqjvf52l6dnxv3mb9xr93kk505dvxcwhgfbqpim5i479s9kqd8gi7q3lq5wn5fq7rf7lkrj",
   "outputHashAlgo": "sha512"
 }
diff --git a/nixos/tests/spending.nix b/nixos/tests/spending.nix
index c970157b9375e0d99e2be8d4f782992163a6c948..ef88b682d3945117494d77655d1d27b0340acd7f 100644
--- a/nixos/tests/spending.nix
+++ b/nixos/tests/spending.nix
@@ -28,5 +28,9 @@
       with subtest("Ensure that the spending service version matches the expected version"):
         output = spending.succeed("${curl} http://localhost/v1/_version")
         assert json.loads(output)["revision"] == "${revision}", "Spending service revision does not match."
+      with subtest("Ensure that the spending service generates metrics"):
+        # TODO: We should pass "-H 'accept: application/openmetrics-text'" here.
+        # See https://github.com/prometheus/prometheus/issues/8932
+        output = spending.succeed("${curl} http://localhost/metrics | ${pkgs.prometheus}/bin/promtool check metrics")
     '';
 }