From 46dda918dedef77d8e6145f15871b0f0626d54f8 Mon Sep 17 00:00:00 2001
From: Abiba
Date: Tue, 19 May 2026 19:13:52 +0000
Subject: [PATCH] security: reject requests without valid API key (401 instead of defaulting to starter)

---
 router/router.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/router/router.py b/router/router.py
index e0a1b1d..e600365 100644
--- a/router/router.py
+++ b/router/router.py
@@ -248,7 +248,10 @@ def chat():
     try:
         rd = request.get_json(force=True)
         ak = request.headers.get("Authorization","").replace("Bearer ","")
-        ki = API_KEYS.get(ak, {"tier":"starter","agent":"unknown"})
+        if not ak or ak not in API_KEYS:
+            log.warning("AUTH_REJECTED: no/invalid API key from %s", request.remote_addr)
+            return jsonify({"error": "Unauthorized — valid API key required"}), 401
+        ki = API_KEYS[ak]
         tier, agent = ki["tier"], ki["agent"]
 
         # Allow agent to override queue timeout via header
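Review bot: The new 401 response carries no `WWW-Authenticate` header, which RFC 6750 expects on a bearer-token rejection; Flask accepts a headers mapping as the third tuple element, so the line could read `return jsonify({"error": "Unauthorized — valid API key required"}), 401, {"WWW-Authenticate": "Bearer"}`. The membership test and the `API_KEYS[ak]` indexing on the following line look the key up twice; `ki = API_KEYS.get(ak)` followed by `if ki is None:` does it once and makes the `not ak` clause redundant unless an empty string could ever be a key in `API_KEYS`. `request.remote_addr` in the warning is the immediate peer, so behind a reverse proxy it will presumably record the proxy's address unless ProxyFix or an equivalent is configured — worth confirming before the AUTH_REJECTED log is relied on for detection. The guard also inherits the lax parsing on the context line above, where `replace("Bearer ","")` strips the scheme from anywhere in the header and accepts a bare token with no scheme at all; `removeprefix("Bearer ")` would be stricter. `chat()` begins before the hunk and its body (including the surrounding `try`) continues past it.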