diff --git a/router/router.py b/router/router.py
index e0a1b1d..e600365 100644
--- a/router/router.py
+++ b/router/router.py
@@ -248,7 +248,10 @@ def chat():
 try:
 rd = request.get_json(force=True)
 ak = request.headers.get("Authorization","").replace("Bearer ","")
- ki = API_KEYS.get(ak, {"tier":"starter","agent":"unknown"})
+ if not ak or ak not in API_KEYS:
+ log.warning("AUTH_REJECTED: no/invalid API key from %s", request.remote_addr)
+ return jsonify({"error": "Unauthorized — valid API key required"}), 401
+ ki = API_KEYS[ak]
 tier, agent = ki["tier"], ki["agent"]
 # Allow agent to override queue timeout via header
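Review bot: The new key check still runs after `rd = request.get_json(force=True)`, so an unauthenticated caller gets its body parsed before the 401 is decided, and any parse error is handled by the enclosing `try`, whose `except` is outside this hunk. Reading the header and rejecting first would keep unauthenticated input away from the parser. The unchanged `.replace("Bearer ","")` strips that substring anywhere in the header and also accepts a bare key with no scheme; `hdr = request.headers.get("Authorization", "")` followed by `ak = hdr[7:] if hdr.startswith("Bearer ") else ""` would be stricter. If the app sits behind a reverse proxy, `request.remote_addr` in the `AUTH_REJECTED` line will be the proxy's address, which limits the log's value for detecting key guessing, so that is worth confirming against the deployment. `chat()` begins and ends outside the hunk.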