bearerToken();

        // No bearer token on the request: reject before reading any configuration.
        // Note that `! $token` is a truthiness test, so an empty string or "0" also lands here.
        // NOTE(review): the message ends in "Bearer " with a trailing space; a placeholder
        // such as a token marker may have been lost from this listing. Confirm against the repository.
        if (! $token) {
            return $this->unauthorized('API token required. Use Authorization: Bearer ');
        }

        // The expected shared secret is read from application configuration.
        $expectedToken = config('services.commerce.api_secret');

        // Fail closed: when the secret is unset or empty the request is refused with a 500,
        // so an unconfigured deployment never compares against an empty value.
        // NOTE(review): this response is sent to unauthenticated callers and tells them the
        // API is unconfigured; confirm that distinction is meant to be visible externally.
        if (! $expectedToken) {
            return response()->json([
                'error' => 'configuration_error',
                'message' => 'Commerce API not configured',
            ], 500);
        }

        // hash_equals() compares in constant time, so response timing does not reveal how many
        // leading bytes of a guessed token were correct. The known secret goes first and the
        // caller-supplied value second, as the function expects.
        // NOTE(review): hash_equals() requires two strings; confirm the configured value is
        // always a string, otherwise a TypeError is raised here instead of a 401.
        if (! hash_equals($expectedToken, $token)) {
            return $this->unauthorized('Invalid API token');
        }

        // Record how the request was authenticated so later code can read it from the
        // request attributes.
        $request->attributes->set('auth_type', 'commerce_api');

        // Token accepted: hand the request to the next handler.
        return $next($request);
    }

    /**
     * Return 401 Unauthorized response.
     *
     * Both rejection paths visible above (missing token, token mismatch) go through this
     * helper, so they share the same status code and body shape and differ only in the message.
     *
     * @param string $message Human-readable reason placed in the `message` field of the body.
     *
     * @return Response JSON body with `error` set to 'unauthorized' and the given message, status 401.
     */
    protected function unauthorized(string $message): Response
    {
        return response()->json([
            'error' => 'unauthorized',
            'message' => $message,
        ], 401);
    }
}