extractKey($request); if (! $key) { return response()->json([ 'error' => 'Missing API key', 'hint' => 'Provide via Authorization: Bearer or X-API-Key header', ], 401); } $apiKey = ApiKey::findByPlainKey($key); if (! $apiKey) { return response()->json([ 'error' => 'Invalid API key', ], 401); } if ($apiKey->isExpired()) { return response()->json([ 'error' => 'API key has expired', ], 401); } // Check server-level access for tool calls if ($request->is('*/tools/call') && $request->isMethod('POST')) { $serverId = $request->input('server'); if ($serverId && ! $apiKey->hasServerAccess($serverId)) { return response()->json([ 'error' => 'Access denied to server: '.$serverId, 'allowed_servers' => $apiKey->getAllowedServers(), ], 403); } } // Record usage $apiKey->recordUsage(); // Attach to request for controller access $request->attributes->set('api_key', $apiKey); $request->attributes->set('workspace', $apiKey->workspace); return $next($request); } protected function extractKey(Request $request): ?string { // Try Authorization: Bearer $authHeader = $request->header('Authorization'); if ($authHeader && str_starts_with($authHeader, 'Bearer ')) { return substr($authHeader, 7); } // Try X-API-Key $apiKeyHeader = $request->header('X-API-Key'); if ($apiKeyHeader) { return $apiKeyHeader; } return null; } }