Update app.py

app.py

@@ -1,37 +1,61 @@
 import os
 import requests
-from fastapi import FastAPI, HTTPException
+from fastapi import FastAPI, HTTPException, Header, Depends
 from fastapi.responses import JSONResponse
+from fastapi.security.api_key import APIKeyHeader
 
 # -------------------------------------------------
 # CONFIGURATION
 # -------------------------------------------------
 HUGGINGFACE_BACKEND = os.getenv("SAP_BACKEND_URL", "https://pd03-agentkit.hf.space/purchase-orders")
+AGENTKIT_API_KEY = os.getenv("AGENTKIT_API_KEY", None)
 
 app = FastAPI(
     title="SAP MCP Server",
-    description=(
-        "Minimal MCP-compatible FastAPI server that exposes a tool to fetch SAP "
-        "purchase orders from the Hugging Face backend."
-    ),
-    version="1.0.0",
+    description="MCP-compatible server exposing SAP purchase order API for AgentKit.",
+    version="1.1.0",
 )
 
+# -------------------------------------------------
+# AUTH SETUP
+# -------------------------------------------------
+api_key_header = APIKeyHeader(name="x-agentkit-api-key", auto_error=False)
+
+def verify_api_key(api_key: str = Depends(api_key_header)):
+    """Check for valid API key in request headers."""
+    if AGENTKIT_API_KEY is None:
+        # Running in open mode
+        return True
+    if api_key != AGENTKIT_API_KEY:
+        raise HTTPException(status_code=401, detail="Invalid or missing API key")
+    return True
+
 # -------------------------------------------------
 # MCP Manifest (for AgentKit autodiscovery)
 # -------------------------------------------------
 @app.get("/.well-known/mcp/manifest.json", include_in_schema=False)
 async def get_manifest():
-    """Returns MCP manifest so AgentKit can auto-discover the tool."""
+    """
+    Returns the MCP manifest so AgentKit can auto-discover the tool.
+    Includes auth metadata for API key header usage.
+    """
     manifest = {
         "name": "sap_mcp_server",
         "description": "MCP server exposing a tool for retrieving SAP purchase orders.",
-        "version": "1.0.0",
+        "version": "1.1.0",
+        "auth": {
+            "type": "api_key",
+            "location": "header",
+            "header_name": "x-agentkit-api-key",
+            "description": "Custom header used to authenticate MCP requests."
+        },
         "tools": [
             {
                 "name": "get_purchase_orders",
-                "description": "Fetches the top 50 purchase orders from the SAP Sandbox API "
-                               "via the Hugging Face backend.",
+                "description": (
+                    "Fetches the top 50 purchase orders from the SAP Sandbox API "
+                    "via the Hugging Face backend."
+                ),
                 "input_schema": {"type": "object", "properties": {}},
                 "output_schema": {"type": "object"},
                 "http": {
@@ -43,15 +67,14 @@ async def get_manifest():
     }
     return JSONResponse(content=manifest)
 
-
 # -------------------------------------------------
-# Tool Endpoint
+# TOOL ENDPOINT
 # -------------------------------------------------
 @app.get("/tools/get_purchase_orders", tags=["MCP Tools"])
-async def get_purchase_orders():
+async def get_purchase_orders(auth=Depends(verify_api_key)):
     """
-    Fetch the top 50 SAP purchase orders from your Hugging Face backend.
-    This endpoint is exposed as an MCP tool for AgentKit.
+    Fetch the top 50 SAP purchase orders from the backend.
+    Requires a valid AgentKit API key (if configured).
     """
     try:
         resp = requests.get(HUGGINGFACE_BACKEND, timeout=30)
@@ -60,9 +83,8 @@ async def get_purchase_orders():
     except requests.exceptions.RequestException as e:
         raise HTTPException(status_code=500, detail=f"Failed to call backend: {e}")
 
-
 # -------------------------------------------------
-# Health Route
+# HEALTH CHECK
 # -------------------------------------------------
 @app.get("/health", tags=["System"])
 async def health():