app/security.py

from fastapi import Header, HTTPException

from .config import settings


def require_api_key(x_api_key: str | None = Header(default=None, alias="X-API-Key")) -> None:
    # If backend_api_key is not set, auth is disabled (useful for local dev)
    if not settings.backend_api_key:
        return

    if not x_api_key or x_api_key != settings.backend_api_key:
        raise HTTPException(status_code=401, detail="Unauthorized")