diff --git a/no-reply-api/server.mjs b/no-reply-api/server.mjs
index 4e999fc..f56a1dd 100644
--- a/no-reply-api/server.mjs
+++ b/no-reply-api/server.mjs
@@ -2,12 +2,19 @@ import http from "node:http";
 
 const port = Number(process.env.PORT || 8787);
 const modelName = process.env.NO_REPLY_MODEL || "whispergate-no-reply-v1";
+const authToken = process.env.AUTH_TOKEN || "";
 
 function sendJson(res, status, payload) {
   res.writeHead(status, { "Content-Type": "application/json; charset=utf-8" });
   res.end(JSON.stringify(payload));
 }
 
+function isAuthorized(req) {
+  if (!authToken) return true;
+  const header = req.headers.authorization || "";
+  return header === `Bearer ${authToken}`;
+}
+
 function noReplyChatCompletion(reqBody) {
   return {
     id: `chatcmpl_whispergate_${Date.now()}`,
@@ -42,15 +49,38 @@ function noReplyResponses(reqBody) {
   };
 }
 
+function listModels() {
+  return {
+    object: "list",
+    data: [
+      {
+        id: modelName,
+        object: "model",
+        created: Math.floor(Date.now() / 1000),
+        owned_by: "whispergate"
+      }
+    ]
+  };
+}
+
 const server = http.createServer((req, res) => {
   if (req.method === "GET" && req.url === "/health") {
-    return sendJson(res, 200, { ok: true, service: "whispergate-no-reply-api" });
+    return sendJson(res, 200, { ok: true, service: "whispergate-no-reply-api", model: modelName });
+  }
+
+  if (req.method === "GET" && req.url === "/v1/models") {
+    if (!isAuthorized(req)) return sendJson(res, 401, { error: "unauthorized" });
+    return sendJson(res, 200, listModels());
   }
 
   if (req.method !== "POST") {
     return sendJson(res, 404, { error: "not_found" });
   }
 
+  if (!isAuthorized(req)) {
+    return sendJson(res, 401, { error: "unauthorized" });
+  }
+
   let body = "";
   req.on("data", (chunk) => {
     body += chunk;