From 62dd4411940965d32750116bb027cbe72a89f6aa Mon Sep 17 00:00:00 2001
From: nav <nav@mgr.hangman-lab.top>
Date: Wed, 13 May 2026 08:17:50 +0000
Subject: [PATCH] chore(guild): require CENTER_API_KEY when introspecting
 center

---
 .env.example              | 1 +
 src/common/center-auth.ts | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index 5cfdc17..9288d56 100644
--- a/.env.example
+++ b/.env.example
@@ -18,3 +18,4 @@ GUILD_PUBLIC_ENDPOINT=http://localhost:7002
 # Center handshake
 CENTER_BASE_URL=http://backend-center:7001
 CENTER_SHARED_SECRET=change-me-center-secret
+CENTER_API_KEY=
diff --git a/src/common/center-auth.ts b/src/common/center-auth.ts
index fdb3a9d..ecfd3bf 100644
--- a/src/common/center-auth.ts
+++ b/src/common/center-auth.ts
@@ -2,8 +2,9 @@ export async function introspectGuildToken(token: string): Promise<{ active: boo
   const centerBaseUrl = process.env.CENTER_BASE_URL;
   const sharedSecret = process.env.CENTER_SHARED_SECRET;
   const guildNodeId = process.env.GUILD_NODE_ID;
+  const centerApiKey = process.env.CENTER_API_KEY;
 
-  if (!centerBaseUrl || !sharedSecret || !guildNodeId) {
+  if (!centerBaseUrl || !sharedSecret || !guildNodeId || !centerApiKey) {
     return { active: false };
   }
 
@@ -12,6 +13,7 @@ export async function introspectGuildToken(token: string): Promise<{ active: boo
     headers: {
       'content-type': 'application/json',
       'x-center-shared-secret': sharedSecret,
+      'x-api-key': centerApiKey,
     },
     body: JSON.stringify({ token, guildNodeId }),
   });
@@ -25,4 +27,3 @@ export async function introspectGuildToken(token: string): Promise<{ active: boo
     user: data.user,
   };
 }
-