diff --git a/app/api/routers/users.py b/app/api/routers/users.py
index 58906c6..7c9d128 100644
--- a/app/api/routers/users.py
+++ b/app/api/routers/users.py
@@ -39,7 +39,11 @@ def _user_response(user: models.User) -> dict:
 return data


-def require_admin(current_user: models.User = Depends(get_current_user)):
+def require_admin(current_user: models.User = Depends(get_current_user_or_apikey)):
+ # Accept either OAuth2 JWT or X-API-Key (incl. Bearer-as-apikey fallback)
+ # so CLI clients using their provisioned api-key can hit admin-gated user
+ # routes (list / get / update / patch). The admin gate still reads
+ # User.is_admin — only the auth carrier broadens.
 if not current_user.is_admin:
 raise HTTPException(status_code=403, detail="Admin required")
 return current_user
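Review bot: Swapping the dependency in `require_admin` makes every admin-gated user route, including update and patch, reachable with an API key, and nothing in this hunk shows that the key path is as strict as the JWT path. `get_current_user_or_apikey` is defined outside the hunk, so confirm it rejects revoked or expired keys and disabled users, both for the X-API-Key header and for the Bearer fallback. If CLI access is only needed for reads, consider leaving `require_admin` on `get_current_user` and adding a separate `def require_admin_or_apikey(current_user: models.User = Depends(get_current_user_or_apikey)):` for the list/get routes. Recording which credential type authorized each admin action would also make a leaked key easier to spot in logs.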