From a207b3057e5ac0cf94c287e5a252be14a96d5d56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20P=C3=B6ttker?= <bjoern@poettker-holtrup.de>
Date: Sat, 9 May 2026 09:37:55 +0200
Subject: [PATCH] feat: add support for API keys in Authorization header for
 SSE clients

---
 paperless-backend/src/auth/api-key.guard.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/paperless-backend/src/auth/api-key.guard.ts b/paperless-backend/src/auth/api-key.guard.ts
index 8ce3a24..8bdef25 100644
--- a/paperless-backend/src/auth/api-key.guard.ts
+++ b/paperless-backend/src/auth/api-key.guard.ts
@@ -10,12 +10,20 @@ export class ApiKeyGuard implements CanActivate {
     
     // Check header (X-API-Key)
     let apiKey = request.headers['x-api-key'] || request.headers['X-API-Key'];
-    
+
     // Fallback to query parameter (apiKey)
     if (!apiKey) {
       apiKey = request.query['apiKey'];
     }
 
+    // Fallback to Authorization: Bearer (used by SSE clients that can't set X-API-Key)
+    if (!apiKey) {
+      const auth: string | undefined = request.headers['authorization'];
+      if (auth?.startsWith('Bearer ')) {
+        apiKey = auth.slice(7);
+      }
+    }
+
     if (!apiKey) {
       throw new UnauthorizedException('API Key missing');
     }