diff --git a/.env.example b/.env.example
index d744df7..39cb44c 100644
--- a/.env.example
+++ b/.env.example
@@ -3,4 +3,5 @@ EMAIL_PASSWORD=my_email_password
 EMAIL=my_email
 MAIL_NAME=my_name
 SMTP_DOMAIN=smtp.gmail.com
-SMTP_PORT=587
\ No newline at end of file
+SMTP_PORT=587
+X_API_KEY=my_x_api_key
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index ef05d47..7ff2ae4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ data
 .env
 .env.local
 private_key.pem
+.errorviz-version
\ No newline at end of file
diff --git a/compose.yaml b/compose.yaml
index b29f5dd..2b40e3c 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -18,6 +18,7 @@ services:
 MAIL_NAME: ${MAIL_NAME}
 SMTP_DOMAIN: ${SMTP_DOMAIN}
 SMTP_PORT: ${SMTP_PORT}
+ X_API_KEY: ${X_API_KEY}
 volumes:
 - ./src:/app/src
diff --git a/src/main.rs b/src/main.rs
index 073ddd7..a2945f2 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,6 +1,7 @@
 use axum::{extract::State, middleware, routing::get, Router};
 use dotenv::dotenv;
 use middlewares::res_log::main_response_mapper;
+use middlewares::with_api_key::with_api_key;
 use mongodb::Client;
 use std::error::Error;
@@ -35,7 +36,8 @@ async fn main() -> Result<(), Box> {
 .merge(routes::user_routes::routes(State(app_state.clone())))
 .merge(routes::password_routes::routes(State(app_state.clone())))
 .merge(routes::session_routes::routes(State(app_state.clone())))
- .layer(middleware::map_response(main_response_mapper));
+ .layer(middleware::map_response(main_response_mapper))
+ .route_layer(middleware::from_fn(with_api_key));
 let app = Router::new().nest("/api", routes);
diff --git a/src/middlewares/mod.rs b/src/middlewares/mod.rs
index 808edb1..e2ed9ba 100644
--- a/src/middlewares/mod.rs
+++ b/src/middlewares/mod.rs
@@ -1 +1,2 @@
-pub mod res_log;
\ No newline at end of file
+pub mod res_log;
+pub mod with_api_key;
\ No newline at end of file
diff --git a/src/middlewares/with_api_key.rs b/src/middlewares/with_api_key.rs
new file mode 100644
index 0000000..5003ab6
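Review bot: In compose.yaml, `X_API_KEY: ${X_API_KEY}` interpolates to an empty string when the variable is missing from the host environment or `.env`, so the container ends up with `X_API_KEY` set but empty. The middleware added in src/middlewares/with_api_key.rs only checks that the variable exists (`expect("X_API_KEY must be set")`) and then compares for equality, so an empty expected key would be matched by an empty `x-api-key` header. Using the required-variable form `X_API_KEY: ${X_API_KEY:?X_API_KEY must be set}` makes Compose refuse to start in that case, and the middleware should also treat an empty expected key as a configuration error.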
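Review bot: In src/main.rs the `.route_layer(middleware::from_fn(with_api_key))` call is added after `.layer(middleware::map_response(main_response_mapper))`, and axum runs later-added layers outermost, so a 401 produced by `with_api_key` is returned without passing through `main_response_mapper`. If that mapper is where responses are logged (its module is `res_log`; its body is not in this diff), rejected requests will not show up there; swapping the two calls, or logging inside the middleware, keeps failed key checks observable. A short comment such as `// API key check runs before every matched route; unmatched paths still return 404 without it` would document the `route_layer` choice. `main` continues outside the hunk.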
--- /dev/null
+++ b/src/middlewares/with_api_key.rs
@@ -0,0 +1,33 @@
+use axum::{
+ body::Body,
+ http::{Request, StatusCode},
+ middleware::Next,
+ response::Response,
+};
+use std::env;
+
+pub async fn with_api_key(req: Request, next: Next) -> Result {
+ println!("Checking for API key...");
+
+ let api_key = req
+ .headers()
+ .get("x-api-key")
+ .and_then(|key| key.to_str().ok());
+
+ let expected_api_key = env::var("X_API_KEY").expect("X_API_KEY must be set");
+
+
+ if let Some(key) = api_key {
+ if key == expected_api_key {
+ return Ok(next.run(req).await);
+ }
+ }
+ // error with message of x-api-key not match
+
+ Ok(Response::builder()
+ .status(StatusCode::UNAUTHORIZED)
+ .body(Body::from("Invalid API key"))
+ .unwrap())
+
+
+}
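Review bot: The check `key == expected_api_key` in `with_api_key` is ordinary string equality, which stops at the first differing byte and so is not constant-time for a secret; compare the bytes with a constant-time primitive instead, for example `bool::from(key.as_bytes().ct_eq(expected_api_key.as_bytes()))` using `subtle::ConstantTimeEq` (a new dependency). The key is also read with `env::var("X_API_KEY").expect(...)` on every request, so a missing variable panics inside request handling rather than failing at startup; reading it once in `main` and passing it in through state moves that failure to boot. The 401 branch emits nothing beyond the unconditional `println!`, so a log line there (without the submitted key value) would make failed attempts visible to whoever monitors the service.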