diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 8e03e7c..41e7687 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -163,6 +163,7 @@ in
 proxyPass = "http://192.168.0.23:8002/";
 proxyWebsockets = true;
 extraConfig = ''
+ include ${config.sops.templates."nginx-mcp-auth.conf".path};
 proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 '';
diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix
index 3572a8b..43b75f6 100644
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@@ -26,6 +26,16 @@
 owner = "nginx";
 };
 
+ # MCP endpoint auth — validates X-API-Key header
+ sops.templates."nginx-mcp-auth.conf" = {
+ content = ''
+ if ($http_x_api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {
+ return 401 '{"error": "Unauthorized"}';
+ }
+ '';
+ owner = "nginx";
+ };
+
 modules.system = {
 nginx = {
 enable = true;
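Review bot: The added `include` makes access to this location depend on a template defined in a different file, and nothing at the call site records that it contains an `if`/`return`, which nginx evaluates in the rewrite phase so that rejected requests never reach `proxyPass` regardless of where the line sits among the `proxy_*` directives. A one-line comment would make that visible to the next reader: `# X-API-Key gate (sops template "nginx-mcp-auth.conf" in system.nix); a 401 here stops the request before the upstream`. Any sibling locations in the same server block are not covered by this include; they are outside the hunk, so I cannot tell whether they are meant to be. The enclosing location block starts before this hunk.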
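Review bot: The secret is interpolated unescaped into an nginx double-quoted string on the `if` line, so a key value containing `"`, `\` or `$` would either break the config at reload or, for `$`, be expanded as an nginx variable and silently change what is compared. Constraining LLAMA_API_KEY to a hex or base64url-style alphabet when it is generated (or checking that where the template is built) avoids this without touching the directive; a comment stating the assumption would help either way, e.g. `# key must be [A-Za-z0-9_-] only: it is embedded verbatim in a quoted nginx string`. Two smaller points: the `return 401` carries no `WWW-Authenticate` header, and the JSON body is sent with the location's `default_type`, so if clients are expected to parse it, set `default_type application/json;` in the location's extraConfig rather than inside the `if`. The `!=` is an ordinary string compare rather than a constant-time one; for a static key behind TLS that is commonly accepted, but it is worth noting in the comment.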