bearerToken() ?? $request->query('api_key'); if (empty($key)) { return response()->json([ 'error' => 'API key is required. Use Authorization: Bearer or ?api_key=', ], 401); } $apiKey = RadioApiKeyModel::active()->where('key', $key)->first(); if (! $apiKey) { return response()->json([ 'error' => 'API key is invalid or expired', ], 401); } if (! $apiKey->isAllowedIp($request->ip())) { return response()->json([ 'error' => 'IP address not allowed for this API key', ], 403); } if (! $apiKey->hasPermission($permission)) { return response()->json([ 'error' => 'No permission for this action', ], 403); } $apiKey->touchLastUsed(); $request->merge(['radio_api_key_id' => $apiKey->id]); return $next($request); } }