diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2eea525
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
\ No newline at end of file
diff --git a/go.mod b/go.mod
index f79ed81..0b09e9f 100644
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,8 @@ toolchain go1.24.10
 
 require (
 	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/joho/godotenv v1.5.1 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
diff --git a/go.sum b/go.sum
index 485eee9..6166e7c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,9 @@
 github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
 golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
diff --git a/main.go b/main.go
index 9173001..48aa16c 100644
--- a/main.go
+++ b/main.go
@@ -3,18 +3,34 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"os"
 	"strings"
 	"sync"
 	"time"
 
 	pb "forth.rd/tbm-gateway/registry"
 	"github.com/go-chi/chi/v5"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/joho/godotenv"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// var jwtSecret = []byte(os.Getenv("JWT_SECRET"))
+// var apiKey = os.Getenv("API_KEY")
+
+var (
+	jwtSecret      string
+	apiKey         string
+	registrySecret string
+	devMode        bool
 )
 
 type Instance struct {
@@ -100,6 +116,11 @@ type registryServer struct {
 }
 
 func (s *registryServer) Register(ctx context.Context, info *pb.ServiceInfo) (*pb.RegisterResponse, error) {
+
+	if info.Token != registrySecret {
+		return nil, status.Error(codes.PermissionDenied, "invalid token")
+	}
+
 	s.r.Register(info.Name, info.Url)
 	return &pb.RegisterResponse{Ok: true}, nil
 }
@@ -139,7 +160,61 @@ func startGRPCServer(reg *Registry) {
 	go s.Serve(lis)
 }
 
+func verifyJWT(tokenString string) error {
+	token, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return jwtSecret, nil
+	})
+	if err != nil || !token.Valid {
+		return fmt.Errorf("invalid token")
+	}
+	return nil
+}
+
+func authMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.URL.Path, "/healthz") || strings.HasPrefix(r.URL.Path, "/__registry") {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		authHeader := r.Header.Get("Authorization")
+		if strings.HasPrefix(authHeader, "Bearer ") {
+			token := strings.TrimPrefix(authHeader, "Bearer ")
+			if err := verifyJWT(token); err == nil {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
+
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+	})
+}
+
 func main() {
+	godotenv.Load()
+	jwtSecret = os.Getenv("JWT_SECRET")
+	apiKey = os.Getenv("API_KEY")
+
+	if jwtSecret == "" || apiKey == "" {
+		fmt.Errorf("env value not ok")
+		os.Exit(1)
+	}
+
+	registrySecret = os.Getenv("REGISTRY_SECRET")
+	if registrySecret == "" {
+		devMode = true
+	} else {
+		devMode = false
+	}
+
 	reg := NewRegistry()
 	startGRPCServer(reg)
 
@@ -161,6 +236,9 @@ func main() {
 	}()
 
 	r := chi.NewRouter()
+
+	r.Use(authMiddleware)
+
 	r.Get("/healthz", func(w http.ResponseWriter, _ *http.Request) {
 		w.Write([]byte("gateway ok"))
 	})
diff --git a/registry/registry.pb.go b/registry/registry.pb.go
index 2ed72df..8f7164b 100644
--- a/registry/registry.pb.go
+++ b/registry/registry.pb.go
@@ -62,6 +62,7 @@ type ServiceInfo struct {
 	Name          string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	Url           string                 `protobuf:"bytes,2,opt,name=url,proto3" json:"url,omitempty"`
 	Healthz       string                 `protobuf:"bytes,3,opt,name=healthz,proto3" json:"healthz,omitempty"`
+	Token         string                 `protobuf:"bytes,4,opt,name=token,proto3" json:"token,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -117,6 +118,13 @@ func (x *ServiceInfo) GetHealthz() string {
 	return ""
 }
 
+func (x *ServiceInfo) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
 type ServiceHeartbeat struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Name          string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
@@ -402,11 +410,12 @@ var File_registry_proto protoreflect.FileDescriptor
 const file_registry_proto_rawDesc = "" +
 	"\n" +
 	"\x0eregistry.proto\x12\bregistry\"\a\n" +
-	"\x05Empty\"M\n" +
+	"\x05Empty\"c\n" +
 	"\vServiceInfo\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x10\n" +
 	"\x03url\x18\x02 \x01(\tR\x03url\x12\x18\n" +
-	"\ahealthz\x18\x03 \x01(\tR\ahealthz\"8\n" +
+	"\ahealthz\x18\x03 \x01(\tR\ahealthz\x12\x14\n" +
+	"\x05token\x18\x04 \x01(\tR\x05token\"8\n" +
 	"\x10ServiceHeartbeat\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x10\n" +
 	"\x03url\x18\x02 \x01(\tR\x03url\"1\n" +