security: harden session endpoints

- Atomic balance deduction prevents race condition double-spend
- Auth required on close/status endpoints (API key or dashboard session)
- Token sent via Authorization header, not URL query string
- Remove timestamp from token generation (pure CSPRNG UUIDs)
- Rate limit session open (30s/req, burst 3)
- Raise minimum deposit from 1000 to 10000 zatoshis
- Validate refund address format on session open
- Return 503 on session validation failure instead of silent fallthrough
- Purge closed/depleted sessions in periodic data cleanup

Author: Kenbak

scripts/seed_mock_events.sh

@@ -0,0 +1,169 @@
+#!/usr/bin/env bash
+# Seeds mock events, invoices, and tickets into the local DB for UI testing.
+# Usage:  ./scripts/seed_mock_events.sh          (seed)
+#         ./scripts/seed_mock_events.sh --clean   (remove seeded data)
+set -euo pipefail
+
+DB="${1:-cipherpay.db}"
+MERCHANT="a3567834-b9dc-4acb-b379-bd506f976060"
+
+# Deterministic IDs so we can clean up reliably
+PROD_SOLDOUT="mock-prod-soldout"
+PROD_PAST="mock-prod-past"
+PROD_CANCEL="mock-prod-cancel"
+
+EVT_SOLDOUT="mock-evt-soldout"
+EVT_PAST="mock-evt-past"
+EVT_CANCEL="mock-evt-cancel"
+
+PRC_SOLDOUT_GA="mock-prc-soldout-ga"
+PRC_SOLDOUT_VIP="mock-prc-soldout-vip"
+PRC_PAST_GA="mock-prc-past-ga"
+PRC_CANCEL_GA="mock-prc-cancel-ga"
+PRC_CANCEL_VIP="mock-prc-cancel-vip"
+
+ADDR="utest1mockaddress000000000000000000000000000000000000000000000000000000000000000000000000000000"
+RECV="deadbeefcafe0000000000000000000000000000000000000000000000000000000000000000000000000000"
+
+if [ "${1:-}" = "--clean" ]; then
+  echo "Cleaning mock data..."
+  sqlite3 "$DB" <<'SQL'
+DELETE FROM tickets  WHERE id LIKE 'mock-tkt-%';
+DELETE FROM invoices WHERE id LIKE 'mock-inv-%';
+DELETE FROM prices   WHERE id LIKE 'mock-prc-%';
+DELETE FROM events   WHERE id LIKE 'mock-evt-%';
+DELETE FROM products WHERE id LIKE 'mock-prod-%';
+SQL
+  echo "Done."
+  exit 0
+fi
+
+echo "Seeding mock events for merchant $MERCHANT ..."
+
+sqlite3 "$DB" <<SQL
+
+-- ═══════════════════════════════════════════════════════════════
+-- 1. SOLD-OUT EVENT  ─  "Privacy Masterclass" (capacity 3 GA + 2 VIP, all sold)
+-- ═══════════════════════════════════════════════════════════════
+
+INSERT OR REPLACE INTO products (id, merchant_id, slug, name, active)
+VALUES ('$PROD_SOLDOUT', '$MERCHANT', 'privacy-masterclass', 'Privacy Masterclass', 1);
+
+INSERT OR REPLACE INTO events (id, merchant_id, product_id, title, description, event_date, event_location, status)
+VALUES ('$EVT_SOLDOUT', '$MERCHANT', '$PROD_SOLDOUT',
+        'Privacy Masterclass', 'Hands-on workshop covering CoinJoin, zk proofs, and metadata resistance.',
+        '2026-05-15T14:00:00Z', 'Berlin, Germany', 'active');
+
+INSERT OR REPLACE INTO prices (id, product_id, currency, unit_amount, label, max_quantity, active)
+VALUES ('$PRC_SOLDOUT_GA', '$PROD_SOLDOUT', 'EUR', 15.0, 'General Admission', 3, 1);
+
+INSERT OR REPLACE INTO prices (id, product_id, currency, unit_amount, label, max_quantity, active)
+VALUES ('$PRC_SOLDOUT_VIP', '$PROD_SOLDOUT', 'EUR', 40.0, 'VIP', 2, 1);
+
+-- 3 GA confirmed invoices
+INSERT OR REPLACE INTO invoices (id, merchant_id, memo_code, product_id, product_name, price_eur, price_zec, zec_rate_at_creation, payment_address, status, expires_at, diversifier_index, orchard_receiver_hex, price_zatoshis, received_zatoshis, price_id, confirmed_at)
+VALUES
+  ('mock-inv-so-ga1', '$MERCHANT', 'CP-MOCK-SO1', '$PROD_SOLDOUT', 'Privacy Masterclass', 15.0, 0.3, 50.0, '$ADDR', 'confirmed', '2026-04-01T00:00:00Z', 1001, '$RECV', 30000000, 30000000, '$PRC_SOLDOUT_GA', '2026-03-10T10:00:00Z'),
+  ('mock-inv-so-ga2', '$MERCHANT', 'CP-MOCK-SO2', '$PROD_SOLDOUT', 'Privacy Masterclass', 15.0, 0.3, 50.0, '$ADDR', 'confirmed', '2026-04-01T00:00:00Z', 1002, '$RECV', 30000000, 30000000, '$PRC_SOLDOUT_GA', '2026-03-11T10:00:00Z'),
+  ('mock-inv-so-ga3', '$MERCHANT', 'CP-MOCK-SO3', '$PROD_SOLDOUT', 'Privacy Masterclass', 15.0, 0.3, 50.0, '$ADDR', 'confirmed', '2026-04-01T00:00:00Z', 1003, '$RECV', 30000000, 30000000, '$PRC_SOLDOUT_GA', '2026-03-12T10:00:00Z');
+
+-- 2 VIP confirmed invoices
+INSERT OR REPLACE INTO invoices (id, merchant_id, memo_code, product_id, product_name, price_eur, price_zec, zec_rate_at_creation, payment_address, status, expires_at, diversifier_index, orchard_receiver_hex, price_zatoshis, received_zatoshis, price_id, confirmed_at)
+VALUES
+  ('mock-inv-so-vip1', '$MERCHANT', 'CP-MOCK-SO4', '$PROD_SOLDOUT', 'Privacy Masterclass', 40.0, 0.8, 50.0, '$ADDR', 'confirmed', '2026-04-01T00:00:00Z', 1004, '$RECV', 80000000, 80000000, '$PRC_SOLDOUT_VIP', '2026-03-13T10:00:00Z'),
+  ('mock-inv-so-vip2', '$MERCHANT', 'CP-MOCK-SO5', '$PROD_SOLDOUT', 'Privacy Masterclass', 40.0, 0.8, 50.0, '$ADDR', 'confirmed', '2026-04-01T00:00:00Z', 1005, '$RECV', 80000000, 80000000, '$PRC_SOLDOUT_VIP', '2026-03-14T10:00:00Z');
+
+-- Tickets for all 5 sold
+INSERT OR REPLACE INTO tickets (id, invoice_id, product_id, price_id, merchant_id, code, status)
+VALUES
+  ('mock-tkt-so1', 'mock-inv-so-ga1', '$PROD_SOLDOUT', '$PRC_SOLDOUT_GA', '$MERCHANT', 'tkt_mock_so_ga_001', 'valid'),
+  ('mock-tkt-so2', 'mock-inv-so-ga2', '$PROD_SOLDOUT', '$PRC_SOLDOUT_GA', '$MERCHANT', 'tkt_mock_so_ga_002', 'valid'),
+  ('mock-tkt-so3', 'mock-inv-so-ga3', '$PROD_SOLDOUT', '$PRC_SOLDOUT_GA', '$MERCHANT', 'tkt_mock_so_ga_003', 'valid'),
+  ('mock-tkt-so4', 'mock-inv-so-vip1', '$PROD_SOLDOUT', '$PRC_SOLDOUT_VIP', '$MERCHANT', 'tkt_mock_so_vip_001', 'valid'),
+  ('mock-tkt-so5', 'mock-inv-so-vip2', '$PROD_SOLDOUT', '$PRC_SOLDOUT_VIP', '$MERCHANT', 'tkt_mock_so_vip_002', 'used');
+
+
+-- ═══════════════════════════════════════════════════════════════
+-- 2. PAST EVENT  ─  "Zcash Dev Summit 2025" (event date in the past)
+-- ═══════════════════════════════════════════════════════════════
+
+INSERT OR REPLACE INTO products (id, merchant_id, slug, name, active)
+VALUES ('$PROD_PAST', '$MERCHANT', 'zcash-dev-summit-2025', 'Zcash Dev Summit 2025', 0);
+
+INSERT OR REPLACE INTO events (id, merchant_id, product_id, title, description, event_date, event_location, status)
+VALUES ('$EVT_PAST', '$MERCHANT', '$PROD_PAST',
+        'Zcash Dev Summit 2025', 'Annual developer summit. Zebra, librustzcash, wallet SDK deep dives.',
+        '2025-11-20T09:00:00Z', 'Denver, CO', 'past');
+
+INSERT OR REPLACE INTO prices (id, product_id, currency, unit_amount, label, max_quantity, active)
+VALUES ('$PRC_PAST_GA', '$PROD_PAST', 'USD', 50.0, 'General Admission', 30, 0);
+
+-- 8 confirmed invoices (historical attendance)
+INSERT OR REPLACE INTO invoices (id, merchant_id, memo_code, product_id, product_name, price_eur, price_zec, zec_rate_at_creation, payment_address, status, expires_at, diversifier_index, orchard_receiver_hex, price_zatoshis, received_zatoshis, price_id, confirmed_at)
+VALUES
+  ('mock-inv-past1', '$MERCHANT', 'CP-MOCK-P1', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1010, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-15T10:00:00Z'),
+  ('mock-inv-past2', '$MERCHANT', 'CP-MOCK-P2', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1011, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-16T10:00:00Z'),
+  ('mock-inv-past3', '$MERCHANT', 'CP-MOCK-P3', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1012, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-17T10:00:00Z'),
+  ('mock-inv-past4', '$MERCHANT', 'CP-MOCK-P4', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1013, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-18T10:00:00Z'),
+  ('mock-inv-past5', '$MERCHANT', 'CP-MOCK-P5', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1014, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-19T10:00:00Z'),
+  ('mock-inv-past6', '$MERCHANT', 'CP-MOCK-P6', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1015, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-20T10:00:00Z'),
+  ('mock-inv-past7', '$MERCHANT', 'CP-MOCK-P7', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1016, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-21T10:00:00Z'),
+  ('mock-inv-past8', '$MERCHANT', 'CP-MOCK-P8', '$PROD_PAST', 'Zcash Dev Summit 2025', 45.0, 1.0, 45.0, '$ADDR', 'confirmed', '2025-10-01T00:00:00Z', 1017, '$RECV', 100000000, 100000000, '$PRC_PAST_GA', '2025-09-22T10:00:00Z');
+
+-- All 8 tickets used (past event, everyone checked in)
+INSERT OR REPLACE INTO tickets (id, invoice_id, product_id, price_id, merchant_id, code, status, used_at)
+VALUES
+  ('mock-tkt-past1', 'mock-inv-past1', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_001', 'used', '2025-11-20T09:15:00Z'),
+  ('mock-tkt-past2', 'mock-inv-past2', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_002', 'used', '2025-11-20T09:20:00Z'),
+  ('mock-tkt-past3', 'mock-inv-past3', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_003', 'used', '2025-11-20T09:25:00Z'),
+  ('mock-tkt-past4', 'mock-inv-past4', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_004', 'used', '2025-11-20T09:30:00Z'),
+  ('mock-tkt-past5', 'mock-inv-past5', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_005', 'used', '2025-11-20T09:35:00Z'),
+  ('mock-tkt-past6', 'mock-inv-past6', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_006', 'used', '2025-11-20T09:40:00Z'),
+  ('mock-tkt-past7', 'mock-inv-past7', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_007', 'used', '2025-11-20T09:45:00Z'),
+  ('mock-tkt-past8', 'mock-inv-past8', '$PROD_PAST', '$PRC_PAST_GA', '$MERCHANT', 'tkt_mock_past_008', 'used', '2025-11-20T09:50:00Z');
+
+
+-- ═══════════════════════════════════════════════════════════════
+-- 3. CANCELLED EVENT  ─  "Crypto Privacy Workshop" (refund queue scenario)
+-- ═══════════════════════════════════════════════════════════════
+
+INSERT OR REPLACE INTO products (id, merchant_id, slug, name, active)
+VALUES ('$PROD_CANCEL', '$MERCHANT', 'crypto-privacy-workshop', 'Crypto Privacy Workshop', 0);
+
+INSERT OR REPLACE INTO events (id, merchant_id, product_id, title, description, event_date, event_location, status)
+VALUES ('$EVT_CANCEL', '$MERCHANT', '$PROD_CANCEL',
+        'Crypto Privacy Workshop', 'Cancelled due to venue issues.',
+        '2026-06-10T18:00:00Z', 'Lisbon, Portugal', 'cancelled');
+
+INSERT OR REPLACE INTO prices (id, product_id, currency, unit_amount, label, max_quantity, active)
+VALUES ('$PRC_CANCEL_GA', '$PROD_CANCEL', 'EUR', 20.0, 'General Admission', 15, 0);
+
+INSERT OR REPLACE INTO prices (id, product_id, currency, unit_amount, label, max_quantity, active)
+VALUES ('$PRC_CANCEL_VIP', '$PROD_CANCEL', 'EUR', 55.0, 'VIP', 5, 0);
+
+-- 4 confirmed invoices: 2 have refund_address (refund queue), 1 already refunded, 1 without refund address
+INSERT OR REPLACE INTO invoices (id, merchant_id, memo_code, product_id, product_name, price_eur, price_zec, zec_rate_at_creation, payment_address, status, expires_at, diversifier_index, orchard_receiver_hex, price_zatoshis, received_zatoshis, price_id, confirmed_at, refund_address)
+VALUES
+  ('mock-inv-cx-ga1', '$MERCHANT', 'CP-MOCK-CX1', '$PROD_CANCEL', 'Crypto Privacy Workshop', 20.0, 0.4, 50.0, '$ADDR', 'confirmed', '2026-05-01T00:00:00Z', 1020, '$RECV', 40000000, 40000000, '$PRC_CANCEL_GA', '2026-04-10T10:00:00Z', 'u1refund_alice_0000000000000000000000000000000000000000000000000000000000000000000000000000000000'),
+  ('mock-inv-cx-ga2', '$MERCHANT', 'CP-MOCK-CX2', '$PROD_CANCEL', 'Crypto Privacy Workshop', 20.0, 0.4, 50.0, '$ADDR', 'confirmed', '2026-05-01T00:00:00Z', 1021, '$RECV', 40000000, 40000000, '$PRC_CANCEL_GA', '2026-04-11T10:00:00Z', 'u1refund_bob_000000000000000000000000000000000000000000000000000000000000000000000000000000000000'),
+  ('mock-inv-cx-vip1', '$MERCHANT', 'CP-MOCK-CX3', '$PROD_CANCEL', 'Crypto Privacy Workshop', 55.0, 1.1, 50.0, '$ADDR', 'refunded', '2026-05-01T00:00:00Z', 1022, '$RECV', 110000000, 110000000, '$PRC_CANCEL_VIP', '2026-04-12T10:00:00Z', 'u1refund_carol_00000000000000000000000000000000000000000000000000000000000000000000000000000000000'),
+  ('mock-inv-cx-ga3', '$MERCHANT', 'CP-MOCK-CX4', '$PROD_CANCEL', 'Crypto Privacy Workshop', 20.0, 0.4, 50.0, '$ADDR', 'confirmed', '2026-05-01T00:00:00Z', 1023, '$RECV', 40000000, 40000000, '$PRC_CANCEL_GA', '2026-04-13T10:00:00Z', NULL);
+
+-- All tickets voided (event was cancelled)
+INSERT OR REPLACE INTO tickets (id, invoice_id, product_id, price_id, merchant_id, code, status)
+VALUES
+  ('mock-tkt-cx1', 'mock-inv-cx-ga1', '$PROD_CANCEL', '$PRC_CANCEL_GA', '$MERCHANT', 'tkt_mock_cx_001', 'void'),
+  ('mock-tkt-cx2', 'mock-inv-cx-ga2', '$PROD_CANCEL', '$PRC_CANCEL_GA', '$MERCHANT', 'tkt_mock_cx_002', 'void'),
+  ('mock-tkt-cx3', 'mock-inv-cx-vip1', '$PROD_CANCEL', '$PRC_CANCEL_VIP', '$MERCHANT', 'tkt_mock_cx_003', 'void'),
+  ('mock-tkt-cx4', 'mock-inv-cx-ga3', '$PROD_CANCEL', '$PRC_CANCEL_GA', '$MERCHANT', 'tkt_mock_cx_004', 'void');
+
+SQL
+
+echo ""
+echo "Seeded:"
+echo "  3 events  (sold-out, past, cancelled)"
+echo "  5 products/prices"
+echo "  17 invoices"
+echo "  17 tickets"
+echo ""
+echo "To clean up:  ./scripts/seed_mock_events.sh --clean"

src/api/mod.rs

@@ -28,6 +28,12 @@ pub fn configure(cfg: &mut web::ServiceConfig) {
         .finish()
         .expect("Failed to build auth rate limiter");
 
+    let session_rate_limit = GovernorConfigBuilder::default()
+        .seconds_per_request(30)
+        .burst_size(3)
+        .finish()
+        .expect("Failed to build session rate limiter");
+
     cfg.service(
         web::scope("/api")
             .route("/health", web::get().to(health))
@@ -106,10 +112,13 @@ pub fn configure(cfg: &mut web::ServiceConfig) {
             // x402 facilitator
             .route("/x402/verify", web::post().to(x402::verify))
             // Session endpoints (agentic prepaid credit)
-            .route("/sessions/open", web::post().to(sessions::open))
-            .route("/sessions/validate", web::get().to(sessions::validate))
-            .route("/sessions/{id}", web::get().to(sessions::get_status))
-            .route("/sessions/{id}/close", web::post().to(sessions::close))
+            .service(
+                web::scope("/sessions")
+                    .route("/open", web::post().to(sessions::open).wrap(Governor::new(&session_rate_limit)))
+                    .route("/validate", web::get().to(sessions::validate))
+                    .route("/{id}", web::get().to(sessions::get_status))
+                    .route("/{id}/close", web::post().to(sessions::close))
+            )
             // Admin endpoints (protected by ADMIN_KEY)
             .route("/admin/auth", web::post().to(admin::auth_check))
             .route("/admin/stats", web::get().to(admin::stats))

src/api/sessions.rs

@@ -26,6 +26,14 @@ pub async fn open(
         }));
     }
 
+    if let Some(ref addr) = body.refund_address {
+        if !addr.is_empty() {
+            if let Err(e) = crate::validation::validate_zcash_address("refund_address", addr) {
+                return HttpResponse::BadRequest().json(e.to_json());
+            }
+        }
+    }
+
     if crate::sessions::txid_already_used(pool.get_ref(), &body.txid).await {
         return HttpResponse::Conflict().json(serde_json::json!({
             "error": "This transaction has already been used to open a session"
@@ -84,9 +92,9 @@ pub async fn open(
         .map(|o| o.amount_zatoshis as i64)
         .sum();
 
-    if total_zatoshis < 1000 {
+    if total_zatoshis < 10_000 {
         return HttpResponse::BadRequest().json(serde_json::json!({
-            "error": "Deposit too small — minimum 1000 zatoshis (0.00001 ZEC)"
+            "error": "Deposit too small — minimum 10,000 zatoshis (0.0001 ZEC)"
         }));
     }
 
@@ -115,12 +123,51 @@ pub async fn open(
     }
 }
 
+/// Resolve the merchant owning this session, requiring API key or dashboard auth.
+async fn require_session_owner(
+    req: &HttpRequest,
+    pool: &SqlitePool,
+    session_id: &str,
+) -> Result<(), HttpResponse> {
+    let session = crate::sessions::get_session(pool, session_id).await
+        .map_err(|_| HttpResponse::InternalServerError().json(serde_json::json!({"error": "Internal error"})))?
+        .ok_or_else(|| HttpResponse::NotFound().json(serde_json::json!({"error": "Session not found"})))?;
+
+    // Try dashboard session auth
+    if let Some(merchant) = crate::api::auth::resolve_session(req, &web::Data::new(pool.clone())).await {
+        if merchant.id == session.merchant_id {
+            return Ok(());
+        }
+    }
+
+    // Try API key auth
+    if let Some(auth_header) = req.headers().get("Authorization") {
+        if let Ok(auth_str) = auth_header.to_str() {
+            let key = auth_str.strip_prefix("Bearer ").unwrap_or(auth_str).trim();
+            let enc_key = req.app_data::<web::Data<Config>>()
+                .map(|c| c.encryption_key.clone()).unwrap_or_default();
+            if let Ok(Some(merchant)) = crate::merchants::authenticate(pool, key, &enc_key).await {
+                if merchant.id == session.merchant_id {
+                    return Ok(());
+                }
+            }
+        }
+    }
+
+    Err(HttpResponse::Unauthorized().json(serde_json::json!({"error": "Not authorized for this session"})))
+}
+
 pub async fn get_status(
+    req: HttpRequest,
     pool: web::Data<SqlitePool>,
     path: web::Path<String>,
 ) -> HttpResponse {
     let session_id = path.into_inner();
 
+    if let Err(resp) = require_session_owner(&req, pool.get_ref(), &session_id).await {
+        return resp;
+    }
+
     match crate::sessions::get_summary(pool.get_ref(), &session_id).await {
         Ok(Some(summary)) => {
             HttpResponse::Ok().json(serde_json::json!({
@@ -144,11 +191,16 @@ pub async fn get_status(
 }
 
 pub async fn close(
+    req: HttpRequest,
     pool: web::Data<SqlitePool>,
     path: web::Path<String>,
 ) -> HttpResponse {
     let session_id = path.into_inner();
 
+    if let Err(resp) = require_session_owner(&req, pool.get_ref(), &session_id).await {
+        return resp;
+    }
+
     match crate::sessions::close_session(pool.get_ref(), &session_id).await {
         Ok(Some(summary)) => {
             let mut resp = serde_json::json!({
@@ -246,18 +298,26 @@ pub async fn validate(
     req: HttpRequest,
     pool: web::Data<SqlitePool>,
 ) -> HttpResponse {
-    let token = req.query_string()
-        .split('&')
-        .find_map(|pair| {
-            let (k, v) = pair.split_once('=')?;
-            if k == "token" { Some(v.to_string()) } else { None }
+    // Accept token from Authorization: Bearer header (preferred) or query param (legacy)
+    let token = req.headers().get("Authorization")
+        .and_then(|v| v.to_str().ok())
+        .and_then(|s| s.strip_prefix("Bearer "))
+        .map(|s| s.trim().to_string())
+        .filter(|s| s.starts_with("cps_"))
+        .or_else(|| {
+            req.query_string()
+                .split('&')
+                .find_map(|pair| {
+                    let (k, v) = pair.split_once('=')?;
+                    if k == "token" { Some(v.to_string()) } else { None }
+                })
         });
 
     let token = match token {
         Some(t) if !t.is_empty() => t,
         _ => {
             return HttpResponse::BadRequest().json(serde_json::json!({
-                "error": "token query parameter required"
+                "error": "Bearer token required — use Authorization: Bearer header or token query parameter"
             }));
         }
     };