# API Key Authentication

## Overview
All `/api/face/*` routes require API key authentication via the `X-API-KEY` header.

## Middleware
**Class:** `App\Http\Middleware\AuthenticateApiKey`  
**Alias:** `api.key`

## Authentication Flow
1. Extract `X-API-KEY` header from request
2. Validate against `clients` table
3. Check `is_active = true`
4. Reject with 401 if invalid or revoked
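
A middleware that implements the four steps above could look like the following. This is an added example, not the project's actual `AuthenticateApiKey` source; the `api_key_hash` column (a SHA-256 hex digest of the issued key) and the use of the `DB` facade instead of an Eloquent model are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Symfony\Component\HttpFoundation\Response;

class AuthenticateApiKey
{
    public function handle(Request $request, Closure $next): Response
    {
        // Step 1: extract the X-API-KEY header.
        $key = $request->header('X-API-KEY');

        if (! is_string($key) || $key === '') {
            return response()->json(['error' => 'API key required'], 401);
        }

        // Step 2: validate against the clients table.
        // Assumption: the table stores only a SHA-256 digest of each key in a
        // hypothetical `api_key_hash` column, so a database leak does not
        // expose usable keys and the lookup never compares raw secrets.
        $client = DB::table('clients')
            ->where('api_key_hash', hash('sha256', $key))
            ->first();

        // Steps 3 and 4: unknown and revoked keys get the same 401 body,
        // so a caller cannot tell whether a key ever existed.
        if ($client === null || ! $client->is_active) {
            return response()->json(['error' => 'Invalid API key'], 401);
        }

        // Attach the client as a request attribute. $request->get('client')
        // reads attributes first, and request input cannot populate them.
        $request->attributes->set('client', $client);

        return $next($request);
    }
}
```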

## Usage

### Protected Routes
```php
// All routes under /api/face/* are protected
Route::prefix('face')->middleware('api.key')->group(function () {
    Route::get('verify', ...);
    Route::post('recognize', ...);
});
```

### Request Example
```bash
curl http://localhost:8000/api/face/verify \
  -H "X-API-KEY: face_vsPYSuwIQ7iDvZHCK60cB9Ui5tbw1NPwpk2zhnoW"
```

### Success Response (200)
```json
{
  "message": "API key valid",
  "client": "Test Client"
}
```

### Error Responses (401)

**Missing API Key:**
```json
{
  "error": "API key required"
}
```

**Invalid or Revoked Key:**
```json
{
  "error": "Invalid API key"
}
```

## Testing Scenarios

### ✅ Valid Active Key
```bash
curl http://localhost:8000/api/face/verify \
  -H "X-API-KEY: face_vsPYSuwIQ7iDvZHCK60cB9Ui5tbw1NPwpk2zhnoW"
# Response: 200 OK
```

### ❌ No API Key
```bash
curl http://localhost:8000/api/face/verify
# Response: 401 Unauthorized - "API key required"
```

### ❌ Invalid Key
```bash
curl http://localhost:8000/api/face/verify \
  -H "X-API-KEY: invalid_key"
# Response: 401 Unauthorized - "Invalid API key"
```

### ❌ Revoked Key (is_active = false)
```bash
curl http://localhost:8000/api/face/verify \
  -H "X-API-KEY: face_revoked_key"
# Response: 401 Unauthorized - "Invalid API key"
```

## Accessing Client in Controller
```php
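use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('api.key')->get('face/data', function (Request $request) {
    // Client record attached to the request by the api.key middleware
    $client = $request->get('client');

    return response()->json([
        'client_id' => $client->id,
        'client_name' => $client->name,
    ]);
});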
```
