diff --git a/apps/agents/src/app/main.py b/apps/agents/src/app/main.py
index cd784367..86cf9201 100644
--- a/apps/agents/src/app/main.py
+++ b/apps/agents/src/app/main.py
@@ -27,7 +27,8 @@ def require_api_key(f):
             return jsonify({'error': 'Missing or invalid authorization header'}), 401
 
         token = auth_header.split('Bearer ')[1]
-        if token != os.environ.get('API_KEY', 'test'):
+        actual = os.environ.get('API_KEY', '').strip()
+        if actual and token != actual:
             return jsonify({'error': 'Invalid API key'}), 403
 
         return f(*args, **kwargs)
diff --git a/apps/copilot/app.py b/apps/copilot/app.py
index 5be23c48..3da6384f 100644
--- a/apps/copilot/app.py
+++ b/apps/copilot/app.py
@@ -34,7 +34,8 @@ def require_api_key(f):
             return jsonify({'error': 'Missing or invalid authorization header'}), 401
 
         token = auth_header.split('Bearer ')[1]
-        if token != os.environ.get('API_KEY', 'test'):
+        actual = os.environ.get('API_KEY', '').strip()
+        if actual and token != actual:
             return jsonify({'error': 'Invalid API key'}), 403
 
         return f(*args, **kwargs)