diff --git a/backend/app/core/mcp_auth.py b/backend/app/core/mcp_auth.py
new file mode 100644
index 0000000..ff01f72
--- /dev/null
+++ b/backend/app/core/mcp_auth.py
@@ -0,0 +1,26 @@
+import json
+from starlette.types import ASGIApp, Receive, Scope, Send
+from app.core.config import settings
+
+
+class MCPAuthMiddleware:
+    def __init__(self, app: ASGIApp) -> None:
+        self.app = app
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        if scope["type"] == "http" and scope.get("path", "").startswith("/mcp"):
+            headers = dict(scope.get("headers", []))
+            auth = headers.get(b"authorization", b"").decode()
+            if auth != f"Bearer {settings.mcp_api_key}":
+                body = json.dumps({"detail": "Unauthorized"}).encode()
+                await send({
+                    "type": "http.response.start",
+                    "status": 401,
+                    "headers": [
+                        (b"content-type", b"application/json"),
+                        (b"content-length", str(len(body)).encode()),
+                    ],
+                })
+                await send({"type": "http.response.body", "body": body})
+                return
+        await self.app(scope, receive, send)