diff --git a/backend/secuscan/auth.py b/backend/secuscan/auth.py
new file mode 100644
index 00000000..0cf70bb7
--- /dev/null
+++ b/backend/secuscan/auth.py
@@ -0,0 +1,79 @@
+"""
+API key authentication for SecuScan backend.
+
+A random key is generated at startup and written to <data_dir>/.api_key.
+Clients must supply it via:
+  - Authorization: Bearer <key>
+  - X-Api-Key: <key>
+"""
+
+import os
+import secrets
+from pathlib import Path
+
+from fastapi import Depends, HTTPException, Security, status
+from fastapi.security import APIKeyHeader, HTTPAuthorizationCredentials, HTTPBearer
+
+_bearer_scheme = HTTPBearer(auto_error=False)
+_api_key_header = APIKeyHeader(name="X-Api-Key", auto_error=False)
+
+_api_key: str | None = None
+
+
+def init_api_key(data_dir: str) -> str:
+    """
+    Load the persisted API key, or generate and persist a new one.
+
+    Called once during application startup; the returned key is also stored in
+    the module-level ``_api_key`` variable so the FastAPI dependency can reach it.
+    """
+    global _api_key
+    # Allow operators to redirect the key file via env var (e.g. Docker secrets).
+    custom_path = os.environ.get("SECUSCAN_API_KEY_FILE", "").strip()
+    key_file = Path(custom_path) if custom_path else Path(data_dir) / ".api_key"
+    if key_file.exists():
+        _api_key = key_file.read_text().strip()
+    else:
+        _api_key = secrets.token_hex(32)
+        key_file.parent.mkdir(parents=True, exist_ok=True)
+        key_file.write_text(_api_key)
+        key_file.chmod(0o600)
+    return _api_key
+
+
+async def require_api_key(
+    bearer: HTTPAuthorizationCredentials | None = Depends(_bearer_scheme),
+    x_api_key: str | None = Security(_api_key_header),
+) -> str:
+    """
+    FastAPI dependency — rejects requests that do not carry the correct API key.
+
+    Accepts the key in either:
+    - ``Authorization: Bearer <key>``
+    - ``X-Api-Key: <key>``
+    """
+    if _api_key is None:
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Authentication service not initialised",
+        )
+
+    candidate: str | None = None
+    if bearer is not None:
+        candidate = bearer.credentials
+    elif x_api_key is not None:
+        candidate = x_api_key
+
+    if candidate is None or not secrets.compare_digest(candidate, _api_key):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or missing API key",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    return candidate
+
+
+def get_api_key() -> str | None:
+    """Return the current API key, or None if not yet initialised."""
+    return _api_key
diff --git a/backend/secuscan/main.py b/backend/secuscan/main.py
index c579b47c..36e3208c 100644
--- a/backend/secuscan/main.py
+++ b/backend/secuscan/main.py
@@ -14,6 +14,7 @@
 from fastapi.staticfiles import StaticFiles
 
 from .config import settings
+from .auth import init_api_key
 from .cache import init_cache, cache as global_cache
 from .database import init_db, db as global_db
 from .plugins import init_plugins
@@ -51,6 +52,10 @@ async def lifespan(app: FastAPI):
     # Ensure directories exist
     settings.ensure_directories()
     logger.info("✓ Directories initialized")
+
+    # Initialize API key authentication
+    api_key = init_api_key(settings.data_dir)
+    logger.info("✓ API key authentication ready (key file: %s/.api_key)", settings.data_dir)
     
     # Initialize database
     await init_db(settings.database_path)
@@ -128,6 +133,7 @@ async def redirect_api_openapi():
 app.include_router(router)
 app.include_router(saved_views_router)
 
+
 # Health check endpoint
 @app.get("/api/v1/health")
 async def health_check():
diff --git a/backend/secuscan/routes.py b/backend/secuscan/routes.py
index 7e536707..1fba3ee2 100644
--- a/backend/secuscan/routes.py
+++ b/backend/secuscan/routes.py
@@ -55,6 +55,11 @@ def _serialize_workflow(row: Dict[str, Any], queued_task_ids: Optional[List[str]
 
 
 def is_filesystem_target(target: str) -> bool:
+    """Best-effort detection for path-based targets that should bypass host validation."""
+    # Absolute or relative filesystem roots only — not CIDR notation (e.g. 8.8.8.8/32)
+    if target.startswith(("/", "./", "../", "~/")):
+        return True
+    # Windows drive paths (C:\ or C:/)
     """
     Return True only for genuine local filesystem paths.
 
@@ -121,10 +126,11 @@ def build_report_filename(task: Dict[str, Any], extension: str) -> str:
 from .reporting import reporting
 from .vault import VaultCrypto
 from .workflows import scheduler
+from .auth import require_api_key
 
 from sse_starlette.sse import EventSourceResponse
 
-router = APIRouter(prefix="/api/v1")
+router = APIRouter(prefix="/api/v1", dependencies=[Depends(require_api_key)])
 SSE_RAW_OUTPUT_CHUNK_SIZE = 64 * 1024
 
 _EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
diff --git a/docs/api-authentication.md b/docs/api-authentication.md
new file mode 100644
index 00000000..75167b9b
--- /dev/null
+++ b/docs/api-authentication.md
@@ -0,0 +1,84 @@
+# API Authentication
+
+All `/api/v1/*` routes require a valid API key. The only unauthenticated endpoints
+are `/` (API info) and `/api/v1/health` (health checks).
+
+## How the key is generated
+
+On first startup the backend generates a cryptographically random 64-character hex key,
+writes it to `<data_dir>/.api_key` (mode `0600`), and prints it to the console:
+
+```
+✓ API key authentication ready (key file: backend/data/.api_key)
+```
+
+On every subsequent start the same key is loaded from the file.
+
+To rotate the key, delete the file and restart the backend:
+
+```bash
+rm backend/data/.api_key
+python -m secuscan   # a new key is generated on startup
+```
+
+## Frontend / UI
+
+The web UI does **not** fetch the key from the backend. You must configure it
+manually once after starting the backend:
+
+1. Read the key from the key file:
+   ```bash
+   cat backend/data/.api_key
+   ```
+2. Open the SecuScan UI → **Settings** → **API Key** section.
+3. Paste the key into the **Backend API Key** field and click **Save**.
+
+The key is stored in the browser's `localStorage` under `secuscan_api_key` and
+sent automatically on every subsequent API request via the `X-Api-Key` header.
+No server-side session or cookie is involved — only the operator's browser retains
+the key.
+
+## External / scripted access
+
+Read the key from the file and pass it in either of two header formats:
+
+```bash
+API_KEY=$(cat backend/data/.api_key)
+
+# Option A — X-Api-Key header
+curl -H "X-Api-Key: $API_KEY" http://localhost:8000/api/v1/plugins
+
+# Option B — Bearer token
+curl -H "Authorization: Bearer $API_KEY" http://localhost:8000/api/v1/plugins
+```
+
+## Environment variable override
+
+Set `SECUSCAN_API_KEY_FILE` to point to a different key file path if you need to
+store the key outside the default data directory:
+
+```bash
+export SECUSCAN_API_KEY_FILE=/run/secrets/secuscan_api_key
+python -m secuscan
+```
+
+## Unauthenticated endpoints
+
+| Path | Reason |
+|---|---|
+| `GET /` | API info / root |
+| `GET /api/v1/health` | Health checks and monitoring |
+
+All other `/api/v1/*` routes require a valid `X-Api-Key` or `Authorization: Bearer`
+header. Requests without a valid key receive `HTTP 401`.
+
+## Security considerations
+
+- The key file is written with mode `0600` so only the process owner can read it.
+- Key comparison uses `secrets.compare_digest` to prevent timing-oracle attacks.
+- There is no unauthenticated endpoint that exposes the key over the network.
+  The only way to retrieve the key is to read the file from the filesystem where
+  the backend is running — which requires local access to that machine.
+- If the backend is not yet initialised (key file missing and startup not complete),
+  protected routes return `HTTP 503` rather than `401` to distinguish between
+  an uninitialised service and a bad credential.
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 90a66524..dfbba48a 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -24,6 +24,7 @@
       },
       "devDependencies": {
         "@playwright/test": "^1.58.2",
+        "@testing-library/dom": "^10.4.1",
         "@testing-library/jest-dom": "^6.9.1",
         "@testing-library/react": "^16.3.2",
         "@testing-library/user-event": "^14.6.1",
@@ -143,7 +144,6 @@
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -505,7 +505,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=20.19.0"
       },
@@ -554,7 +553,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=20.19.0"
       }
@@ -564,7 +562,6 @@
       "resolved": "https://registry.npmjs.org/@emotion/is-prop-valid/-/is-prop-valid-1.4.0.tgz",
       "integrity": "sha512-QgD4fyscGcbbKwJmqNvUMSE02OsHUa+lAWKdEUIJKgqe5IwRSKd7+KhibEWdaKwgjLj0DRSHA9biAIqGBk05lw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@emotion/memoize": "^0.9.0"
       }
@@ -1581,7 +1578,6 @@
       "integrity": "sha512-o4PXJQidqJl82ckFaXUeoAW+XysPLauYI43Abki5hABd853iMhitooc6znOnczgbTYmEP6U6/y1ZyKAIsvMKGg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.10.4",
         "@babel/runtime": "^7.12.5",
@@ -1793,7 +1789,6 @@
       "integrity": "sha512-z+pdZyxE+RTQE9AcboAZCb4otwcrvgHD+GlBpPgn0emDVt0ohrTMhAwlr2Wd9nZ+nihhYFxO2pThz3C5qSu2Eg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "undici-types": "~7.21.0"
       }
@@ -1824,7 +1819,6 @@
       "integrity": "sha512-WeqMfGJLGuLCqHGYRGHxnKrXcTitc6L/nBUWfWPcTarG3t9PsquqUMuVeXZeca+mglY4Vo5GZjCi0A3Or2lnxA==",
       "devOptional": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/prop-types": "*",
         "csstype": "^3.0.2"
@@ -1836,7 +1830,6 @@
       "integrity": "sha512-EhwApuTmMBmXuFOikhQLIBUn6uFg81SwLMOAUgodJF14SOBOCMdU04gDoYi0WOJJHD144TL32z4yDqCW3dnkQg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/react": "*"
       }
@@ -2147,7 +2140,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.10.12",
         "caniuse-lite": "^1.0.30001782",
@@ -3090,7 +3082,6 @@
       "integrity": "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "jiti": "bin/jiti.js"
       }
@@ -3551,7 +3542,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -3761,7 +3751,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
       "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "loose-envify": "^1.1.0"
       },
@@ -3774,7 +3763,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz",
       "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "loose-envify": "^1.1.0",
         "scheduler": "^0.23.2"
@@ -3793,9 +3781,9 @@
       }
     },
     "node_modules/react-is": {
-      "version": "19.2.6",
-      "resolved": "https://registry.npmjs.org/react-is/-/react-is-19.2.6.tgz",
-      "integrity": "sha512-XjBR15BhXuylgWGuslhDKqlSayuqvqBX91BP8pauG8kd1zY8kotkNWbXksTCNRarse4kuGbe2kIY05ARtwNIvw==",
+      "version": "19.2.7",
+      "resolved": "https://registry.npmjs.org/react-is/-/react-is-19.2.7.tgz",
+      "integrity": "sha512-kZFnouyVv7eP/Phmrlo9FK+zcAdriZJvzxXHF1Sl1P377WSGe2G/JxVolhTrB/jeV47lKImhNUsijjHAAbcl/A==",
       "license": "MIT",
       "peer": true
     },
@@ -3804,7 +3792,6 @@
       "resolved": "https://registry.npmjs.org/react-redux/-/react-redux-9.2.0.tgz",
       "integrity": "sha512-ROY9fvHhwOD9ySfrF0wmvu//bKCQ6AeZZq1nJNtbDC+kk5DuSuNX/n6YWYF/SYy7bSba4D4FSz8DJeKY/S/r+g==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/use-sync-external-store": "^0.0.6",
         "use-sync-external-store": "^1.4.0"
@@ -3935,8 +3922,7 @@
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/redux/-/redux-5.0.1.tgz",
       "integrity": "sha512-M9/ELqF6fy8FwmkpnF0S3YKOqMyoWJ4+CS5Efg2ct3oY9daQvd/Pc71FpGZsVsbl3Cpb+IIcjBDUnnyBdQbq4w==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/redux-thunk": {
       "version": "3.1.0",
@@ -4432,7 +4418,6 @@
       "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -4657,7 +4642,6 @@
       "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.4.4",
@@ -5294,7 +5278,6 @@
       "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -5846,7 +5829,6 @@
       "integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.21.3",
         "postcss": "^8.4.43",
diff --git a/frontend/package.json b/frontend/package.json
index 8bf47eec..0a9e3c3e 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -32,6 +32,7 @@
   },
   "devDependencies": {
     "@playwright/test": "^1.58.2",
+    "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index f4f6b39f..2d327482 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -1,4 +1,4 @@
-import React from 'react'
+import React, { useEffect, useState } from 'react'
 import { BrowserRouter as Router, Routes, Route, Navigate } from 'react-router-dom'
 import AppShell from './components/AppShell'
 import Dashboard from './pages/Dashboard'
@@ -10,11 +10,13 @@ import Settings from './pages/Settings'
 import Scans from './pages/Scans'
 import TaskDetails from './pages/TaskDetails'
 import Workflows from './pages/Workflows'
+import ApiKeySetupScreen from './components/ApiKeySetupScreen'
 
 import { ThemeProvider } from './components/ThemeContext'
-import { ToastProvider, ToastContainer } from './components/ToastContext'
+import { ToastProvider } from './components/ToastContext'
 import { I18nProvider } from './components/I18nContext'
 import { routes } from './routes'
+import { AUTH_REQUIRED_EVENT, getStoredApiKey } from './api'
 
 export function AppRoutes() {
   return (
@@ -35,15 +37,32 @@ export function AppRoutes() {
 }
 
 export default function App() {
+  // True when setup is needed: no key stored, or any request got a 401.
+  const [needsKey, setNeedsKey] = useState(() => !getStoredApiKey())
+
+  useEffect(() => {
+    function onAuthRequired() {
+      setNeedsKey(true)
+    }
+    window.addEventListener(AUTH_REQUIRED_EVENT, onAuthRequired)
+    return () => window.removeEventListener(AUTH_REQUIRED_EVENT, onAuthRequired)
+  }, [])
+
   return (
     <ThemeProvider>
       <I18nProvider>
         <ToastProvider>
-          <Router>
-            <AppShell>
-              <AppRoutes />
-            </AppShell>
-          </Router>
+          {needsKey ? (
+            // Render ONLY the setup screen — no page routes are mounted, so no
+            // API calls can fire and spam 401 failures before the key is saved.
+            <ApiKeySetupScreen onSaved={() => setNeedsKey(false)} />
+          ) : (
+            <Router>
+              <AppShell>
+                <AppRoutes />
+              </AppShell>
+            </Router>
+          )}
         </ToastProvider>
       </I18nProvider>
     </ThemeProvider>
diff --git a/frontend/src/api.ts b/frontend/src/api.ts
index a683815a..b3cb9fcf 100644
--- a/frontend/src/api.ts
+++ b/frontend/src/api.ts
@@ -83,15 +83,55 @@ export interface TaskStartResponse {
   stream_url: string
 }
 
+const API_KEY_STORAGE_KEY = 'secuscan_api_key'
+
+export function getStoredApiKey(): string | null {
+  try {
+    return localStorage.getItem(API_KEY_STORAGE_KEY) || null
+  } catch {
+    return null
+  }
+}
+
+export function setStoredApiKey(key: string): void {
+  try {
+    localStorage.setItem(API_KEY_STORAGE_KEY, key)
+  } catch {
+    // ignore storage errors
+  }
+}
+
+function getApiKey(): string | null {
+  return getStoredApiKey()
+}
+
+/** Fired on the window when any API request receives HTTP 401. */
+export const AUTH_REQUIRED_EVENT = 'secuscan:auth-required'
+
 async function request<T>(path: string, init?: RequestInit): Promise<T> {
   const controller = new AbortController()
   const timeoutId = window.setTimeout(() => controller.abort(), 10000)
 
+  const apiKey = getApiKey()
+  const authHeaders: Record<string, string> = apiKey ? { 'X-Api-Key': apiKey } : {}
+
   const response = await fetch(`${API_BASE}${path}`, {
     ...init,
+    headers: {
+      ...authHeaders,
+      ...(init?.headers as Record<string, string> | undefined),
+    },
     signal: controller.signal,
   })
   window.clearTimeout(timeoutId)
+
+  if (response.status === 401) {
+    // Notify the app so it can show the API-key setup UI without every
+    // caller needing to handle auth independently.
+    window.dispatchEvent(new CustomEvent(AUTH_REQUIRED_EVENT))
+    throw new Error('AUTH_REQUIRED')
+  }
+
   if (!response.ok) {
     throw new Error(`Request failed: ${response.status}`)
   }
diff --git a/frontend/src/components/ApiKeySetupModal.tsx b/frontend/src/components/ApiKeySetupModal.tsx
new file mode 100644
index 00000000..60ab4c10
--- /dev/null
+++ b/frontend/src/components/ApiKeySetupModal.tsx
@@ -0,0 +1,125 @@
+import React, { useState } from 'react'
+import { setStoredApiKey } from '../api'
+
+interface Props {
+  onSaved: () => void
+}
+
+/**
+ * First-run / 401 modal.
+ *
+ * Shown when the app receives HTTP 401 or detects no stored API key.
+ * The operator reads the key from `backend/data/.api_key`, pastes it here,
+ * and clicks Save. The key is written only to localStorage (secuscan_api_key);
+ * it is never sent to any server other than as the X-Api-Key request header.
+ */
+export default function ApiKeySetupModal({ onSaved }: Props) {
+  const [key, setKey] = useState('')
+  const [visible, setVisible] = useState(false)
+  const [error, setError] = useState('')
+
+  function handleSave() {
+    const trimmed = key.trim()
+    if (!trimmed) {
+      setError('Please enter the API key.')
+      return
+    }
+    setStoredApiKey(trimmed)
+    setKey('')
+    setError('')
+    onSaved()
+  }
+
+  return (
+    <div
+      role="dialog"
+      aria-modal="true"
+      aria-label="API key required"
+      style={{
+        position: 'fixed',
+        inset: 0,
+        zIndex: 9999,
+        background: 'rgba(0,0,0,0.6)',
+        display: 'flex',
+        alignItems: 'center',
+        justifyContent: 'center',
+      }}
+    >
+      <div
+        style={{
+          background: '#1e2130',
+          borderRadius: 8,
+          padding: '2rem',
+          maxWidth: 480,
+          width: '100%',
+          boxShadow: '0 8px 32px rgba(0,0,0,0.5)',
+        }}
+      >
+        <h2 style={{ marginTop: 0, color: '#e2e8f0' }}>API Key Required</h2>
+        <p style={{ color: '#94a3b8', fontSize: 14 }}>
+          SecuScan requires an API key to communicate with the backend. Read the key
+          from the key file on the server and paste it below:
+        </p>
+        <pre
+          style={{
+            background: '#0f1117',
+            color: '#7dd3fc',
+            padding: '0.5rem 0.75rem',
+            borderRadius: 4,
+            fontSize: 12,
+            overflowX: 'auto',
+          }}
+        >
+          cat backend/data/.api_key
+        </pre>
+        <label style={{ display: 'block', marginTop: '1rem', color: '#cbd5e1', fontSize: 13 }}>
+          Backend API Key
+          <input
+            type="password"
+            value={key}
+            onChange={(e) => { setKey(e.target.value); setError('') }}
+            onKeyDown={(e) => e.key === 'Enter' && handleSave()}
+            placeholder="Paste API key here"
+            aria-label="Backend API Key"
+            style={{
+              display: 'block',
+              width: '100%',
+              marginTop: 6,
+              padding: '0.5rem 0.75rem',
+              borderRadius: 4,
+              border: '1px solid #334155',
+              background: '#0f1117',
+              color: '#e2e8f0',
+              fontSize: 14,
+              boxSizing: 'border-box',
+            }}
+          />
+        </label>
+        {error && (
+          <p role="alert" style={{ color: '#f87171', fontSize: 13, marginTop: 6 }}>
+            {error}
+          </p>
+        )}
+        <button
+          onClick={handleSave}
+          style={{
+            marginTop: '1.25rem',
+            padding: '0.5rem 1.25rem',
+            background: '#3b82f6',
+            color: '#fff',
+            border: 'none',
+            borderRadius: 4,
+            cursor: 'pointer',
+            fontSize: 14,
+          }}
+        >
+          Save and connect
+        </button>
+        <p style={{ marginTop: '1rem', color: '#64748b', fontSize: 12 }}>
+          The key is stored only in your browser's localStorage and sent exclusively
+          as the <code>X-Api-Key</code> request header — it is never stored server-side.
+        </p>
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/src/components/ApiKeySetupScreen.tsx b/frontend/src/components/ApiKeySetupScreen.tsx
new file mode 100644
index 00000000..955ead32
--- /dev/null
+++ b/frontend/src/components/ApiKeySetupScreen.tsx
@@ -0,0 +1,138 @@
+import React, { useState } from 'react'
+import { setStoredApiKey } from '../api'
+
+interface Props {
+  onSaved: () => void
+}
+
+/**
+ * Full-page first-run / 401 gate.
+ *
+ * Replaces the entire app until the operator provides the API key.
+ * Because this component renders instead of the normal route tree, no page
+ * component mounts and no protected API call fires before the key is saved.
+ *
+ * The operator reads the key from the server key file and pastes it here.
+ * The key is stored only in localStorage under `secuscan_api_key` and sent
+ * exclusively as the `X-Api-Key` request header — never logged or stored
+ * server-side.
+ */
+export default function ApiKeySetupScreen({ onSaved }: Props) {
+  const [key, setKey] = useState('')
+  const [error, setError] = useState('')
+
+  function handleSave() {
+    const trimmed = key.trim()
+    if (!trimmed) {
+      setError('Please enter the API key.')
+      return
+    }
+    setStoredApiKey(trimmed)
+    setKey('')
+    setError('')
+    onSaved()
+  }
+
+  return (
+    <div
+      role="main"
+      aria-label="API key setup"
+      style={{
+        minHeight: '100vh',
+        background: '#0f1117',
+        display: 'flex',
+        alignItems: 'center',
+        justifyContent: 'center',
+        padding: '1rem',
+      }}
+    >
+      <div
+        style={{
+          background: '#1e2130',
+          borderRadius: 8,
+          padding: '2rem',
+          maxWidth: 500,
+          width: '100%',
+          boxShadow: '0 8px 32px rgba(0,0,0,0.5)',
+        }}
+      >
+        <h1 style={{ marginTop: 0, fontSize: 22, color: '#e2e8f0' }}>
+          Connect to SecuScan
+        </h1>
+        <p style={{ color: '#94a3b8', fontSize: 14, lineHeight: 1.6 }}>
+          The backend requires an API key. Read the key from the server key
+          file and paste it below to get started:
+        </p>
+        <pre
+          style={{
+            background: '#0a0d14',
+            color: '#7dd3fc',
+            padding: '0.6rem 0.85rem',
+            borderRadius: 4,
+            fontSize: 12,
+            overflowX: 'auto',
+            margin: '0.75rem 0',
+          }}
+        >
+          cat backend/data/.api_key
+        </pre>
+        <label
+          htmlFor="api-key-input"
+          style={{ display: 'block', color: '#cbd5e1', fontSize: 13, marginTop: '1rem' }}
+        >
+          Backend API Key
+        </label>
+        <input
+          id="api-key-input"
+          type="password"
+          value={key}
+          onChange={(e) => { setKey(e.target.value); setError('') }}
+          onKeyDown={(e) => e.key === 'Enter' && handleSave()}
+          placeholder="Paste API key here"
+          aria-label="Backend API Key"
+          autoFocus
+          style={{
+            display: 'block',
+            width: '100%',
+            marginTop: 6,
+            padding: '0.5rem 0.75rem',
+            borderRadius: 4,
+            border: error ? '1px solid #f87171' : '1px solid #334155',
+            background: '#0a0d14',
+            color: '#e2e8f0',
+            fontSize: 14,
+            boxSizing: 'border-box',
+            outline: 'none',
+          }}
+        />
+        {error && (
+          <p role="alert" style={{ color: '#f87171', fontSize: 13, margin: '6px 0 0' }}>
+            {error}
+          </p>
+        )}
+        <button
+          onClick={handleSave}
+          style={{
+            marginTop: '1.25rem',
+            padding: '0.55rem 1.4rem',
+            background: '#3b82f6',
+            color: '#fff',
+            border: 'none',
+            borderRadius: 4,
+            cursor: 'pointer',
+            fontSize: 14,
+            fontWeight: 500,
+          }}
+        >
+          Save and connect
+        </button>
+        <p style={{ marginTop: '1.25rem', color: '#475569', fontSize: 12, lineHeight: 1.5 }}>
+          The key is stored only in your browser's <code>localStorage</code> under{' '}
+          <code>secuscan_api_key</code> and sent as the{' '}
+          <code>X-Api-Key</code> header on every API request. It is never transmitted
+          to any third party or stored on the server beyond the key file.
+        </p>
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/src/pages/Settings.tsx b/frontend/src/pages/Settings.tsx
index 850faab3..89a38bf1 100644
--- a/frontend/src/pages/Settings.tsx
+++ b/frontend/src/pages/Settings.tsx
@@ -2,6 +2,7 @@ import React, { useState, useEffect } from 'react'
 import { motion, AnimatePresence } from 'framer-motion'
 import { useTheme } from '../components/ThemeContext'
 import { useToast } from '../components/ToastContext'
+import { getStoredApiKey, setStoredApiKey } from '../api'
 import { ConfirmModal } from '../components/ConfirmModal'
 
 function getSystemThemeForSettings(): string {
@@ -43,6 +44,27 @@ export default function Settings() {
     const { theme, setTheme, resetToSystem, isSystemControlled } = useTheme()
     const { addToast } = useToast()
 
+    const [apiKey, setApiKey] = useState(() => getStoredApiKey() ?? '')
+    const [apiKeyVisible, setApiKeyVisible] = useState(false)
+
+    const handleSaveApiKey = () => {
+        const trimmed = apiKey.trim()
+        if (!trimmed) {
+            addToast("API key cannot be empty", "error")
+            return
+        }
+        setStoredApiKey(trimmed)
+        addToast("API key saved — all future requests will use this key", "success")
+    }
+
+    const handleClearApiKey = () => {
+        if (window.confirm("Clear the stored API key? The UI will return 401 errors until a valid key is configured.")) {
+            setApiKey('')
+            setStoredApiKey('')
+            addToast("API key cleared", "info")
+        }
+    }
+
     const [config, setConfig] = useState(() => {
         const saved = localStorage.getItem('secuscan-config')
         if (saved) {
@@ -200,6 +222,63 @@ export default function Settings() {
             </header>
             <div className="grid grid-cols-1 xl:grid-cols-4 gap-12 pt-4">
                 <main className="xl:col-span-3 space-y-20">
+
+                    <section className="space-y-8">
+                        <div className="flex items-center gap-4">
+                            <h3 className="text-xs font-black text-silver-bright uppercase tracking-[0.4em] italic">API_Key_Configuration</h3>
+                            <div className="h-0.5 flex-1 bg-black/10"></div>
+                        </div>
+                        <div className="bg-charcoal border-4 border-black p-10 shadow-[8px_8px_0px_0px_rgba(0,0,0,1)] space-y-6">
+                            <div className="space-y-2">
+                                <label className="text-[10px] font-black text-silver-bright uppercase tracking-widest block italic">Backend_API_Key</label>
+                                <p className="text-[10px] text-silver/40 uppercase font-bold italic mb-4 leading-relaxed">
+                                    Read from <span className="text-rag-blue font-mono">backend/data/.api_key</span> after starting the backend. Stored locally in browser — never sent to any remote server.
+                                </p>
+                            </div>
+                            <div className="flex gap-4 items-stretch">
+                                <input
+                                    type={apiKeyVisible ? 'text' : 'password'}
+                                    value={apiKey}
+                                    onChange={(e) => setApiKey(e.target.value)}
+                                    placeholder="PASTE_KEY_HERE"
+                                    className="flex-1 bg-black/40 border-4 border-black p-4 text-xs font-mono text-rag-blue font-bold focus:outline-none focus:border-rag-blue/50 transition-colors uppercase"
+                                    autoComplete="off"
+                                    spellCheck={false}
+                                />
+                                <button
+                                    onClick={() => setApiKeyVisible(v => !v)}
+                                    className="px-4 bg-charcoal-dark border-4 border-black text-[10px] font-black text-silver/40 uppercase tracking-widest hover:text-white transition-colors"
+                                    title={apiKeyVisible ? 'Hide key' : 'Show key'}
+                                >
+                                    {apiKeyVisible ? 'HIDE' : 'SHOW'}
+                                </button>
+                            </div>
+                            <div className="flex gap-4 pt-2">
+                                <button
+                                    onClick={handleSaveApiKey}
+                                    className="bg-rag-blue text-black px-8 py-3 text-[10px] font-black uppercase tracking-[0.3em] shadow-[4px_4px_0px_0px_rgba(0,0,0,1)] hover:shadow-none hover:translate-x-0.5 hover:translate-y-0.5 transition-all italic"
+                                >
+                                    SAVE_KEY
+                                </button>
+                                <button
+                                    onClick={handleClearApiKey}
+                                    className="bg-rag-red text-black px-8 py-3 text-[10px] font-black uppercase tracking-[0.3em] shadow-[4px_4px_0px_0px_rgba(0,0,0,1)] hover:shadow-none hover:translate-x-0.5 hover:translate-y-0.5 transition-all italic"
+                                >
+                                    CLEAR_KEY
+                                </button>
+                            </div>
+                            {getStoredApiKey() ? (
+                                <p className="text-[10px] font-mono text-rag-green uppercase tracking-widest">
+                                    ● KEY_CONFIGURED — requests will authenticate automatically
+                                </p>
+                            ) : (
+                                <p className="text-[10px] font-mono text-rag-red uppercase tracking-widest">
+                                    ● NO_KEY_SET — API requests will return 401 until a key is saved
+                                </p>
+                            )}
+                        </div>
+                    </section>
+
                     <section className="space-y-8">
                         <div className="flex items-center gap-4">
                             <h3 className="text-xs font-black text-silver-bright uppercase tracking-[0.4em] italic">Engine_Parameters</h3>
diff --git a/frontend/testing/unit/App.auth.gate.test.tsx b/frontend/testing/unit/App.auth.gate.test.tsx
new file mode 100644
index 00000000..316e8444
--- /dev/null
+++ b/frontend/testing/unit/App.auth.gate.test.tsx
@@ -0,0 +1,212 @@
+/**
+ * App-level first-run auth gate tests (PR #278).
+ *
+ * The core reviewer requirement: once auth is enabled, the app must NOT let
+ * any protected API call fire before the operator has provided the key.
+ *
+ * Covers:
+ * - No key stored → setup screen is rendered; no fetch() is called.
+ * - Saving a valid key → route tree replaces the setup screen.
+ * - Saving an empty key → validation error; still on setup screen.
+ * - Key already stored → app shell renders immediately; no setup screen.
+ * - AUTH_REQUIRED_EVENT fired → setup screen re-appears; app shell hidden.
+ * - New key saved after 401 → app shell returns; localStorage updated.
+ */
+
+import React from 'react'
+import { render, screen, fireEvent, waitFor, act } from '@testing-library/react'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+// vi.mock calls are hoisted — all factories must be self-contained.
+vi.mock('react-router-dom', () => ({
+  BrowserRouter: ({ children }: { children: React.ReactNode }) =>
+    React.createElement('div', { 'data-testid': 'router' }, children),
+  Routes: ({ children }: { children: React.ReactNode }) =>
+    React.createElement('div', { 'data-testid': 'routes' }, children),
+  Route: () => React.createElement('div', { 'data-testid': 'route' }),
+  Navigate: () => React.createElement('div', { 'data-testid': 'navigate' }),
+}))
+
+vi.mock('../../src/components/AppShell', () => ({
+  default: ({ children }: { children: React.ReactNode }) =>
+    React.createElement('div', { 'data-testid': 'app-shell' }, children),
+}))
+
+vi.mock('../../src/pages/Dashboard', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-dashboard' }),
+}))
+vi.mock('../../src/pages/Toolkit', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-toolkit' }),
+}))
+vi.mock('../../src/pages/ToolConfig', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-toolconfig' }),
+}))
+vi.mock('../../src/pages/Findings', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-findings' }),
+}))
+vi.mock('../../src/pages/Reports', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-reports' }),
+}))
+vi.mock('../../src/pages/Settings', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-settings' }),
+}))
+vi.mock('../../src/pages/Scans', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-scans' }),
+}))
+vi.mock('../../src/pages/TaskDetails', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-taskdetails' }),
+}))
+vi.mock('../../src/pages/Workflows', () => ({
+  default: () => React.createElement('div', { 'data-testid': 'page-workflows' }),
+}))
+
+import App from '../../src/App'
+import { AUTH_REQUIRED_EVENT, setStoredApiKey } from '../../src/api'
+
+// ---------------------------------------------------------------------------
+// Setup / teardown
+// ---------------------------------------------------------------------------
+
+beforeEach(() => {
+  localStorage.clear()
+  vi.unstubAllGlobals()
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllGlobals()
+  localStorage.clear()
+})
+
+// ---------------------------------------------------------------------------
+// First-run: no key stored
+// ---------------------------------------------------------------------------
+
+describe('first-run gate (no key stored)', () => {
+  it('renders the setup screen instead of the app routes', () => {
+    const { container } = render(React.createElement(App))
+    expect(screen.getByRole('main', { name: /api key setup/i })).toBeTruthy()
+    expect(container.querySelector('[data-testid="app-shell"]')).toBeNull()
+  })
+
+  it('does not call fetch() while the setup screen is showing', () => {
+    const fetchSpy = vi.fn()
+    vi.stubGlobal('fetch', fetchSpy)
+    render(React.createElement(App))
+    expect(fetchSpy).not.toHaveBeenCalled()
+  })
+
+  it('shows the app shell after the operator saves a valid key', async () => {
+    render(React.createElement(App))
+    fireEvent.change(screen.getByLabelText(/Backend API Key/i), {
+      target: { value: 'my-operator-key' },
+    })
+    fireEvent.click(screen.getByText(/Save and connect/i))
+
+    await waitFor(() =>
+      expect(screen.queryByRole('main', { name: /api key setup/i })).toBeNull()
+    )
+    expect(screen.getByTestId('app-shell')).toBeTruthy()
+  })
+
+  it('persists the key to localStorage after save', async () => {
+    render(React.createElement(App))
+    fireEvent.change(screen.getByLabelText(/Backend API Key/i), {
+      target: { value: 'stored-key-abc' },
+    })
+    fireEvent.click(screen.getByText(/Save and connect/i))
+
+    await waitFor(() =>
+      expect(localStorage.getItem('secuscan_api_key')).toBe('stored-key-abc')
+    )
+  })
+
+  it('shows a validation error and stays on setup screen for empty key', () => {
+    render(React.createElement(App))
+    fireEvent.click(screen.getByText(/Save and connect/i))
+    expect(screen.getByRole('alert')).toBeTruthy()
+    expect(screen.getByRole('main', { name: /api key setup/i })).toBeTruthy()
+  })
+
+  it('saves key on Enter keypress in the input', async () => {
+    render(React.createElement(App))
+    const input = screen.getByLabelText(/Backend API Key/i)
+    fireEvent.change(input, { target: { value: 'enter-key-test' } })
+    fireEvent.keyDown(input, { key: 'Enter' })
+
+    await waitFor(() =>
+      expect(screen.queryByRole('main', { name: /api key setup/i })).toBeNull()
+    )
+    expect(localStorage.getItem('secuscan_api_key')).toBe('enter-key-test')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// Key already stored: app renders normally
+// ---------------------------------------------------------------------------
+
+describe('key already stored', () => {
+  it('renders the app shell without the setup screen', () => {
+    setStoredApiKey('pre-seeded-key')
+    render(React.createElement(App))
+    expect(screen.queryByRole('main', { name: /api key setup/i })).toBeNull()
+    expect(screen.getByTestId('app-shell')).toBeTruthy()
+  })
+
+  it('does not render the setup screen when a whitespace-trimmed key exists', () => {
+    localStorage.setItem('secuscan_api_key', 'some-valid-key')
+    render(React.createElement(App))
+    expect(screen.queryByRole('main', { name: /api key setup/i })).toBeNull()
+  })
+})
+
+// ---------------------------------------------------------------------------
+// 401 re-triggers the gate
+// ---------------------------------------------------------------------------
+
+describe('401 re-triggers setup screen', () => {
+  it('shows the setup screen when AUTH_REQUIRED_EVENT fires', async () => {
+    setStoredApiKey('valid-key')
+    render(React.createElement(App))
+    expect(screen.getByTestId('app-shell')).toBeTruthy()
+
+    act(() => { window.dispatchEvent(new CustomEvent(AUTH_REQUIRED_EVENT)) })
+
+    await waitFor(() =>
+      expect(screen.getByRole('main', { name: /api key setup/i })).toBeTruthy()
+    )
+    expect(screen.queryByTestId('app-shell')).toBeNull()
+  })
+
+  it('hides the setup screen after a new key is saved post-401', async () => {
+    setStoredApiKey('valid-key')
+    render(React.createElement(App))
+    act(() => { window.dispatchEvent(new CustomEvent(AUTH_REQUIRED_EVENT)) })
+    await waitFor(() => screen.getByRole('main', { name: /api key setup/i }))
+
+    fireEvent.change(screen.getByLabelText(/Backend API Key/i), {
+      target: { value: 'new-key-after-401' },
+    })
+    fireEvent.click(screen.getByText(/Save and connect/i))
+
+    await waitFor(() =>
+      expect(screen.queryByRole('main', { name: /api key setup/i })).toBeNull()
+    )
+    expect(screen.getByTestId('app-shell')).toBeTruthy()
+    expect(localStorage.getItem('secuscan_api_key')).toBe('new-key-after-401')
+  })
+
+  it('does not call fetch() after 401 until the new key is saved', async () => {
+    setStoredApiKey('old-key')
+    render(React.createElement(App))
+
+    const fetchSpy = vi.fn()
+    vi.stubGlobal('fetch', fetchSpy)
+
+    act(() => { window.dispatchEvent(new CustomEvent(AUTH_REQUIRED_EVENT)) })
+    await waitFor(() => screen.getByRole('main', { name: /api key setup/i }))
+
+    // The app shell is gone — no components that would call fetch are mounted.
+    expect(fetchSpy).not.toHaveBeenCalled()
+  })
+})
diff --git a/frontend/testing/unit/api.auth.test.ts b/frontend/testing/unit/api.auth.test.ts
new file mode 100644
index 00000000..2ef7352f
--- /dev/null
+++ b/frontend/testing/unit/api.auth.test.ts
@@ -0,0 +1,201 @@
+/**
+ * Frontend auth tests for PR #278.
+ *
+ * Covers:
+ * - getStoredApiKey returns null when localStorage is empty
+ * - setStoredApiKey persists the key to localStorage
+ * - request() includes X-Api-Key header when a key is stored
+ * - request() omits X-Api-Key when no key is stored
+ * - request() fires AUTH_REQUIRED_EVENT on HTTP 401
+ * - request() throws 'AUTH_REQUIRED' on HTTP 401 (not a generic error)
+ * - request() throws a generic error on other non-200 statuses
+ * - request() succeeds and returns parsed JSON on 200
+ * - The raw key is never logged via console.log/warn/error
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import {
+  AUTH_REQUIRED_EVENT,
+  getStoredApiKey,
+  setStoredApiKey,
+  listPlugins,
+} from '../../src/api'
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function mockResponse(status: number, body: unknown = {}) {
+  return Promise.resolve({
+    ok: status >= 200 && status < 300,
+    status,
+    json: () => Promise.resolve(body),
+  } as Response)
+}
+
+// ---------------------------------------------------------------------------
+// localStorage key storage
+// ---------------------------------------------------------------------------
+
+describe('getStoredApiKey / setStoredApiKey', () => {
+  beforeEach(() => {
+    localStorage.clear()
+  })
+
+  it('returns null when no key is stored', () => {
+    expect(getStoredApiKey()).toBeNull()
+  })
+
+  it('returns the key after setStoredApiKey', () => {
+    setStoredApiKey('my-secret-key')
+    expect(getStoredApiKey()).toBe('my-secret-key')
+  })
+
+  it('overwrites an existing key', () => {
+    setStoredApiKey('old-key')
+    setStoredApiKey('new-key')
+    expect(getStoredApiKey()).toBe('new-key')
+  })
+
+  it('stores the key only under secuscan_api_key', () => {
+    setStoredApiKey('abc123')
+    expect(localStorage.getItem('secuscan_api_key')).toBe('abc123')
+    // No other localStorage entry should be written by setStoredApiKey.
+    expect(localStorage.length).toBe(1)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// request() — header injection
+// ---------------------------------------------------------------------------
+
+describe('request() X-Api-Key header', () => {
+  afterEach(() => {
+    vi.unstubAllGlobals()
+    localStorage.clear()
+  })
+
+  it('includes X-Api-Key header when a key is stored', async () => {
+    setStoredApiKey('test-key-123')
+    const spy = vi.fn().mockReturnValue(mockResponse(200, { plugins: [], total: 0 }))
+    vi.stubGlobal('fetch', spy)
+
+    await listPlugins()
+
+    const [_url, init] = spy.mock.calls[0]
+    const headers = init?.headers as Record<string, string>
+    expect(headers['X-Api-Key']).toBe('test-key-123')
+  })
+
+  it('omits X-Api-Key header when no key is stored', async () => {
+    localStorage.clear()
+    const spy = vi.fn().mockReturnValue(mockResponse(200, { plugins: [], total: 0 }))
+    vi.stubGlobal('fetch', spy)
+
+    await listPlugins()
+
+    const [_url, init] = spy.mock.calls[0]
+    const headers = (init?.headers ?? {}) as Record<string, string>
+    expect(headers['X-Api-Key']).toBeUndefined()
+  })
+})
+
+// ---------------------------------------------------------------------------
+// request() — 401 handling
+// ---------------------------------------------------------------------------
+
+describe('request() 401 handling', () => {
+  afterEach(() => {
+    vi.unstubAllGlobals()
+    localStorage.clear()
+  })
+
+  it('dispatches AUTH_REQUIRED_EVENT on 401', async () => {
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(401)))
+
+    const received: Event[] = []
+    window.addEventListener(AUTH_REQUIRED_EVENT, (e) => received.push(e))
+
+    await listPlugins().catch(() => {})
+
+    window.removeEventListener(AUTH_REQUIRED_EVENT, (e) => received.push(e))
+    expect(received).toHaveLength(1)
+  })
+
+  it('throws AUTH_REQUIRED on 401 — not a generic status error', async () => {
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(401)))
+
+    await expect(listPlugins()).rejects.toThrow('AUTH_REQUIRED')
+  })
+
+  it('throws a generic error on 403 (not 401)', async () => {
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(403)))
+
+    await expect(listPlugins()).rejects.toThrow('Request failed: 403')
+  })
+
+  it('throws a generic error on 500', async () => {
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(500)))
+
+    await expect(listPlugins()).rejects.toThrow('Request failed: 500')
+  })
+
+  it('wrong key triggers AUTH_REQUIRED_EVENT on next request', async () => {
+    setStoredApiKey('wrong-key')
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(401)))
+
+    const fired: boolean[] = []
+    const handler = () => fired.push(true)
+    window.addEventListener(AUTH_REQUIRED_EVENT, handler)
+
+    await listPlugins().catch(() => {})
+
+    window.removeEventListener(AUTH_REQUIRED_EVENT, handler)
+    expect(fired).toHaveLength(1)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// request() — successful authenticated request
+// ---------------------------------------------------------------------------
+
+describe('request() successful authenticated request', () => {
+  afterEach(() => {
+    vi.unstubAllGlobals()
+    localStorage.clear()
+  })
+
+  it('returns parsed JSON on 200 with correct key', async () => {
+    setStoredApiKey('correct-key')
+    const body = { plugins: [{ id: 'nmap' }], total: 1 }
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(200, body)))
+
+    const result = await listPlugins()
+    expect(result).toEqual(body)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// Key must not be logged
+// ---------------------------------------------------------------------------
+
+describe('API key is never logged', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.unstubAllGlobals()
+    localStorage.clear()
+  })
+
+  it('does not pass the raw key to console.log', async () => {
+    const logSpy = vi.spyOn(console, 'log')
+    setStoredApiKey('super-secret-api-key')
+    vi.stubGlobal('fetch', vi.fn().mockReturnValue(mockResponse(200, { plugins: [], total: 0 })))
+
+    await listPlugins()
+
+    for (const call of logSpy.mock.calls) {
+      const text = call.map(String).join(' ')
+      expect(text).not.toContain('super-secret-api-key')
+    }
+  })
+})
diff --git a/testing/backend/conftest.py b/testing/backend/conftest.py
index 22e576b5..e7d30d23 100644
--- a/testing/backend/conftest.py
+++ b/testing/backend/conftest.py
@@ -20,6 +20,7 @@ def anyio_backend():
 from backend.secuscan.main import app
 from backend.secuscan.plugins import init_plugins
 from backend.secuscan.ratelimit import concurrent_limiter, rate_limiter
+from backend.secuscan import auth as auth_module
 
 
 @pytest.fixture(autouse=True)
@@ -66,7 +67,9 @@ async def setup():
 
     asyncio.run(setup())
 
-    with TestClient(app) as client:
+    api_key = auth_module.init_api_key(settings.data_dir)
+
+    with TestClient(app, headers={"X-Api-Key": api_key}) as client:
         yield client
 
     async def teardown():
diff --git a/testing/backend/integration/test_task_cleanup.py b/testing/backend/integration/test_task_cleanup.py
index ef4ab476..797bfe29 100644
--- a/testing/backend/integration/test_task_cleanup.py
+++ b/testing/backend/integration/test_task_cleanup.py
@@ -42,6 +42,8 @@ async def app_client(db_path):
         from backend.secuscan.main import app
         from backend.secuscan import database as db_module
         from backend.secuscan import cache as cache_module
+        from backend.secuscan import auth as auth_module
+        import tempfile
 
         # Initialise a real in-memory cache (it's just a dict, no external deps)
         await cache_module.init_cache()
@@ -49,13 +51,19 @@ async def app_client(db_path):
         # Initialise a fresh DB pointing at our temp file
         test_db = await db_module.init_db(db_path)
 
-        async with AsyncClient(
-            transport=ASGITransport(app=app), base_url="http://test"
-        ) as client:
-            client._mock_executor = mock_executor
-            client._db = test_db
-            client._db_path = db_path
-            yield client
+        # Initialise API key in a temporary directory so the dependency resolves
+        with tempfile.TemporaryDirectory() as tmp_auth_dir:
+            api_key = auth_module.init_api_key(tmp_auth_dir)
+
+            async with AsyncClient(
+                transport=ASGITransport(app=app),
+                base_url="http://test",
+                headers={"X-Api-Key": api_key},
+            ) as client:
+                client._mock_executor = mock_executor
+                client._db = test_db
+                client._db_path = db_path
+                yield client
 
         # Teardown
         await test_db.disconnect()
diff --git a/testing/backend/test_task_pagination.py b/testing/backend/test_task_pagination.py
index dab120a3..000de760 100644
--- a/testing/backend/test_task_pagination.py
+++ b/testing/backend/test_task_pagination.py
@@ -3,62 +3,45 @@
 """
 
 import pytest
-from fastapi.testclient import TestClient
-from backend.secuscan.main import app
-from backend.secuscan.database import init_db
-
-# IMPORTANT: Initialize database before any tests run
-@pytest.fixture(scope="session", autouse=True)
-def setup_database():
-    """Initialize database for testing"""
-    import asyncio
-    asyncio.run(init_db())
-
-client = TestClient(app)
 
 
 class TestTasksPagination:
     """Test pagination metadata for /api/v1/tasks endpoint"""
 
-    def test_pagination_has_next_previous_fields(self):
+    def test_pagination_has_next_previous_fields(self, test_client):
         """Test that next and previous fields exist in response"""
-        response = client.get("/api/v1/tasks")
+        response = test_client.get("/api/v1/tasks")
 
-        # Check if we got a response
         if response.status_code == 200:
             data = response.json()
             assert "pagination" in data
             pagination = data["pagination"]
 
-            # These fields should always exist
             assert "next" in pagination
             assert "previous" in pagination
             assert "page" in pagination
             assert "per_page" in pagination
             assert "total_items" in pagination
             assert "total_pages" in pagination
-            print("✅ All pagination fields present!")
         else:
             pytest.fail(f"API returned {response.status_code}")
 
-    def test_default_pagination_values(self):
+    def test_default_pagination_values(self, test_client):
         """Test default page=1, per_page=25"""
-        response = client.get("/api/v1/tasks")
+        response = test_client.get("/api/v1/tasks")
         assert response.status_code == 200
 
         pagination = response.json()["pagination"]
         assert pagination["page"] == 1
         assert pagination["per_page"] == 25
-        print(f"✅ Default values: page={pagination['page']}, per_page={pagination['per_page']}")
 
-    def test_custom_per_page(self):
+    def test_custom_per_page(self, test_client):
         """Test that per_page parameter is respected"""
-        response = client.get("/api/v1/tasks?page=1&per_page=10")
+        response = test_client.get("/api/v1/tasks?page=1&per_page=10")
         assert response.status_code == 200
 
         pagination = response.json()["pagination"]
         assert pagination["per_page"] == 10
-        print(f"✅ Custom per_page=10 works")
 
     @pytest.mark.parametrize(
         "qs",
@@ -70,22 +53,21 @@ def test_custom_per_page(self):
             "per_page=101",
         ],
     )
-    def test_invalid_pagination_is_rejected(self, qs):
-        response = client.get(f"/api/v1/tasks?{qs}")
+    def test_invalid_pagination_is_rejected(self, test_client, qs):
+        response = test_client.get(f"/api/v1/tasks?{qs}")
         assert response.status_code == 422
 
-    def test_first_page_previous_is_null(self):
+    def test_first_page_previous_is_null(self, test_client):
         """Test that previous is None on first page"""
-        response = client.get("/api/v1/tasks?page=1&per_page=10")
+        response = test_client.get("/api/v1/tasks?page=1&per_page=10")
         assert response.status_code == 200
 
         pagination = response.json()["pagination"]
         assert pagination["previous"] is None
-        print("✅ First page has previous=None")
 
-    def test_next_url_preserves_filters(self):
+    def test_next_url_preserves_filters(self, test_client):
         """Test that next URL keeps filter parameters"""
-        response = client.get(
+        response = test_client.get(
             "/api/v1/tasks?page=1&per_page=5&status=completed&plugin_id=nmap"
         )
         assert response.status_code == 200
@@ -93,10 +75,7 @@ def test_next_url_preserves_filters(self):
         data = response.json()
         next_url = data["pagination"]["next"]
 
-        if next_url:  # If there are more pages
+        if next_url:
             assert "per_page=5" in next_url
             assert "status=completed" in next_url
             assert "plugin_id=nmap" in next_url
-            print(f"✅ Next URL preserves filters: {next_url}")
-        else:
-            print("ℹ️ No next page (database might be empty)")
diff --git a/testing/backend/unit/test_api_auth.py b/testing/backend/unit/test_api_auth.py
new file mode 100644
index 00000000..e0965a28
--- /dev/null
+++ b/testing/backend/unit/test_api_auth.py
@@ -0,0 +1,120 @@
+"""
+Unit tests for API key authentication (issue #199).
+"""
+
+import asyncio
+import tempfile
+from pathlib import Path
+
+import pytest
+from fastapi.testclient import TestClient
+
+from backend.secuscan import auth as auth_module
+from backend.secuscan.main import app
+from backend.secuscan.config import settings
+from backend.secuscan.database import init_db
+from backend.secuscan.plugins import init_plugins
+
+
+@pytest.fixture()
+def client_with_key(setup_test_environment):
+    """TestClient with a valid API key pre-seeded."""
+    asyncio.run(init_db(settings.database_path))
+    asyncio.run(init_plugins(settings.plugins_dir))
+    api_key = auth_module.init_api_key(settings.data_dir)
+    with TestClient(app) as c:
+        yield c, api_key
+
+
+class TestApiKeyInit:
+    def test_key_file_created(self, tmp_path):
+        key = auth_module.init_api_key(str(tmp_path))
+        assert (tmp_path / ".api_key").exists()
+        assert len(key) == 64  # 32 bytes → 64 hex chars
+
+    def test_existing_key_reloaded(self, tmp_path):
+        k1 = auth_module.init_api_key(str(tmp_path))
+        k2 = auth_module.init_api_key(str(tmp_path))
+        assert k1 == k2
+
+    def test_key_file_permissions(self, tmp_path):
+        auth_module.init_api_key(str(tmp_path))
+        mode = (tmp_path / ".api_key").stat().st_mode & 0o777
+        assert mode == 0o600
+
+    def test_secuscan_api_key_file_env_var(self, tmp_path, monkeypatch):
+        custom_path = tmp_path / "secrets" / "my_api_key"
+        monkeypatch.setenv("SECUSCAN_API_KEY_FILE", str(custom_path))
+        key = auth_module.init_api_key(str(tmp_path))
+        assert custom_path.exists()
+        assert custom_path.read_text().strip() == key
+
+    def test_secuscan_api_key_file_loads_existing(self, tmp_path, monkeypatch):
+        custom_path = tmp_path / "my_key"
+        custom_path.write_text("preset-key-abc123")
+        monkeypatch.setenv("SECUSCAN_API_KEY_FILE", str(custom_path))
+        key = auth_module.init_api_key(str(tmp_path))
+        assert key == "preset-key-abc123"
+
+
+class TestAuthDependency:
+    def test_no_credentials_returns_401(self, client_with_key):
+        client, _ = client_with_key
+        resp = client.get("/api/v1/plugins", headers={})
+        assert resp.status_code == 401
+
+    def test_wrong_key_returns_401(self, client_with_key):
+        client, _ = client_with_key
+        resp = client.get("/api/v1/plugins", headers={"X-Api-Key": "wrong-key"})
+        assert resp.status_code == 401
+
+    def test_valid_x_api_key_header(self, client_with_key):
+        client, api_key = client_with_key
+        resp = client.get("/api/v1/plugins", headers={"X-Api-Key": api_key})
+        assert resp.status_code == 200
+
+    def test_valid_bearer_token(self, client_with_key):
+        client, api_key = client_with_key
+        resp = client.get("/api/v1/plugins", headers={"Authorization": f"Bearer {api_key}"})
+        assert resp.status_code == 200
+
+    def test_bearer_wrong_key_returns_401(self, client_with_key):
+        client, _ = client_with_key
+        resp = client.get("/api/v1/plugins", headers={"Authorization": "Bearer bad"})
+        assert resp.status_code == 401
+
+    def test_health_endpoint_not_protected(self, client_with_key):
+        client, _ = client_with_key
+        resp = client.get("/api/v1/health", headers={})
+        # health check is defined on `app` directly, not inside the authenticated router
+        assert resp.status_code == 200
+
+    def test_root_endpoint_not_protected(self, client_with_key):
+        client, _ = client_with_key
+        resp = client.get("/", headers={})
+        assert resp.status_code == 200
+
+
+class TestIsFilesystemTarget:
+    """Regression tests for is_filesystem_target — CIDR must not be treated as a path."""
+
+    from backend.secuscan.routes import is_filesystem_target
+
+    @pytest.mark.parametrize("target,expected", [
+        ("/etc/passwd", True),
+        ("./relative/path", True),
+        ("../parent/path", True),
+        ("~/home/dir", True),
+        ("C:\\Windows\\System32", True),
+        ("C:/Windows/System32", True),
+        # These are NOT filesystem targets
+        ("8.8.8.8/32", False),
+        ("192.168.1.0/24", False),
+        ("example.com", False),
+        ("http://example.com/path", False),
+        ("https://example.com/path", False),
+        ("10.0.0.1", False),
+    ])
+    def test_filesystem_target_detection(self, target, expected):
+        from backend.secuscan.routes import is_filesystem_target
+        assert is_filesystem_target(target) == expected
diff --git a/testing/backend/unit/test_bulk_delete_sqlite_limit.py b/testing/backend/unit/test_bulk_delete_sqlite_limit.py
index f563aaf5..6c1b8c50 100644
--- a/testing/backend/unit/test_bulk_delete_sqlite_limit.py
+++ b/testing/backend/unit/test_bulk_delete_sqlite_limit.py
@@ -43,17 +43,24 @@ async def app_client(db_path):
         from backend.secuscan.main import app
         from backend.secuscan import database as db_module
         from backend.secuscan import cache as cache_module
+        from backend.secuscan import auth as auth_module
 
         await cache_module.init_cache()
         test_db = await db_module.init_db(db_path)
 
-        async with AsyncClient(
-            transport=ASGITransport(app=app), base_url="http://test"
-        ) as client:
-            client._mock_executor = mock_executor
-            client._db = test_db
-            client._db_path = db_path
-            yield client
+        import tempfile, os
+        with tempfile.TemporaryDirectory() as tmp_data_dir:
+            api_key = auth_module.init_api_key(tmp_data_dir)
+
+            async with AsyncClient(
+                transport=ASGITransport(app=app),
+                base_url="http://test",
+                headers={"X-Api-Key": api_key},
+            ) as client:
+                client._mock_executor = mock_executor
+                client._db = test_db
+                client._db_path = db_path
+                yield client
 
         await test_db.disconnect()
         db_module.db = None