diff --git a/core/api.go b/core/api.go
index e32e367..0fe3791 100644
--- a/core/api.go
+++ b/core/api.go
@@ -459,34 +459,52 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
 var userinfo map[string]any
+ var apiTokenObj primitive.ObjectID
 if !*devflag {
- authheader := r.Header.Get("Authorization")
- if len(authheader) == 0 {
- logger.Println("Authorization header is not valid :", authheader)
- w.WriteHeader(http.StatusBadRequest)
- return
- }
+ apiToken := r.Header.Get("MG-X-API-TOKEN")
+ if len(apiToken) > 0 {
+ if apiToken != mg.maingateConfig.ApiToken {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
- req, _ := http.NewRequest("GET", "https://graph.microsoft.com/oidc/userinfo", nil)
- req.Header.Add("Authorization", authheader)
- client := &http.Client{}
+ obj, err := primitive.ObjectIDFromHex(apiToken)
+ if err != nil {
+ logger.Error(err)
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ }
- resp, err := client.Do(req)
- if err != nil {
- logger.Println("graph microsoft api call failed :", err)
- w.WriteHeader(http.StatusBadRequest)
- return
- }
- defer resp.Body.Close()
+ apiTokenObj = obj
+ } else {
+ authheader := r.Header.Get("Authorization")
+ if len(authheader) == 0 {
+ logger.Println("Authorization header is not valid :", authheader)
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
- raw, _ := io.ReadAll(resp.Body)
- if err = json.Unmarshal(raw, &userinfo); err != nil {
- return
- }
+ req, _ := http.NewRequest("GET", "https://graph.microsoft.com/oidc/userinfo", nil)
+ req.Header.Add("Authorization", authheader)
+ client := &http.Client{}
- if _, expired := userinfo["error"]; expired {
- w.WriteHeader(http.StatusUnauthorized)
- return
+ resp, err := client.Do(req)
+ if err != nil {
+ logger.Println("graph microsoft api call failed :", err)
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ }
+ defer resp.Body.Close()
+
+ raw, _ := io.ReadAll(resp.Body)
+ if err = json.Unmarshal(raw, &userinfo); err != nil {
+ return
+ }
+
+ if _, expired := userinfo["error"]; expired {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
 }
 }
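Review bot: The new shared-secret check `if apiToken != mg.maingateConfig.ApiToken {` uses an ordinary string comparison, which stops at the first differing byte; a secret that alone grants access to the API should be compared in constant time, e.g. `if subtle.ConstantTimeCompare([]byte(apiToken), []byte(mg.maingateConfig.ApiToken)) != 1 {` (requires `crypto/subtle`). The same value is then handed to `primitive.ObjectIDFromHex`, so the configured secret has to be a 24-character hex string; if it is a real ObjectID, which is partly timestamp-derived, its unpredictability is presumably far below that of a random secret, and the check deserves a comment stating the expected format, e.g. `// MG-X-API-TOKEN must equal the configured token and parse as an ObjectID`. In the header branch a failed `json.Unmarshal` still does a bare `return`, so that request is answered with an empty 200 instead of an error status. `api` begins before and continues past this hunk.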
@@ -502,20 +520,6 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
 }
 }
- var apiTokenObj primitive.ObjectID
- if !*devflag {
- apiToken := r.Header.Get("MG-X-API-TOKEN")
- if len(apiToken) > 0 {
- obj, err := primitive.ObjectIDFromHex(apiToken)
- if err != nil {
- logger.Error(err)
- w.WriteHeader(http.StatusBadRequest)
- return
- }
- apiTokenObj = obj
- }
- }
-
 logger.Println("api call :", r.URL.Path, r.Method, r.URL.Query(), userinfo)
 caller := apiCaller{
 userinfo: userinfo,
diff --git a/core/maingate.go b/core/maingate.go
index 7d61003..acadc82 100644
--- a/core/maingate.go
+++ b/core/maingate.go
@@ -123,6 +123,7 @@ func makeAuthCollection(mongoClient gocommon.MongoClient, sessionTTL time.Durati
 type maingateConfig struct {
 Mongo string `json:"maingate_mongodb_url"`
 SessionTTL int64 `json:"maingate_session_ttl"`
+ ApiToken string `json:"maingate_api_token"`
 Autologin_ttl int64 `json:"autologin_ttl"`
 AccDelTTL int64 `json:"acc_del_ttl"`
 MaximumNumLinkAccount int64 `json:"maximum_num_link_account"`
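Review bot: The new `ApiToken` field holds a secret whose format is constrained elsewhere, because core/api.go feeds the same header value to `primitive.ObjectIDFromHex` after matching it, but nothing on the field says so; a doc comment such as `// ApiToken is the shared secret accepted in the MG-X-API-TOKEN header; it must be a 24-character hex ObjectID, since api.go parses it with ObjectIDFromHex.` would keep an operator from configuring an arbitrary string that matches and then fails with 400. Go's initialism convention would spell the field `APIToken`, although the struct already mixes styles (`Autologin_ttl`), so that is a judgment call. `maingateConfig` continues past the hunk.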