diff --git a/.env.example b/.env.example
index bdd6950..0526ea8 100644
--- a/.env.example
+++ b/.env.example
@@ -42,6 +42,12 @@ VAPID_PRIVATE_KEY="UHDY8M3-0beVIA2kt2zL3ZeMStJ0j6zVkVd2Cfqpgrc"
 # API key for file operations (upload, delete, copy, view directory)
 WS_APIKEY="your-websocket-api-key"
 
+# ===========================================
+# MONITORING API
+# ===========================================
+# API key untuk akses endpoint /api/monitoring (header: x-api-key)
+MONITORING_API_KEY="your-monitoring-api-key"
+
 # ===========================================
 # APPLICATION SETTINGS
 # ===========================================
diff --git a/.mcp/deploy-stg/server.ts b/.mcp/deploy-stg/server.ts
index c3614e7..c84ea4f 100644
--- a/.mcp/deploy-stg/server.ts
+++ b/.mcp/deploy-stg/server.ts
@@ -197,7 +197,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 
       // 3. Push to build remote (GitHub)
       const currentBranch = GIT(["rev-parse", "--abbrev-ref", "HEAD"]);
-      GIT(["push", "build", `${currentBranch}:main`, "--force"]);
+      GIT(["push", "build", `${currentBranch}:stg`, "--force"]);
 
       // 4. Trigger publish
       GH([
diff --git a/package.json b/package.json
index 9f15aea..c7553a2 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sistem-desa-mandiri",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "private": true,
   "scripts": {
     "dev": "next dev --experimental-https",
diff --git a/prisma/migrations/20260430070147_auto/migration.sql b/prisma/migrations/20260430070147_auto/migration.sql
new file mode 100644
index 0000000..af5102c
--- /dev/null
+++ b/prisma/migrations/20260430070147_auto/migration.sql
@@ -0,0 +1 @@
+-- This is an empty migration.
\ No newline at end of file
diff --git a/src/app/api/monitoring/[[...slug]]/route.ts b/src/app/api/monitoring/[[...slug]]/route.ts
index 84c62af..f3ebf0b 100644
--- a/src/app/api/monitoring/[[...slug]]/route.ts
+++ b/src/app/api/monitoring/[[...slug]]/route.ts
@@ -25,6 +25,18 @@ const MonitoringServer = new Elysia({ prefix: "/api/monitoring" })
          }
       }
    }))
+   .onBeforeHandle(({ request, set, path }) => {
+      // Docs tidak perlu API key
+      if (path.startsWith("/api/monitoring/docs")) return;
+
+      const apiKey = process.env.MONITORING_API_KEY;
+      const incoming = request.headers.get("x-api-key");
+
+      if (!apiKey || incoming !== apiKey) {
+         set.status = 401;
+         return { success: false, message: "Unauthorized" };
+      }
+   })
 
    .get("/grid-overview", async ({ query, set }) => {
       try {
@@ -1503,7 +1515,7 @@ const MonitoringServer = new Elysia({ prefix: "/api/monitoring" })
             idUserRole: t.String({ description: "ID Role" }),
             idVillage: t.String({ description: "ID Desa" }),
             idGroup: t.String({ description: "ID Group" }),
-            idPosition: t.Optional(t.String({ description: "ID Posisi" })),
+            idPosition: t.Optional(t.Union([t.String(), t.Null()], { description: "ID Posisi" })),
             isActive: t.Boolean({ description: "Aktif" }),
             isWithoutOTP: t.Boolean({ description: "Tanpa OTP" }),
          }),