diff --git a/.env.example b/.env.example
index bdd6950..0526ea8 100644
--- a/.env.example
+++ b/.env.example
@@ -42,6 +42,12 @@ VAPID_PRIVATE_KEY="UHDY8M3-0beVIA2kt2zL3ZeMStJ0j6zVkVd2Cfqpgrc"
 # API key for file operations (upload, delete, copy, view directory)
 WS_APIKEY="your-websocket-api-key"
 
+# ===========================================
+# MONITORING API
+# ===========================================
+# API key untuk akses endpoint /api/monitoring (header: x-api-key)
+MONITORING_API_KEY="your-monitoring-api-key"
+
 # ===========================================
 # APPLICATION SETTINGS
 # ===========================================
diff --git a/src/app/api/monitoring/[[...slug]]/route.ts b/src/app/api/monitoring/[[...slug]]/route.ts
index 96e4cb4..f3ebf0b 100644
--- a/src/app/api/monitoring/[[...slug]]/route.ts
+++ b/src/app/api/monitoring/[[...slug]]/route.ts
@@ -25,6 +25,18 @@ const MonitoringServer = new Elysia({ prefix: "/api/monitoring" })
          }
       }
    }))
+   .onBeforeHandle(({ request, set, path }) => {
+      // Docs tidak perlu API key
+      if (path.startsWith("/api/monitoring/docs")) return;
+
+      const apiKey = process.env.MONITORING_API_KEY;
+      const incoming = request.headers.get("x-api-key");
+
+      if (!apiKey || incoming !== apiKey) {
+         set.status = 401;
+         return { success: false, message: "Unauthorized" };
+      }
+   })
 
    .get("/grid-overview", async ({ query, set }) => {
       try {