diff --git a/MCPForUnity/Editor/Constants/EditorPrefKeys.cs b/MCPForUnity/Editor/Constants/EditorPrefKeys.cs
index 30dcd2bb..d117af2f 100644
--- a/MCPForUnity/Editor/Constants/EditorPrefKeys.cs
+++ b/MCPForUnity/Editor/Constants/EditorPrefKeys.cs
@@ -21,6 +21,10 @@ internal static class EditorPrefKeys
         internal const string WebSocketUrlOverride = "MCPForUnity.WebSocketUrl";
         internal const string GitUrlOverride = "MCPForUnity.GitUrlOverride";
 
+        internal const string AuthToken = "MCPForUnity.AuthToken";
+        internal const string AuthEnabled = "MCPForUnity.AuthEnabled";
+        internal const string AuthAllowedIps = "MCPForUnity.AuthAllowedIps";
+
         internal const string ServerSrc = "MCPForUnity.ServerSrc";
         internal const string UseEmbeddedServer = "MCPForUnity.UseEmbeddedServer";
         internal const string LockCursorConfig = "MCPForUnity.LockCursorConfig";
diff --git a/MCPForUnity/Editor/Helpers/AssetPathUtility.cs b/MCPForUnity/Editor/Helpers/AssetPathUtility.cs
index a310c6e1..a10e170e 100644
--- a/MCPForUnity/Editor/Helpers/AssetPathUtility.cs
+++ b/MCPForUnity/Editor/Helpers/AssetPathUtility.cs
@@ -170,6 +170,7 @@ public static (string uvxPath, string fromUrl, string packageName) GetUvxCommand
         {
             string uvxPath = MCPServiceLocator.Paths.GetUvxPath();
             string fromUrl = GetMcpServerGitUrl();
+            // Default uvx package name
             string packageName = "mcp-for-unity";
 
             return (uvxPath, fromUrl, packageName);
diff --git a/MCPForUnity/Editor/Helpers/AuthPreferencesUtility.cs b/MCPForUnity/Editor/Helpers/AuthPreferencesUtility.cs
new file mode 100644
index 00000000..f7e29ba8
--- /dev/null
+++ b/MCPForUnity/Editor/Helpers/AuthPreferencesUtility.cs
@@ -0,0 +1,139 @@
+using System;
+using System.IO;
+using MCPForUnity.Editor.Constants;
+using UnityEditor;
+
+namespace MCPForUnity.Editor.Helpers
+{
+    internal static class AuthPreferencesUtility
+    {
+        private static string ApiKeyPrefKey => EditorPrefKeys.AuthToken;
+        private static string AuthEnabledPrefKey => EditorPrefKeys.AuthEnabled;
+        private static string AllowedIpsPrefKey => EditorPrefKeys.AuthAllowedIps;
+
+        internal static bool IsAuthEnabled()
+        {
+            return EditorPrefs.GetBool(AuthEnabledPrefKey, false);
+        }
+
+        internal static void SetAuthEnabled(bool enabled)
+        {
+            EditorPrefs.SetBool(AuthEnabledPrefKey, enabled);
+        }
+
+        internal static string GetAllowedIps()
+        {
+            string stored = EditorPrefs.GetString(AllowedIpsPrefKey, string.Empty);
+            return string.IsNullOrWhiteSpace(stored) ? "*" : stored;
+        }
+
+        internal static void SetAllowedIps(string allowedIps)
+        {
+            string value = string.IsNullOrWhiteSpace(allowedIps) ? "*" : allowedIps;
+            EditorPrefs.SetString(AllowedIpsPrefKey, value);
+        }
+
+        internal static string GetApiKey(bool ensureExists = true)
+        {
+            // Prefer EditorPrefs for quick access
+            string apiKey = EditorPrefs.GetString(ApiKeyPrefKey, string.Empty);
+
+            if (string.IsNullOrEmpty(apiKey) && ensureExists)
+            {
+                apiKey = TryReadApiKeyFromDisk();
+                if (string.IsNullOrEmpty(apiKey))
+                {
+                    apiKey = GenerateNewApiKey();
+                }
+
+                EditorPrefs.SetString(ApiKeyPrefKey, apiKey);
+                TryPersistApiKey(apiKey);
+            }
+
+            return apiKey;
+        }
+
+        internal static void SetApiKey(string apiKey)
+        {
+            if (string.IsNullOrEmpty(apiKey))
+            {
+                apiKey = GenerateNewApiKey();
+            }
+
+            EditorPrefs.SetString(ApiKeyPrefKey, apiKey);
+            TryPersistApiKey(apiKey);
+        }
+
+        internal static string GenerateNewApiKey()
+        {
+            // 32 bytes -> ~43 base64url chars without padding; mirrors server token_urlsafe
+            var bytes = new byte[32];
+            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
+            {
+                rng.GetBytes(bytes);
+            }
+
+            string base64 = Convert.ToBase64String(bytes)
+                .TrimEnd('=')
+                .Replace('+', '-')
+                .Replace('/', '_');
+
+            return base64;
+        }
+
+        internal static string GetApiKeyFilePath()
+        {
+            // Keep UI in lockstep with server path resolution (supports UNITY_MCP_HOME override)
+            string overrideRoot = Environment.GetEnvironmentVariable("UNITY_MCP_HOME");
+            if (!string.IsNullOrEmpty(overrideRoot))
+            {
+            return Path.Combine(overrideRoot, "api_key");
+            }
+
+    #if UNITY_EDITOR_WIN
+            string root = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
+            return Path.Combine(root, "UnityMCP", "api_key");
+    #elif UNITY_EDITOR_OSX
+            string root = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Personal), "Library", "Application Support", "UnityMCP");
+            return Path.Combine(root, "api_key");
+    #else
+            string root = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Personal), ".local", "share", "UnityMCP");
+            return Path.Combine(root, "api_key");
+    #endif
+        }
+
+        private static string TryReadApiKeyFromDisk()
+        {
+            try
+            {
+                string path = GetApiKeyFilePath();
+                if (!File.Exists(path))
+                {
+                    return string.Empty;
+                }
+
+                string content = File.ReadAllText(path).Trim();
+                return content;
+            }
+            catch (Exception)
+            {
+                // Fall back to generating a new key if reading fails
+                return string.Empty;
+            }
+        }
+
+        private static void TryPersistApiKey(string apiKey)
+        {
+            try
+            {
+                string path = GetApiKeyFilePath();
+                Directory.CreateDirectory(Path.GetDirectoryName(path));
+                File.WriteAllText(path, apiKey);
+            }
+            catch (Exception)
+            {
+                // Non-fatal: user can still copy the key from the UI
+            }
+        }
+    }
+}
diff --git a/MCPForUnity/Editor/Helpers/AuthPreferencesUtility.cs.meta b/MCPForUnity/Editor/Helpers/AuthPreferencesUtility.cs.meta
new file mode 100644
index 00000000..378102c3
--- /dev/null
+++ b/MCPForUnity/Editor/Helpers/AuthPreferencesUtility.cs.meta
@@ -0,0 +1,11 @@
+fileFormatVersion: 2
+guid: a8e3b3c33c4f4f3e8c0f6f6a6f0a0c1f
+MonoImporter:
+  externalObjects: {}
+  serializedVersion: 2
+  defaultReferences: []
+  executionOrder: 0
+  icon: {fileID: 0}
+  userData: 
+  assetBundleName: 
+  assetBundleVariant: 
diff --git a/MCPForUnity/Editor/Helpers/ConfigJsonBuilder.cs b/MCPForUnity/Editor/Helpers/ConfigJsonBuilder.cs
index 3c0ba705..29672352 100644
--- a/MCPForUnity/Editor/Helpers/ConfigJsonBuilder.cs
+++ b/MCPForUnity/Editor/Helpers/ConfigJsonBuilder.cs
@@ -15,6 +15,7 @@ namespace MCPForUnity.Editor.Helpers
 {
     public static class ConfigJsonBuilder
     {
+        private const string ApiKeyInputKey = "UnityMcpApiKey";
         public static string BuildManualConfigJson(string uvPath, McpClient client)
         {
             var root = new JObject();
@@ -22,7 +23,7 @@ public static string BuildManualConfigJson(string uvPath, McpClient client)
             JObject container = isVSCode ? EnsureObject(root, "servers") : EnsureObject(root, "mcpServers");
 
             var unity = new JObject();
-            PopulateUnityNode(unity, uvPath, client, isVSCode);
+            PopulateUnityNode(root, unity, uvPath, client, isVSCode);
 
             container["unityMCP"] = unity;
 
@@ -35,7 +36,7 @@ public static JObject ApplyUnityServerToExistingConfig(JObject root, string uvPa
             bool isVSCode = client?.IsVsCodeLayout == true;
             JObject container = isVSCode ? EnsureObject(root, "servers") : EnsureObject(root, "mcpServers");
             JObject unity = container["unityMCP"] as JObject ?? new JObject();
-            PopulateUnityNode(unity, uvPath, client, isVSCode);
+            PopulateUnityNode(root, unity, uvPath, client, isVSCode);
 
             container["unityMCP"] = unity;
             return root;
@@ -48,10 +49,11 @@ public static JObject ApplyUnityServerToExistingConfig(JObject root, string uvPa
         /// - Adds transport configuration (HTTP or stdio)
         /// - Adds disabled:false for Windsurf/Kiro only when missing
         /// </summary>
-        private static void PopulateUnityNode(JObject unity, string uvPath, McpClient client, bool isVSCode)
+        private static void PopulateUnityNode(JObject root, JObject unity, string uvPath, McpClient client, bool isVSCode)
         {
             // Get transport preference (default to HTTP)
             bool useHttpTransport = client?.SupportsHttpTransport != false && EditorPrefs.GetBool(EditorPrefKeys.UseHttpTransport, true);
+            bool authEnabled = AuthPreferencesUtility.IsAuthEnabled();
             string httpProperty = string.IsNullOrEmpty(client?.HttpUrlProperty) ? "url" : client.HttpUrlProperty;
             var urlPropsToRemove = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "url", "serverUrl" };
             urlPropsToRemove.Remove(httpProperty);
@@ -62,6 +64,72 @@ private static void PopulateUnityNode(JObject unity, string uvPath, McpClient cl
                 string httpUrl = HttpEndpointUtility.GetMcpRpcUrl();
                 unity[httpProperty] = httpUrl;
 
+                var inputs = root["inputs"] as JArray ?? new JArray();
+
+                if (authEnabled)
+                {
+                    // Add API key header with input binding and prompt definition
+                    var headers = unity["headers"] as JObject ?? new JObject();
+                    // Remove legacy auth header if present
+                    if (headers["Authorization"] != null)
+                    {
+                        headers.Remove("Authorization");
+                    }
+                    headers["X-API-Key"] = "${input:UnityMcpApiKey}";
+                    unity["headers"] = headers;
+
+                    var existing = inputs
+                        .OfType<JObject>()
+                        .FirstOrDefault(o => string.Equals((string)o["id"], ApiKeyInputKey, StringComparison.Ordinal));
+                    if (existing == null)
+                    {
+                        existing = new JObject();
+                        inputs.Add(existing);
+                    }
+
+                    // Drop legacy Authorization input if it exists
+                    foreach (var legacy in inputs
+                                 .OfType<JObject>()
+                                 .Where(o => string.Equals((string)o["id"], "Authorization", StringComparison.Ordinal))
+                                 .ToList())
+                    {
+                        inputs.Remove(legacy);
+                    }
+
+                    existing["id"] = ApiKeyInputKey;
+                    existing["type"] = "promptString";
+                    existing["description"] = "Unity MCP API Key";
+                    existing["password"] = true;
+
+                    root["inputs"] = inputs;
+                }
+                else
+                {
+                    // Remove auth inputs and headers when disabled
+                    foreach (var legacy in inputs
+                                 .OfType<JObject>()
+                                 .Where(o => string.Equals((string)o["id"], ApiKeyInputKey, StringComparison.Ordinal) ||
+                                             string.Equals((string)o["id"], "Authorization", StringComparison.Ordinal))
+                                 .ToList())
+                    {
+                        inputs.Remove(legacy);
+                    }
+
+                    if (inputs.Count > 0)
+                    {
+                        root["inputs"] = inputs;
+                    }
+                    else if (root["inputs"] != null)
+                    {
+                        root.Remove("inputs");
+                    }
+
+                    if (unity["headers"] != null)
+                    {
+                        unity.Remove("headers");
+                    }
+                }
+
                 foreach (var prop in urlPropsToRemove)
                 {
                     if (unity[prop] != null) unity.Remove(prop);
@@ -75,6 +143,9 @@ private static void PopulateUnityNode(JObject unity, string uvPath, McpClient cl
                 {
                     unity["type"] = "http";
                 }
+
+                // Set version field
+                unity["version"] = AssetPathUtility.GetPackageVersion();
             }
             else
             {
@@ -106,6 +177,9 @@ private static void PopulateUnityNode(JObject unity, string uvPath, McpClient cl
                 {
                     unity["type"] = "stdio";
                 }
+
+                // Set version field
+                unity["version"] = AssetPathUtility.GetPackageVersion();
             }
 
             // Remove type for non-VSCode clients
diff --git a/MCPForUnity/Editor/Models/MCPConfigServer.cs b/MCPForUnity/Editor/Models/MCPConfigServer.cs
index fbffed37..aade7107 100644
--- a/MCPForUnity/Editor/Models/MCPConfigServer.cs
+++ b/MCPForUnity/Editor/Models/MCPConfigServer.cs
@@ -15,5 +15,8 @@ public class McpConfigServer
         // VSCode expects a transport type; include only when explicitly set
         [JsonProperty("type", NullValueHandling = NullValueHandling.Ignore)]
         public string type;
+
+        [JsonProperty("version", NullValueHandling = NullValueHandling.Ignore)]
+        public string version;
     }
 }
diff --git a/MCPForUnity/Editor/Services/ServerManagementService.cs b/MCPForUnity/Editor/Services/ServerManagementService.cs
index 31927533..53dc298a 100644
--- a/MCPForUnity/Editor/Services/ServerManagementService.cs
+++ b/MCPForUnity/Editor/Services/ServerManagementService.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using MCPForUnity.Editor.Constants;
@@ -368,11 +369,41 @@ public bool TryGetLocalHttpServerCommand(out string command, out string error)
                 return false;
             }
 
-            string args = string.IsNullOrEmpty(fromUrl)
-                ? $"{packageName} --transport http --http-url {httpUrl}"
-                : $"--from {fromUrl} {packageName} --transport http --http-url {httpUrl}";
+            var args = new List<string>();
 
-            command = $"{uvxPath} {args}";
+            if (!string.IsNullOrEmpty(fromUrl))
+            {
+                args.Add("--from");
+                args.Add(fromUrl);
+            }
+
+            args.Add(packageName);
+            args.Add("--transport");
+            args.Add("http");
+            args.Add("--http-url");
+            args.Add(httpUrl);
+
+            bool authEnabled = AuthPreferencesUtility.IsAuthEnabled();
+            if (authEnabled)
+            {
+                args.Add("--auth-enabled");
+
+                string allowedIps = AuthPreferencesUtility.GetAllowedIps();
+                if (!string.IsNullOrWhiteSpace(allowedIps))
+                {
+                    args.Add("--allowed-ips");
+                    args.Add(allowedIps);
+                }
+
+                string apiKey = AuthPreferencesUtility.GetApiKey();
+                if (!string.IsNullOrEmpty(apiKey))
+                {
+                    args.Add("--auth-token");
+                    args.Add(apiKey);
+                }
+            }
+
+            command = $"{QuoteArgument(uvxPath)} {string.Join(" ", args.Select(QuoteArgument))}".Trim();
             return true;
         }
 
@@ -516,5 +547,17 @@ private System.Diagnostics.ProcessStartInfo CreateTerminalProcessStartInfo(strin
             };
 #endif
         }
+
+        private static string QuoteArgument(string arg)
+        {
+            if (string.IsNullOrEmpty(arg))
+            {
+                return "\"\"";
+            }
+
+            bool needsQuotes = arg.IndexOfAny(new[] { ' ', '\"' }) >= 0;
+            return needsQuotes ? $"\"{arg.Replace("\"", "\\\"")}\"" : arg;
+        }
+
     }
 }
diff --git a/MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs b/MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs
index 35011a80..561bcf33 100644
--- a/MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs
+++ b/MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs
@@ -190,10 +190,34 @@ private async Task<bool> EstablishConnectionAsync(CancellationToken token)
             _socket = new ClientWebSocket();
             _socket.Options.KeepAliveInterval = _socketKeepAliveInterval;
 
+            // Send auth headers only when enabled
+            if (AuthPreferencesUtility.IsAuthEnabled())
+            {
+                string apiKey = AuthPreferencesUtility.GetApiKey();
+                if (!string.IsNullOrEmpty(apiKey))
+                {
+                    _socket.Options.SetRequestHeader("X-API-Key", apiKey);
+                    _socket.Options.SetRequestHeader("Authorization", $"Bearer {apiKey}");
+                }
+            }
+
             try
             {
                 await _socket.ConnectAsync(_endpointUri, connectionToken).ConfigureAwait(false);
             }
+            catch (WebSocketException wse)
+            {
+                string msg = wse.Message ?? string.Empty;
+                if (msg.Contains("401") || msg.Contains("403"))
+                {
+                    McpLog.Error("[WebSocket] Connection failed: unauthorized (check API key)");
+                }
+                else
+                {
+                    McpLog.Error($"[WebSocket] Connection failed: {wse.Message}");
+                }
+                return false;
+            }
             catch (Exception ex)
             {
                 McpLog.Error($"[WebSocket] Connection failed: {ex.Message}");
diff --git a/MCPForUnity/Editor/Windows/Components/Auth.meta b/MCPForUnity/Editor/Windows/Components/Auth.meta
new file mode 100644
index 00000000..7b7f9688
--- /dev/null
+++ b/MCPForUnity/Editor/Windows/Components/Auth.meta
@@ -0,0 +1,8 @@
+fileFormatVersion: 2
+guid: 2f1f5be7b6d740f8a56d5f3a65f6b9a3
+folderAsset: yes
+DefaultImporter:
+  externalObjects: {}
+  userData: 
+  assetBundleName: 
+  assetBundleVariant: 
diff --git a/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs b/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs
index 9b2cc933..3d6d5a76 100644
--- a/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs
+++ b/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs
@@ -26,12 +26,20 @@ private enum TransportProtocol
 
         // UI Elements
         private EnumField transportDropdown;
+        private Toggle authEnabledToggle;
+        private VisualElement authToggleRow;
+        private VisualElement allowedIpsRow;
+        private TextField allowedIpsField;
         private VisualElement httpUrlRow;
         private VisualElement httpServerCommandSection;
         private TextField httpServerCommandField;
         private Button copyHttpServerCommandButton;
         private Label httpServerCommandHint;
         private TextField httpUrlField;
+        private VisualElement apiKeyRow;
+        private TextField apiKeyField;
+        private Button copyApiKeyButton;
+        private Button regenerateApiKeyButton;
         private Button startHttpServerButton;
         private Button stopHttpServerButton;
         private VisualElement unitySocketPortRow;
@@ -69,12 +77,20 @@ public McpConnectionSection(VisualElement root)
         private void CacheUIElements()
         {
             transportDropdown = Root.Q<EnumField>("transport-dropdown");
+            authEnabledToggle = Root.Q<Toggle>("auth-enabled-toggle");
+            authToggleRow = Root.Q<VisualElement>("auth-toggle-row");
+            allowedIpsRow = Root.Q<VisualElement>("allowed-ips-row");
+            allowedIpsField = Root.Q<TextField>("allowed-ips-field");
             httpUrlRow = Root.Q<VisualElement>("http-url-row");
             httpServerCommandSection = Root.Q<VisualElement>("http-server-command-section");
             httpServerCommandField = Root.Q<TextField>("http-server-command");
             copyHttpServerCommandButton = Root.Q<Button>("copy-http-server-command-button");
             httpServerCommandHint = Root.Q<Label>("http-server-command-hint");
             httpUrlField = Root.Q<TextField>("http-url");
+            apiKeyRow = Root.Q<VisualElement>("api-key-row");
+            apiKeyField = Root.Q<TextField>("api-key-field");
+            copyApiKeyButton = Root.Q<Button>("copy-api-key-button");
+            regenerateApiKeyButton = Root.Q<Button>("regenerate-api-key-button");
             startHttpServerButton = Root.Q<Button>("start-http-server-button");
             stopHttpServerButton = Root.Q<Button>("stop-http-server-button");
             unitySocketPortRow = Root.Q<VisualElement>("unity-socket-port-row");
@@ -95,6 +111,23 @@ private void InitializeUI()
 
             httpUrlField.value = HttpEndpointUtility.GetBaseUrl();
 
+            bool authEnabled = AuthPreferencesUtility.IsAuthEnabled();
+            if (authEnabledToggle != null)
+            {
+                authEnabledToggle.value = authEnabled;
+            }
+            if (allowedIpsField != null)
+            {
+                allowedIpsField.value = AuthPreferencesUtility.GetAllowedIps();
+            }
+
+            if (apiKeyField != null)
+            {
+                apiKeyField.isPasswordField = true;
+                apiKeyField.isReadOnly = true;
+                RefreshAuthUi();
+            }
+
             int unityPort = EditorPrefs.GetInt(EditorPrefKeys.UnitySocketPort, 0);
             if (unityPort == 0)
             {
@@ -126,6 +159,26 @@ private void RegisterCallbacks()
                 RefreshHttpUi();
             });
 
+            if (authEnabledToggle != null)
+            {
+                authEnabledToggle.RegisterValueChangedCallback(evt =>
+                {
+                    bool enabled = evt.newValue;
+                    AuthPreferencesUtility.SetAuthEnabled(enabled);
+                    RefreshAuthUi();
+                    OnManualConfigUpdateRequested?.Invoke();
+                });
+            }
+
+            if (allowedIpsField != null)
+            {
+                allowedIpsField.RegisterValueChangedCallback(evt =>
+                {
+                    AuthPreferencesUtility.SetAllowedIps(evt.newValue);
+                    OnManualConfigUpdateRequested?.Invoke();
+                });
+            }
+
             if (startHttpServerButton != null)
             {
                 startHttpServerButton.clicked += OnStartLocalHttpServerClicked;
@@ -160,6 +213,38 @@ private void RegisterCallbacks()
 
             connectionToggleButton.clicked += OnConnectionToggleClicked;
             testConnectionButton.clicked += OnTestConnectionClicked;
+
+            if (copyApiKeyButton != null)
+            {
+                copyApiKeyButton.clicked += () =>
+                {
+                    if (!AuthPreferencesUtility.IsAuthEnabled())
+                    {
+                        return;
+                    }
+                    string apiKey = AuthPreferencesUtility.GetApiKey();
+                    if (!string.IsNullOrEmpty(apiKey))
+                    {
+                        EditorGUIUtility.systemCopyBuffer = apiKey;
+                        McpLog.Info("API key copied to clipboard.");
+                    }
+                };
+            }
+
+            if (regenerateApiKeyButton != null)
+            {
+                regenerateApiKeyButton.clicked += () =>
+                {
+                    if (!AuthPreferencesUtility.IsAuthEnabled())
+                    {
+                        return;
+                    }
+                    string newKey = AuthPreferencesUtility.GenerateNewApiKey();
+                    AuthPreferencesUtility.SetApiKey(newKey);
+                    UpdateApiKeyField();
+                    OnManualConfigUpdateRequested?.Invoke();
+                };
+            }
         }
 
         public void UpdateConnectionStatus()
@@ -225,6 +310,7 @@ public void UpdateHttpServerCommandDisplay()
             }
 
             httpServerCommandSection.style.display = DisplayStyle.Flex;
+            RefreshAuthUi();
 
             if (MCPServiceLocator.Server.TryGetLocalHttpServerCommand(out var command, out var error))
             {
@@ -254,12 +340,62 @@ public void UpdateHttpServerCommandDisplay()
             }
         }
 
+        private void RefreshAuthUi()
+        {
+            bool enabled = AuthPreferencesUtility.IsAuthEnabled();
+            bool useHttp = transportDropdown != null && (TransportProtocol)transportDropdown.value == TransportProtocol.HTTP;
+            bool active = enabled && useHttp;
+
+            UpdateAuthVisibility(active);
+            UpdateAuthControlState(active);
+
+            if (active)
+            {
+                EnsureApiKeyExists();
+                UpdateApiKeyField();
+            }
+            else if (apiKeyField != null)
+            {
+                apiKeyField.value = string.Empty;
+            }
+        }
+
+        private void UpdateAuthVisibility(bool enabled)
+        {
+            if (allowedIpsRow != null)
+            {
+                allowedIpsRow.style.display = enabled ? DisplayStyle.Flex : DisplayStyle.None;
+            }
+
+            if (apiKeyRow != null)
+            {
+                apiKeyRow.style.display = enabled ? DisplayStyle.Flex : DisplayStyle.None;
+            }
+        }
+
+        private void UpdateAuthControlState(bool enabled)
+        {
+            allowedIpsField?.SetEnabled(enabled);
+            apiKeyField?.SetEnabled(enabled);
+            copyApiKeyButton?.SetEnabled(enabled);
+            regenerateApiKeyButton?.SetEnabled(enabled);
+        }
+
         private void UpdateHttpFieldVisibility()
         {
             bool useHttp = (TransportProtocol)transportDropdown.value == TransportProtocol.HTTP;
 
             httpUrlRow.style.display = useHttp ? DisplayStyle.Flex : DisplayStyle.None;
             unitySocketPortRow.style.display = useHttp ? DisplayStyle.None : DisplayStyle.Flex;
+
+            if (authToggleRow != null)
+            {
+                authToggleRow.style.display = useHttp ? DisplayStyle.Flex : DisplayStyle.None;
+            }
+            if (!useHttp)
+            {
+                UpdateAuthVisibility(false);
+            }
         }
 
         private void UpdateStartHttpButtonState()
@@ -292,6 +428,7 @@ private void UpdateStartHttpButtonState()
 
         private void RefreshHttpUi()
         {
+            RefreshAuthUi();
             UpdateStartHttpButtonState();
             UpdateHttpServerCommandDisplay();
         }
@@ -497,6 +634,29 @@ private async Task VerifyBridgeConnectionInternalAsync()
                     lastHealthStatus = newStatus;
                 }
             }
+
+        }
+
+        private void EnsureApiKeyExists()
+        {
+            if (!AuthPreferencesUtility.IsAuthEnabled())
+            {
+                return;
+            }
+
+            string current = AuthPreferencesUtility.GetApiKey(ensureExists: false);
+            if (string.IsNullOrEmpty(current))
+            {
+                AuthPreferencesUtility.SetApiKey(AuthPreferencesUtility.GenerateNewApiKey());
+            }
+        }
+
+        private void UpdateApiKeyField()
+        {
+            if (apiKeyField != null)
+            {
+                apiKeyField.value = AuthPreferencesUtility.GetApiKey(ensureExists: false);
+            }
         }
     }
 }
diff --git a/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.uxml b/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.uxml
index 14e3babc..f0bd10da 100644
--- a/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.uxml
+++ b/MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.uxml
@@ -11,6 +11,20 @@
                 <ui:Label text="HTTP URL:" class="setting-label" />
                 <ui:TextField name="http-url" class="url-field" placeholder-text="http://localhost:8080" />
             </ui:VisualElement>
+            <ui:VisualElement class="setting-row" name="auth-toggle-row">
+                <ui:Label text="Authentication (recommended):" class="setting-label" />
+                <ui:Toggle name="auth-enabled-toggle" class="setting-toggle" />
+            </ui:VisualElement>
+            <ui:VisualElement class="setting-row" name="allowed-ips-row">
+                <ui:Label text="Allowed IPs:" class="setting-label" />
+                <ui:TextField name="allowed-ips-field" class="url-field" placeholder-text="* or 127.0.0.1,10.0.0.0/8" />
+            </ui:VisualElement>
+            <ui:VisualElement class="setting-row" name="api-key-row">
+                <ui:Label text="API Key:" class="setting-label" />
+                <ui:TextField name="api-key-field" class="url-field" readonly="true" />
+                <ui:Button name="copy-api-key-button" text="Copy" class="icon-button" />
+                <ui:Button name="regenerate-api-key-button" text="Regenerate" class="icon-button" />
+            </ui:VisualElement>
             <ui:VisualElement name="http-server-command-section" class="manual-config-content">
                 <ui:Label text="Use this command to launch the server manually:" class="config-label" />
                 <ui:VisualElement class="config-json-row">
diff --git a/MCPForUnity/Editor/Windows/Components/Settings/McpSettingsSection.cs b/MCPForUnity/Editor/Windows/Components/Settings/McpSettingsSection.cs
index 55a4c665..c42a7e4a 100644
--- a/MCPForUnity/Editor/Windows/Components/Settings/McpSettingsSection.cs
+++ b/MCPForUnity/Editor/Windows/Components/Settings/McpSettingsSection.cs
@@ -128,6 +128,7 @@ private void RegisterCallbacks()
                 OnGitUrlChanged?.Invoke();
                 OnHttpServerCommandUpdateRequested?.Invoke();
             };
+
         }
 
         public void UpdatePathOverrides()
@@ -159,6 +160,7 @@ public void UpdatePathOverrides()
             }
 
             gitUrlOverride.value = EditorPrefs.GetString(EditorPrefKeys.GitUrlOverride, "");
+
         }
 
         private void UpdateVersionLabel()
diff --git a/MCPForUnity/README.md b/MCPForUnity/README.md
index b4048f5e..6e5aed55 100644
--- a/MCPForUnity/README.md
+++ b/MCPForUnity/README.md
@@ -77,6 +77,13 @@ Notes:
 
 ---
 
+## Authentication
+- Auth is always on. The API key lives in the **Connection** section (under the HTTP URL) with Copy and Regenerate buttons.
+- The same key is stored on disk for the server to read automatically; clients are prompted for it when auto-config runs.
+- Requests use `X-API-Key` (or `Authorization: Bearer <key>` for compatibility) on every call.
+
+---
+
 ## Troubleshooting
 - Python or `uv` not found:
   - Help: [Fix MCP for Unity with Cursor, VS Code & Windsurf](https://github.com/CoplayDev/unity-mcp/wiki/1.-Fix-Unity-MCP-and-Cursor,-VSCode-&-Windsurf)
diff --git a/README.md b/README.md
index 97510019..81a95e76 100644
--- a/README.md
+++ b/README.md
@@ -235,7 +235,8 @@ claude mcp add --scope user UnityMCP -- "C:/Users/USERNAME/AppData/Local/Microso
   "servers": {
     "unityMCP": {
       "type": "http",
-      "url": "http://localhost:8080/mcp"
+      "url": "http://localhost:8080/mcp",
+      "headers": { "X-API-Key": "<your key>" }
     }
   }
 }
@@ -248,7 +249,7 @@ claude mcp add --scope user UnityMCP -- "C:/Users/USERNAME/AppData/Local/Microso
   "mcpServers": {
     "unityMCP": {
       "url": "http://localhost:8080/mcp"
-    }
+      "headers": { "X-API-Key": "<your key>" }
   }
 }
 ```
diff --git a/Server/README.md b/Server/README.md
index a18554be..b4f112d9 100644
--- a/Server/README.md
+++ b/Server/README.md
@@ -26,42 +26,8 @@ Run directly from GitHub without installation:
 uvx --from git+https://github.com/CoplayDev/unity-mcp@v8.1.6#subdirectory=Server \
     mcp-for-unity --transport http --http-url http://localhost:8080
 
-# Stdio
-uvx --from git+https://github.com/CoplayDev/unity-mcp@v8.1.6#subdirectory=Server \
-    mcp-for-unity --transport stdio
-```
-
-**MCP Client Configuration (HTTP):**
-
-```json
-{
-  "mcpServers": {
-    "UnityMCP": {
-      "url": "http://localhost:8080/mcp"
-    }
-  }
-}
 ```
 
-**MCP Client Configuration (stdio):**
-
-```json
-{
-  "mcpServers": {
-    "UnityMCP": {
-      "command": "uvx",
-      "args": [
-        "--from",
-        "git+https://github.com/CoplayDev/unity-mcp@v8.1.6#subdirectory=Server",
-        "mcp-for-unity",
-        "--transport",
-        "stdio"
-      ],
-      "type": "stdio"
-    }
-  }
-}
-```
 
 ### Option 2: Using uv (Local Installation)
 
@@ -84,7 +50,8 @@ uv run server.py --transport stdio
 {
   "mcpServers": {
     "UnityMCP": {
-      "url": "http://localhost:8080/mcp"
+      "url": "http://localhost:8080/mcp",
+      "headers": { "X-API-Key": "<your key>" }
     }
   }
 }
@@ -135,49 +102,25 @@ docker build -t unity-mcp-server .
 docker run -p 8080:8080 unity-mcp-server --transport http --http-url http://0.0.0.0:8080
 ```
 
-Configure your MCP client with `"url": "http://localhost:8080/mcp"`. For stdio-in-docker (rare), run the container with `--transport stdio` and use the same `command`/`args` pattern as the uv examples, wrapping it in `docker run -i ...` if needed.
+Configure your MCP client with `"url": "http://localhost:8080/mcp"` and include the `X-API-Key` header. For stdio-in-docker (rare), run the container with `--transport stdio` and use the same `command`/`args` pattern as the uv examples, wrapping it in `docker run -i ...` if needed.
 
 ---
 
 ## Configuration
-
-The server connects to Unity Editor automatically when both are running. No additional configuration needed.
-
-**Environment Variables:**
-
+The server connects to Unity Editor automatically when both are running.
+
+**Authentication (optional; disabled by default)**
+- Toggle with `--auth-enabled` (or `UNITY_MCP_AUTH_ENABLED=1`).
+- Allowlist with `--allowed-ips "127.0.0.1,10.0.0.0/8"` (or `UNITY_MCP_ALLOWED_IPS`). Default `*`.
+- Token with `--auth-token <value>` (or `UNITY_MCP_AUTH_TOKEN`). If omitted while enabled, the server generates one; empty string skips token checks.
+- Token file lives at `api_key` (auto-created when needed):
+  - macOS: `~/Library/Application Support/UnityMCP/api_key`
+  - Windows: `%LOCALAPPDATA%\UnityMCP/api_key`
+  - Linux: `~/.local/share/UnityMCP/api_key`
+- HTTP clients send `X-API-Key: <key>`. When auth is disabled, no auth headers are required.
+
+**Environment/flags**
 - `DISABLE_TELEMETRY=true` - Opt out of anonymous usage analytics
 - `LOG_LEVEL=DEBUG` - Enable detailed logging (default: INFO)
 
 ---
-
-## Example Prompts
-
-Once connected, try these commands in your AI assistant:
-
-- "Create a 3D player controller with WASD movement"
-- "Add a rotating cube to the scene with a red material"
-- "Create a simple platformer level with obstacles"
-- "Generate a shader that creates a holographic effect"
-- "List all GameObjects in the current scene"
-
----
-
-## Documentation
-
-For complete documentation, troubleshooting, and advanced usage:
-
-📖 **[Full Documentation](https://github.com/CoplayDev/unity-mcp#readme)**
-
----
-
-## Requirements
-
-- **Python:** 3.10 or newer
-- **Unity Editor:** 2021.3 LTS or newer
-- **uv:** Python package manager ([Installation Guide](https://docs.astral.sh/uv/getting-started/installation/))
-
----
-
-## License
-
-MIT License - See [LICENSE](https://github.com/CoplayDev/unity-mcp/blob/main/LICENSE)
diff --git a/Server/src/core/auth/__init__.py b/Server/src/core/auth/__init__.py
new file mode 100644
index 00000000..f7843c8f
--- /dev/null
+++ b/Server/src/core/auth/__init__.py
@@ -0,0 +1,51 @@
+"""Authentication utilities for MCP for Unity.
+
+This package centralizes auth settings, guards, and middleware to keep
+the auth surface consistent across HTTP, WebSocket, and FastMCP tool
+invocations.
+"""
+
+from .settings import (
+    AuthSettings,
+    DEFAULT_ALLOWED_IPS,
+    build_auth_settings,
+    get_api_key_path,
+    load_or_create_api_key,
+)
+from .guard import AuthGuard, verify_http_request, verify_websocket, unauthorized_response
+from .middleware import AuthMiddleware, build_http_auth_guard
+
+
+def auth_settings(*, enabled: bool = False, token: str | None = None, allowed_ips=None) -> AuthSettings:
+    return build_auth_settings(enabled=enabled, token=token, allowed_ips=allowed_ips)
+
+
+def auth_guard(settings: AuthSettings) -> AuthGuard:
+    return AuthGuard(settings)
+
+
+def auth_middleware(settings: AuthSettings) -> AuthMiddleware:
+    return AuthMiddleware(settings)
+
+
+def http_auth_guard(settings: AuthSettings, path_prefix: str = "/mcp"):
+    return build_http_auth_guard(settings, path_prefix=path_prefix)
+
+
+__all__ = [
+    "auth_settings",
+    "auth_guard",
+    "auth_middleware",
+    "http_auth_guard",
+    "verify_http_request",
+    "verify_websocket",
+    "unauthorized_response",
+    "get_api_key_path",
+    "load_or_create_api_key",
+    "DEFAULT_ALLOWED_IPS",
+    "AuthSettings",
+    "AuthGuard",
+    "AuthMiddleware",
+    "build_auth_settings",
+    "build_http_auth_guard",
+]
diff --git a/Server/src/core/auth/guard.py b/Server/src/core/auth/guard.py
new file mode 100644
index 00000000..91d77bad
--- /dev/null
+++ b/Server/src/core/auth/guard.py
@@ -0,0 +1,113 @@
+"""Auth guards shared by HTTP and WebSocket surfaces."""
+
+from __future__ import annotations
+
+import ipaddress
+import logging
+from typing import Iterable, Mapping
+
+from starlette.requests import Request
+from starlette.responses import JSONResponse
+from starlette.websockets import WebSocket
+
+from .settings import AuthSettings
+
+logger = logging.getLogger("mcp-for-unity-server")
+
+
+def _ip_in_allowlist(ip: str | None, allowed: Iterable[str]) -> bool:
+    if ip is None:
+        return False
+    try:
+        candidate = ipaddress.ip_address(ip)
+    except ValueError:
+        return False
+
+    for pattern in allowed:
+        pat = pattern.strip()
+        if pat == "*":
+            return True
+        try:
+            net = ipaddress.ip_network(pat, strict=False)
+            if candidate in net:
+                return True
+        except ValueError:
+            try:
+                if candidate == ipaddress.ip_address(pat):
+                    return True
+            except ValueError:
+                continue
+    return False
+
+
+def _extract_token(headers: Mapping[str, str]) -> str | None:
+    api_key = headers.get("x-api-key") or headers.get("X-API-Key")
+    if api_key:
+        return api_key.strip()
+    return None
+
+
+def unauthorized_response(message: str, status_code: int = 401, error: str = "invalid_token") -> JSONResponse:
+    return JSONResponse(
+        {"success": False, "error": "unauthorized", "message": message},
+        status_code=status_code,
+    )
+
+
+class AuthGuard:
+    def __init__(self, settings: AuthSettings) -> None:
+        self.settings = settings
+
+    def check_http(self, request: Request) -> JSONResponse | None:
+        if not self.settings.enabled:
+            return None
+        client_ip = request.client.host if request.client else None
+        return self._evaluate(client_ip, request.headers)
+
+    async def check_ws(self, websocket: WebSocket) -> JSONResponse | None:
+        if not self.settings.enabled:
+            return None
+        client_ip = websocket.client.host if websocket.client else None
+        headers = dict(websocket.headers)
+        return self._evaluate(client_ip, headers)
+
+    def _evaluate(self, client_ip: str | None, headers: Mapping[str, str]) -> JSONResponse | None:
+        logger.debug(
+            "Auth context: ip=%s api_key_header=%s",
+            client_ip or "unknown",
+            "present" if headers.get("x-api-key") or headers.get("X-API-Key") else "absent",
+        )
+
+        if not _ip_in_allowlist(client_ip, self.settings.normalized_allowed_ips):
+            logger.warning("Auth denied: IP not allowed (%s)", client_ip)
+            return unauthorized_response("IP not allowed", status_code=403)
+
+        if not self.settings.token_required:
+            return None
+
+        provided = _extract_token(headers) or ""
+        if provided != (self.settings.token or ""):
+            masked_expected = (self.settings.token or "")[:4] + "***"
+            masked_provided = provided[:4] + "***" if provided else "none"
+            logger.warning(
+                "Auth denied: missing or invalid token from %s (provided=%s expected=%s)",
+                client_ip,
+                masked_provided,
+                masked_expected,
+            )
+            status = 401 if not provided else 403
+            return unauthorized_response(
+                "Missing or invalid API key",
+                status_code=status,
+                error="invalid_token" if status == 401 else "insufficient_scope",
+            )
+
+        return None
+
+
+def verify_http_request(request: Request, settings: AuthSettings) -> JSONResponse | None:
+    return AuthGuard(settings).check_http(request)
+
+
+async def verify_websocket(websocket: WebSocket, settings: AuthSettings) -> JSONResponse | None:
+    return await AuthGuard(settings).check_ws(websocket)
diff --git a/Server/src/core/auth/middleware.py b/Server/src/core/auth/middleware.py
new file mode 100644
index 00000000..408c64f4
--- /dev/null
+++ b/Server/src/core/auth/middleware.py
@@ -0,0 +1,72 @@
+"""FastMCP auth middleware and HTTP guard factory."""
+
+from __future__ import annotations
+
+import logging
+import os
+from typing import Callable, Type
+
+from fastmcp.server.dependencies import get_http_request
+from fastmcp.server.middleware import Middleware, MiddlewareContext
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.responses import JSONResponse
+
+from .guard import AuthGuard, unauthorized_response
+from .settings import AuthSettings
+
+logger = logging.getLogger("mcp-for-unity-server")
+
+
+class AuthMiddleware(Middleware):
+    def __init__(self, settings: AuthSettings):
+        super().__init__()
+        self.settings = settings
+        self._guard = AuthGuard(settings)
+
+    def _check_request_if_present(self) -> JSONResponse | None:
+        if not self.settings.enabled:
+            return None
+        try:
+            request = get_http_request()
+        except Exception:
+            request = None
+        if request is None:
+            if os.environ.get("UNITY_MCP_TRANSPORT", "stdio").lower() == "http":
+                logger.warning("HTTP auth denied: no request context available")
+                return unauthorized_response("Missing request context")
+            return None
+        return self._guard.check_http(request)
+
+    async def on_request(self, context: MiddlewareContext, call_next):
+        failure = self._check_request_if_present()
+        if failure is not None:
+            return failure
+        return await call_next(context)
+
+    async def on_call_tool(self, context: MiddlewareContext, call_next):
+        failure = self._check_request_if_present()
+        if failure is not None:
+            return failure
+        return await call_next(context)
+
+    async def on_read_resource(self, context: MiddlewareContext, call_next):
+        failure = self._check_request_if_present()
+        if failure is not None:
+            return failure
+        return await call_next(context)
+
+
+def build_http_auth_guard(settings: AuthSettings, path_prefix: str = "/mcp") -> Type[BaseHTTPMiddleware]:
+    """Create a Starlette HTTP middleware class that enforces auth for a prefix."""
+
+    guard = AuthGuard(settings)
+
+    class HttpAuthGuard(BaseHTTPMiddleware):
+        async def dispatch(self, request, call_next):
+            if request.url.path.startswith(path_prefix):
+                failure = guard.check_http(request)
+                if failure is not None:
+                    return failure
+            return await call_next(request)
+
+    return HttpAuthGuard
diff --git a/Server/src/core/auth/settings.py b/Server/src/core/auth/settings.py
new file mode 100644
index 00000000..a7ca17ae
--- /dev/null
+++ b/Server/src/core/auth/settings.py
@@ -0,0 +1,81 @@
+"""Auth settings and API key storage helpers."""
+
+from __future__ import annotations
+
+import logging
+import os
+import secrets
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Sequence
+
+logger = logging.getLogger("mcp-for-unity-server")
+
+DEFAULT_ALLOWED_IPS: list[str] = ["*"]
+
+
+@dataclass
+class AuthSettings:
+    enabled: bool = False
+    allowed_ips: list[str] = field(default_factory=lambda: list(DEFAULT_ALLOWED_IPS))
+    token: str | None = None
+
+    @property
+    def normalized_allowed_ips(self) -> list[str]:
+        return [ip.strip() for ip in self.allowed_ips if ip and ip.strip()] or list(DEFAULT_ALLOWED_IPS)
+
+    @property
+    def token_required(self) -> bool:
+        return self.enabled and bool(self.token)
+
+
+def build_auth_settings(
+    *,
+    enabled: bool = False,
+    token: str | None = None,
+    allowed_ips: Sequence[str] | None = None,
+) -> AuthSettings:
+    resolved_allowed = list(allowed_ips) if allowed_ips else list(DEFAULT_ALLOWED_IPS)
+    resolved_token = token if token is not None else (load_or_create_api_key() if enabled else None)
+    return AuthSettings(enabled=enabled, allowed_ips=resolved_allowed, token=resolved_token)
+
+
+def get_api_key_path() -> Path:
+    if home := os.environ.get("UNITY_MCP_HOME"):
+        return Path(home) / "api_key"
+
+    if sys.platform == "win32":
+        base = Path(os.environ.get("LOCALAPPDATA", Path.home() / "AppData/Local"))
+        return base / "UnityMCP" / "api_key"
+
+    if sys.platform == "darwin":
+        return Path.home() / "Library" / "Application Support" / "UnityMCP" / "api_key"
+
+    return Path.home() / ".local" / "share" / "UnityMCP" / "api_key"
+
+
+def load_or_create_api_key(preferred: str | None = None) -> str:
+    if preferred:
+        logger.info("Using API key provided via CLI flag")
+        return preferred
+
+    path = get_api_key_path()
+    try:
+        if path.exists():
+            existing = path.read_text(encoding="utf-8").strip()
+            if existing:
+                logger.info("Loaded API key from %s", path)
+                return existing
+    except Exception:
+        logger.debug("Failed to read API key file at %s", path, exc_info=True)
+
+    token = secrets.token_urlsafe(32)
+    try:
+        path.parent.mkdir(parents=True, exist_ok=True)
+        path.write_text(token, encoding="utf-8")
+        logger.info("Generated and persisted new API key to %s", path)
+    except Exception:
+        logger.warning("Failed to persist API key to %s", path, exc_info=True)
+
+    return token
diff --git a/Server/src/main.py b/Server/src/main.py
index ee04d535..af581c50 100644
--- a/Server/src/main.py
+++ b/Server/src/main.py
@@ -26,15 +26,34 @@
     UnityInstanceMiddleware,
     get_unity_instance_middleware
 )
+from core.auth import (
+    AuthSettings,
+    auth_middleware,
+    auth_settings,
+    get_api_key_path,
+    http_auth_guard,
+    verify_http_request,
+)
+from starlette.middleware import Middleware
+from utils.network import resolve_http_host
 
 # Configure logging using settings from config
+# Reduce default verbosity: cap at WARNING unless explicitly overridden by env/config
+_configured_level = getattr(logging, config.log_level)
+_effective_level = max(logging.WARNING, _configured_level)
 logging.basicConfig(
-    level=getattr(logging, config.log_level),
+    level=_effective_level,
     format=config.log_format,
     stream=None,  # None -> defaults to sys.stderr; avoid stdout used by MCP stdio
     force=True    # Ensure our handler replaces any prior stdout handlers
 )
 logger = logging.getLogger("mcp-for-unity-server")
+# Ensure console logging so auth diagnostics are visible during HTTP transport
+_console_handler = logging.StreamHandler()
+_console_handler.setFormatter(logging.Formatter(config.log_format))
+_console_handler.setLevel(_effective_level)
+logger.addHandler(_console_handler)
+logger.propagate = True
 
 # Also write logs to a rotating file so logs are available when launched via stdio
 try:
@@ -45,7 +64,7 @@
     _fh = RotatingFileHandler(
         _file_path, maxBytes=512*1024, backupCount=2, encoding="utf-8")
     _fh.setFormatter(logging.Formatter(config.log_format))
-    _fh.setLevel(getattr(logging, config.log_level))
+    _fh.setLevel(_effective_level)
     logger.addHandler(_fh)
     logger.propagate = False  # Prevent double logging to root logger
     # Also route telemetry logger to the same rotating file and normal level
@@ -83,6 +102,9 @@
 _unity_connection_pool: UnityConnectionPool | None = None
 _plugin_registry: PluginRegistry | None = None
 
+# Authentication settings (populated during argument parsing)
+auth_settings_state: AuthSettings = auth_settings()
+
 # In-memory custom tool service initialized after MCP construction
 custom_tool_service: CustomToolService | None = None
 
@@ -110,7 +132,7 @@ async def server_lifespan(server: FastMCP) -> AsyncIterator[dict[str, Any]]:
     if _plugin_registry is None:
         _plugin_registry = PluginRegistry()
         loop = asyncio.get_running_loop()
-        PluginHub.configure(_plugin_registry, loop)
+        PluginHub.configure(_plugin_registry, loop, auth_settings=auth_settings_state)
 
     # Record server startup telemetry
     start_time = time.time()
@@ -249,7 +271,10 @@ def _emit_startup():
 
 
 @mcp.custom_route("/health", methods=["GET"])
-async def health_http(_: Request) -> JSONResponse:
+async def health_http(request: Request) -> JSONResponse:
+    failure = verify_http_request(request, auth_settings_state)
+    if failure:
+        return failure
     return JSONResponse({
         "status": "healthy",
         "timestamp": time.time(),
@@ -258,16 +283,16 @@ async def health_http(_: Request) -> JSONResponse:
 
 
 @mcp.custom_route("/plugin/sessions", methods=["GET"])
-async def plugin_sessions_route(_: Request) -> JSONResponse:
+async def plugin_sessions_route(request: Request) -> JSONResponse:
+    failure = verify_http_request(request, auth_settings_state)
+    if failure:
+        return failure
     data = await PluginHub.get_sessions()
     return JSONResponse(data.model_dump())
 
 
 # Initialize and register middleware for session-based Unity instance routing
 # Using the singleton getter ensures we use the same instance everywhere
-unity_middleware = get_unity_instance_middleware()
-mcp.add_middleware(unity_middleware)
-logger.info("Registered Unity instance middleware for session-based routing")
 
 # Mount plugin websocket hub at /hub/plugin when HTTP transport is active
 existing_routes = [
@@ -287,6 +312,7 @@ async def plugin_sessions_route(_: Request) -> JSONResponse:
 
 def main():
     """Entry point for uvx and console scripts."""
+    global auth_settings_state
     parser = argparse.ArgumentParser(
         description="MCP for Unity Server",
         formatter_class=argparse.RawDescriptionHelpFormatter,
@@ -354,8 +380,87 @@ def main():
              "Overrides UNITY_MCP_HTTP_PORT environment variable."
     )
 
+    parser.add_argument(
+        "--auth-enabled",
+        action="store_true",
+        default=False,
+        help="Enable authentication (IP allowlist always applies; token optional)."
+    )
+    parser.add_argument(
+        "--auth-token",
+        dest="auth_token",
+        type=str,
+        default=None,
+        help="Authentication token. If omitted while auth is enabled, a token is generated. Empty string disables token checks."
+    )
+    # Back-compat alias
+    parser.add_argument(
+        "--api-key",
+        dest="auth_token",
+        type=str,
+        default=None,
+        help=argparse.SUPPRESS,
+    )
+    parser.add_argument(
+        "--allowed-ips",
+        dest="allowed_ips",
+        type=str,
+        default=None,
+        help="Comma-separated IP allowlist (supports *, CIDR, single IP)."
+    )
+
     args = parser.parse_args()
 
+    global AUTH_SETTINGS
+    env_auth_enabled = os.environ.get("UNITY_MCP_AUTH_ENABLED", "").lower() in ("1", "true", "yes", "on")
+    auth_enabled = args.auth_enabled or env_auth_enabled
+
+    env_allowed_ips = os.environ.get("UNITY_MCP_ALLOWED_IPS")
+    allowed_ips = None
+    if args.allowed_ips:
+        allowed_ips = [ip.strip() for ip in args.allowed_ips.split(",") if ip.strip()]
+    elif env_allowed_ips:
+        allowed_ips = [ip.strip() for ip in env_allowed_ips.split(",") if ip.strip()]
+
+    env_auth_token = os.environ.get("UNITY_MCP_AUTH_TOKEN")
+    token_arg = args.auth_token if args.auth_token is not None else env_auth_token
+
+    auth_settings_state = auth_settings(
+        token=token_arg,
+        allowed_ips=allowed_ips,
+        enabled=auth_enabled,
+    )
+
+    # Ensure plugin hub and services see the final auth settings (configure() ran earlier with defaults)
+    PluginHub.set_auth_settings(auth_settings_state)
+
+    logger.info(
+        "Auth state: enabled=%s token_required=%s allowed_ips=%s",
+        auth_settings_state.enabled,
+        bool(auth_settings_state.token) if auth_settings_state.enabled else False,
+        auth_settings_state.normalized_allowed_ips,
+    )
+    if auth_settings_state.enabled and not auth_settings_state.token:
+        logger.warning("Auth enabled with no token: only IP allowlist enforced")
+    if auth_settings_state.enabled:
+        try:
+            logger.info("API key file location: %s", get_api_key_path())
+        except Exception:
+            logger.debug("Could not resolve API key file path", exc_info=True)
+
+    # Register auth middleware only when enabled so we skip auth checks entirely when disabled
+    if auth_settings_state.enabled:
+        mcp.add_middleware(auth_middleware(auth_settings_state))
+        logger.info("Registered middleware: auth enabled")
+    # Session-based Unity instance routing
+    unity_middleware = get_unity_instance_middleware()
+    mcp.add_middleware(unity_middleware)
+    logger.info("Registered middleware: unity instance routing%s",
+                " + auth" if auth_settings_state.enabled else " (auth disabled)")
+
+    if custom_tool_service:
+        custom_tool_service.set_auth_settings(auth_settings_state)
+
     # Set environment variables from command line args
     if args.default_instance:
         os.environ["UNITY_MCP_DEFAULT_INSTANCE"] = args.default_instance
@@ -372,8 +477,11 @@ def main():
     parsed_url = urlparse(http_url)
 
     # Allow individual host/port to override URL components
-    http_host = args.http_host or os.environ.get(
-        "UNITY_MCP_HTTP_HOST") or parsed_url.hostname or "localhost"
+    http_host = resolve_http_host(
+        args.http_host,
+        os.environ.get("UNITY_MCP_HTTP_HOST"),
+        parsed_url.hostname,
+    )
     http_port = args.http_port or (int(os.environ.get("UNITY_MCP_HTTP_PORT")) if os.environ.get(
         "UNITY_MCP_HTTP_PORT") else None) or parsed_url.port or 8080
 
@@ -399,7 +507,11 @@ def main():
         port = args.http_port or (int(os.environ.get("UNITY_MCP_HTTP_PORT")) if os.environ.get(
             "UNITY_MCP_HTTP_PORT") else None) or parsed_url.port or 8080
         logger.info(f"Starting FastMCP with HTTP transport on {host}:{port}")
-        mcp.run(transport=transport, host=host, port=port)
+        http_middleware = []
+        if auth_settings_state.enabled:
+            http_guard = http_auth_guard(auth_settings_state)
+            http_middleware.append(Middleware(http_guard))
+        mcp.run(transport=transport, host=host, port=port, middleware=http_middleware)
     else:
         # Use stdio transport for traditional MCP
         logger.info("Starting FastMCP with stdio transport")
diff --git a/Server/src/services/custom_tool_service.py b/Server/src/services/custom_tool_service.py
index d1f37036..479a4806 100644
--- a/Server/src/services/custom_tool_service.py
+++ b/Server/src/services/custom_tool_service.py
@@ -16,6 +16,7 @@
     get_unity_connection_pool,
 )
 from transport.plugin_hub import PluginHub
+from core.auth import AuthSettings, auth_settings, verify_http_request
 
 logger = logging.getLogger("mcp-for-unity-server")
 
@@ -39,13 +40,17 @@ class ToolRegistrationResponse(BaseModel):
 class CustomToolService:
     _instance: "CustomToolService | None" = None
 
-    def __init__(self, mcp: FastMCP):
+    def __init__(self, mcp: FastMCP, auth_settings_value: AuthSettings | None = None):
         CustomToolService._instance = self
         self._mcp = mcp
         self._project_tools: dict[str, dict[str, ToolDefinitionModel]] = {}
         self._hash_to_project: dict[str, str] = {}
+        self._auth_settings: AuthSettings = auth_settings_value or auth_settings()
         self._register_http_routes()
 
+    def set_auth_settings(self, auth_settings_value: AuthSettings) -> None:
+        self._auth_settings = auth_settings_value
+
     @classmethod
     def get_instance(cls) -> "CustomToolService":
         if cls._instance is None:
@@ -56,6 +61,9 @@ def get_instance(cls) -> "CustomToolService":
     def _register_http_routes(self) -> None:
         @self._mcp.custom_route("/register-tools", methods=["POST"])
         async def register_tools(request: Request) -> JSONResponse:
+            failure = verify_http_request(request, self._auth_settings)
+            if failure:
+                return failure
             try:
                 payload = RegisterToolsPayload.model_validate(await request.json())
             except ValidationError as exc:
diff --git a/Server/src/transport/models.py b/Server/src/transport/models.py
index ba5ab16b..4c70bec6 100644
--- a/Server/src/transport/models.py
+++ b/Server/src/transport/models.py
@@ -7,8 +7,11 @@
 
 class WelcomeMessage(BaseModel):
     type: str = "welcome"
+    serverVersion: str = ""
     serverTimeout: int
     keepAliveInterval: int
+    authEnabled: bool = False
+    authTokenRequired: bool = False
 
 
 class RegisteredMessage(BaseModel):
diff --git a/Server/src/transport/plugin_hub.py b/Server/src/transport/plugin_hub.py
index fed65b22..cb167836 100644
--- a/Server/src/transport/plugin_hub.py
+++ b/Server/src/transport/plugin_hub.py
@@ -12,6 +12,7 @@
 from starlette.websockets import WebSocket
 
 from core.config import config
+from core.auth import AuthSettings, auth_settings, verify_websocket
 from transport.plugin_registry import PluginRegistry
 from transport.models import (
     WelcomeMessage,
@@ -37,6 +38,7 @@ class PluginHub(WebSocketEndpoint):
     COMMAND_TIMEOUT = 30
 
     _registry: PluginRegistry | None = None
+    _auth_settings: AuthSettings | None = None
     _connections: dict[str, WebSocket] = {}
     _pending: dict[str, asyncio.Future] = {}
     _lock: asyncio.Lock | None = None
@@ -47,21 +49,38 @@ def configure(
         cls,
         registry: PluginRegistry,
         loop: asyncio.AbstractEventLoop | None = None,
+        auth_settings: AuthSettings | None = None,
     ) -> None:
         cls._registry = registry
         cls._loop = loop or asyncio.get_running_loop()
         # Ensure coordination primitives are bound to the configured loop
         cls._lock = asyncio.Lock()
+        cls._auth_settings = auth_settings
+
+    @classmethod
+    def set_auth_settings(cls, settings: AuthSettings | None) -> None:
+        cls._auth_settings = settings
 
     @classmethod
     def is_configured(cls) -> bool:
         return cls._registry is not None and cls._lock is not None
 
     async def on_connect(self, websocket: WebSocket) -> None:
+        settings = self._auth_settings or auth_settings()
+
+        failure = await verify_websocket(websocket, settings)
+        if failure is not None:
+            await websocket.close(code=4401)
+            return
+
         await websocket.accept()
+        from core.telemetry import get_package_version
         msg = WelcomeMessage(
+            serverVersion=get_package_version(),
             serverTimeout=self.SERVER_TIMEOUT,
             keepAliveInterval=self.KEEP_ALIVE_INTERVAL,
+            authEnabled=settings.enabled,
+            authTokenRequired=settings.enabled and bool(settings.token),
         )
         await websocket.send_json(msg.model_dump())
 
diff --git a/Server/src/utils/network.py b/Server/src/utils/network.py
new file mode 100644
index 00000000..cf46e861
--- /dev/null
+++ b/Server/src/utils/network.py
@@ -0,0 +1,13 @@
+def resolve_http_host(
+    arg_host: str | None,
+    env_host: str | None,
+    parsed_host: str | None,
+) -> str:
+    """Resolve HTTP host from arguments/env/url with sensible defaults."""
+
+    if arg_host:
+        return arg_host
+    if env_host:
+        return env_host
+
+    return parsed_host or "localhost"
diff --git a/Server/tests/integration/conftest.py b/Server/tests/integration/conftest.py
index 798c6a60..c854ce06 100644
--- a/Server/tests/integration/conftest.py
+++ b/Server/tests/integration/conftest.py
@@ -82,7 +82,11 @@ class _DummyMiddlewareContext:
 fastmcp_server_middleware = types.ModuleType("fastmcp.server.middleware")
 fastmcp_server_middleware.Middleware = _DummyMiddleware
 fastmcp_server_middleware.MiddlewareContext = _DummyMiddlewareContext
+fastmcp_server_dependencies = types.ModuleType("fastmcp.server.dependencies")
+fastmcp_server_dependencies.get_http_request = lambda: None
 fastmcp.server = fastmcp_server
 fastmcp_server.middleware = fastmcp_server_middleware
+fastmcp_server.dependencies = fastmcp_server_dependencies
 sys.modules.setdefault("fastmcp.server", fastmcp_server)
 sys.modules.setdefault("fastmcp.server.middleware", fastmcp_server_middleware)
+sys.modules.setdefault("fastmcp.server.dependencies", fastmcp_server_dependencies)
diff --git a/Server/tests/integration/test_auth_controls.py b/Server/tests/integration/test_auth_controls.py
new file mode 100644
index 00000000..2f665791
--- /dev/null
+++ b/Server/tests/integration/test_auth_controls.py
@@ -0,0 +1,95 @@
+import types
+
+import pytest
+import tests.integration.conftest  # noqa: F401  # ensure stubs are registered before imports
+
+from core.auth import auth_settings, verify_http_request, verify_websocket
+
+
+class _DummyRequest:
+    def __init__(self, host: str | None, headers: dict[str, str] | None = None):
+        self.client = types.SimpleNamespace(host=host)
+        self.headers = headers or {}
+
+
+class _DummyWebSocket:
+    def __init__(self, host: str | None, headers: list[tuple[str, str]] | None = None):
+        self.client = types.SimpleNamespace(host=host)
+        self.headers = headers or []
+
+
+def test_http_allowlist_allows_any_ip_when_wildcard():
+    settings = auth_settings(token="secret", allowed_ips=["*"])
+    request = _DummyRequest("192.168.1.10", headers={"X-API-Key": "secret"})
+
+    response = verify_http_request(request, settings)
+
+    assert response is None
+
+
+def test_http_allowlist_blocks_outside_cidr():
+    settings = auth_settings(token="secret", allowed_ips=["10.0.0.0/8"])
+    request = _DummyRequest("192.168.1.10", headers={"X-API-Key": "secret"})
+
+    response = verify_http_request(request, settings)
+
+    assert response is not None
+    assert response.status_code == 403
+
+
+def test_http_requires_matching_token_when_set():
+    settings = auth_settings(token="secret", allowed_ips=["*"])
+    request = _DummyRequest("127.0.0.1", headers={"X-API-Key": "secret"})
+
+    response = verify_http_request(request, settings)
+
+    assert response is None
+
+
+def test_http_blocks_missing_token_when_required():
+    settings = auth_settings(token="secret", allowed_ips=["127.0.0.1"])
+    request = _DummyRequest("127.0.0.1")
+
+    response = verify_http_request(request, settings)
+
+    assert response is not None
+    assert response.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_websocket_checks_token_and_allowlist():
+    settings = auth_settings(token="secret", allowed_ips=["10.0.0.0/8"])
+    websocket = _DummyWebSocket("10.1.2.3", headers=[("x-api-key", "secret")])
+
+    response = await verify_websocket(websocket, settings)
+
+    assert response is None
+
+
+@pytest.mark.asyncio
+async def test_websocket_blocks_invalid_token():
+    settings = auth_settings(token="secret", allowed_ips=["10.0.0.0/8"])
+    websocket = _DummyWebSocket("10.1.2.3", headers=[("x-api-key", "wrong")])
+
+    response = await verify_websocket(websocket, settings)
+
+    assert response is not None
+    assert response.status_code == 401
+
+
+def test_http_no_auth_when_disabled():
+    settings = auth_settings(enabled=False, allowed_ips=["127.0.0.1"])
+    request = _DummyRequest("192.168.1.10")
+
+    response = verify_http_request(request, settings)
+
+    assert response is None
+
+
+def test_http_no_token_required_when_empty():
+    settings = auth_settings(token="", allowed_ips=["*"], enabled=True)
+    request = _DummyRequest("127.0.0.1")
+
+    response = verify_http_request(request, settings)
+
+    assert response is None
diff --git a/Server/tests/integration/test_host_resolution.py b/Server/tests/integration/test_host_resolution.py
new file mode 100644
index 00000000..248bed1a
--- /dev/null
+++ b/Server/tests/integration/test_host_resolution.py
@@ -0,0 +1,27 @@
+import tests.integration.conftest  # noqa: F401  # ensure stubs are registered before imports
+
+from utils.network import resolve_http_host
+
+
+def test_resolve_host_prefers_explicit_arg():
+    host = resolve_http_host(arg_host="0.0.0.0", env_host="1.2.3.4", parsed_host="5.6.7.8")
+
+    assert host == "0.0.0.0"
+
+
+def test_resolve_host_prefers_env_when_arg_missing():
+    host = resolve_http_host(arg_host=None, env_host="1.2.3.4", parsed_host="5.6.7.8")
+
+    assert host == "1.2.3.4"
+
+
+def test_resolve_host_falls_back_to_parsed():
+    host = resolve_http_host(arg_host=None, env_host=None, parsed_host="5.6.7.8")
+
+    assert host == "5.6.7.8"
+
+
+def test_resolve_host_defaults_to_localhost():
+    host = resolve_http_host(arg_host=None, env_host=None, parsed_host=None)
+
+    assert host == "localhost"
diff --git a/Server/tests/integration/test_welcome_message_auth_flags.py b/Server/tests/integration/test_welcome_message_auth_flags.py
new file mode 100644
index 00000000..fb566021
--- /dev/null
+++ b/Server/tests/integration/test_welcome_message_auth_flags.py
@@ -0,0 +1,20 @@
+from transport.models import WelcomeMessage
+
+
+def test_welcome_message_defaults_auth_flags_false():
+    msg = WelcomeMessage(serverTimeout=30, keepAliveInterval=15)
+
+    assert msg.authEnabled is False
+    assert msg.authTokenRequired is False
+
+
+def test_welcome_message_allows_auth_flags_true():
+    msg = WelcomeMessage(
+        serverTimeout=30,
+        keepAliveInterval=15,
+        authEnabled=True,
+        authTokenRequired=True,
+    )
+
+    assert msg.authEnabled is True
+    assert msg.authTokenRequired is True
diff --git a/Server/uv.lock b/Server/uv.lock
index 44a0ef88..7b3e0043 100644
--- a/Server/uv.lock
+++ b/Server/uv.lock
@@ -694,7 +694,7 @@ wheels = [
 
 [[package]]
 name = "mcpforunityserver"
-version = "8.1.4"
+version = "8.1.6"
 source = { editable = "." }
 dependencies = [
     { name = "fastapi" },
diff --git a/docs/MCP_CLIENT_CONFIGURATORS.md b/docs/MCP_CLIENT_CONFIGURATORS.md
index f79f1ccb..f2c8105b 100644
--- a/docs/MCP_CLIENT_CONFIGURATORS.md
+++ b/docs/MCP_CLIENT_CONFIGURATORS.md
@@ -115,6 +115,7 @@ All of these follow the same pattern:
   - `SupportsHttpTransport` + `EditorPrefs.UseHttpTransport` decide whether to configure
     - `url` / `serverUrl` (HTTP), or
     - `command` + `args` (stdio with `uvx`).
+  - When HTTP is used and auth is enabled with a token in the Unity Auth panel, the configurator injects `headers.Authorization: Bearer <token>` into the client config so requests include the token automatically.
 - **URL property name**
   - `HttpUrlProperty` (default `"url"`) selects which JSON property to use for HTTP urls.
   - Example: Windsurf and Antigravity use `"serverUrl"`.