diff --git a/.gitignore b/.gitignore
index 4822dcc..fe2cb09 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,6 @@ __pycache__/
 engine/data/
 TMP/
+.env
+.venv/
+test_mcp_client.py
diff --git a/mcp/server.py b/mcp/server.py
index 2d25bd0..c0307e2 100644
--- a/mcp/server.py
+++ b/mcp/server.py
@@ -87,7 +87,12 @@ async def _ensure_exclusive_collection(doc_id: int, collection: str) -> None:
 mcp = FastMCP(
 "kb",
- instructions="Knowledge base MCP server. Provides tools for searching, adding, and managing documents and notes.",
+ instructions=(
+ "Knowledge base MCP server. Provides tools for searching, adding, and "
+ "managing documents and notes. This server requires Bearer token "
+ "authentication — all requests are authenticated via the Authorization "
+ "header at the HTTP transport layer."
+ ),
 )
@@ -218,6 +223,7 @@ async def kb_status() -> str:
 database size, and ingestion queue state.
 """
 result = engine.get_status()
+ result["authenticated"] = bool(config.KB_MCP_API_KEY)
 return json.dumps(result, indent=2)
@@ -323,10 +329,8 @@ class BearerAuthMiddleware(BaseHTTPMiddleware):
 return await call_next(request)
 auth_header = request.headers.get("authorization", "")
- if auth_header.startswith("Bearer "):
- token = auth_header[7:]
- if token == config.KB_MCP_API_KEY:
- return await call_next(request)
+ if auth_header.startswith("Bearer ") and auth_header[7:] == config.KB_MCP_API_KEY:
+ return await call_next(request)
 return JSONResponse(
 status_code=401,
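Review bot: The new `instructions` string passed to `FastMCP(...)` states unconditionally that every request is authenticated, but the rest of this commit suggests that depends on configuration. `kb_status` now reports `bool(config.KB_MCP_API_KEY)`, and `BearerAuthMiddleware` has a `return await call_next(request)` ahead of the header check whose condition is outside the hunk. If that early return fires when the key is empty, clients are told the server is protected while it accepts anonymous requests. Failing closed at startup would keep the text true, for example `if not config.KB_MCP_API_KEY: raise RuntimeError("KB_MCP_API_KEY must be set")`, assuming no supported transport is meant to run without a key. Otherwise, include the authentication sentence only when a key is configured.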
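Review bot: The `authenticated` key added in `kb_status` reports whether an API key is configured, not whether the caller of this tool was authenticated, so the name overstates what the value proves. A name that says what is measured would avoid that, for example `result["auth_enabled"] = bool(config.KB_MCP_API_KEY)`. A comment above the line would also help, such as `# True when a bearer key is configured; says nothing about the current request`. Monitoring or clients that read this field as per-request proof of authentication would draw the wrong conclusion.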
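Review bot: The merged condition in `BearerAuthMiddleware` still compares the presented token to `config.KB_MCP_API_KEY` with `==`, which is not constant-time and can leak through response timing how much of the key matched. Replace the equality test with `hmac.compare_digest(auth_header[7:].encode(), config.KB_MCP_API_KEY.encode())`. Encoding both sides avoids the `TypeError` that `compare_digest` raises on non-ASCII `str` input. This needs `import hmac` in the file's import block, which is not visible in the diff. The method containing this check starts and ends outside the hunk, so the condition guarding the earlier `return await call_next(request)` could not be reviewed here.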