diff --git a/.env b/.env
index b1b8cba..62e985b 100644
--- a/.env
+++ b/.env
@@ -1,5 +1,5 @@
 FILES_DIR="./files"
-API_KEY="aboba"
+API_KEY_HASH="a6c79a27049109e472b246b5dfbe08aedff1e9e2259597e54032dbad4958d4ad"
 FILES_PADDING="5"
 DATABASE_NAME="files.db"
 FTP_URL="ftp"
diff --git a/app/api.py b/app/api.py
index cb716ab..d8b22fa 100644
--- a/app/api.py
+++ b/app/api.py
@@ -8,11 +8,12 @@ from io import BytesIO
 from . import db
 from dotenv import load_dotenv
 import os
+import hmac
 load_dotenv()
 FILES_DIR = os.getenv("FILES_DIR")
-API_KEY = os.getenv("API_KEY")
+API_KEY_HASH = os.getenv("API_KEY_HASH")
 api_key_header = APIKeyHeader(name="X-API-Key")
 FTP_URL = os.getenv("FTP_URL")
@@ -21,8 +22,10 @@ FTP_PASSWORD = os.getenv("FTP_PASSWORD")
 CACHE_DIR = "cache"
 def verify_api_key(api_key: str = Security(api_key_header)):
- if api_key != API_KEY:
- raise HTTPException(status_code=403, detail="Forbidden")
+ api_key_hashed = hashlib.sha256(api_key.encode()).hexdigest()
+ if not hmac.compare_digest(api_key_hashed, API_KEY_HASH):
+ raise HTTPException(status_code=403, detail="Forbidden. (╥﹏╥)")
+ return api_key
 def compute_hash(data: bytes, algorithm="sha256") -> str:
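Review bot: In `.env`, the new `API_KEY_HASH` line keeps a credential verifier under version control, and the removed `API_KEY="aboba"` stays readable in the repository history, so that key should be treated as exposed and rotated rather than only hashed. The digest is an unsalted SHA-256 (as computed in `verify_api_key`), so if the key behind it is short or guessable, anyone who can read the repository can recover it by offline guessing; the key should be a long random value, for example one produced by `secrets.token_urlsafe(32)`. I would also stop tracking `.env` and commit a template with a placeholder instead, such as `API_KEY_HASH="<sha256-hex-of-your-key>"`.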
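Review bot: In the first `app/api.py` hunk, `API_KEY_HASH = os.getenv("API_KEY_HASH")` is `None` when the variable is missing, and `hmac.compare_digest` raises `TypeError` on `None`, so every authenticated request would fail with a 500 instead of a clear startup error. Fail fast right after the assignment, e.g. `if not API_KEY_HASH: raise RuntimeError("API_KEY_HASH is not set")`, and consider normalising the value with `.strip().lower()`, because `hexdigest()` always yields lowercase hex. The later hunk calls `hashlib.sha256` while this hunk adds only `import hmac`; `hashlib` is presumably imported above the visible context, which is worth confirming.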
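Review bot: `return api_key` at the end of `verify_api_key` hands the plaintext key to every route that declares this dependency, where it can end up in logs or error reports. If no route uses the returned value, I would drop the line so the dependency only passes or raises. The comparison is now constant-time, but a bare SHA-256 protects only a high-entropy key, and the function has no docstring saying so. I would add `"""Raise 403 unless SHA-256 of the X-API-Key header equals API_KEY_HASH; the key must be long and random because the hash is unsalted and fast."""`. The emoticon in the 403 `detail` is a style choice, but clients that match on the previous `"Forbidden"` text would need updating.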