diff --git a/api/src/auth/guards/auth.guard.ts b/api/src/auth/guards/auth.guard.ts
index 8bfc9c2..f3ca682 100644
--- a/api/src/auth/guards/auth.guard.ts
+++ b/api/src/auth/guards/auth.guard.ts
@@ -20,25 +20,29 @@ export class AuthGuard implements CanActivate {
   ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    var userId
-
     const request = context.switchToHttp().getRequest()
+    let userId
+    const apiKeyString = request.headers['x-api-key'] || request.query.apiKey
     if (request.headers.authorization?.startsWith('Bearer ')) {
       const bearerToken = request.headers.authorization.split(' ')[1]
-      const payload = this.jwtService.verify(bearerToken)
-      userId = payload.sub
-    }
-
-    // check apiKey in query params
-    else if (request.query.apiKey) {
-      const apiKeyStr = request.query.apiKey
-      const regex = new RegExp(`^${apiKeyStr.substr(0, 17)}`, 'g')
+      try {
+        const payload = this.jwtService.verify(bearerToken)
+        userId = payload.sub
+      } catch (e) {
+        throw new HttpException(
+          { error: 'Unauthorized' },
+          HttpStatus.UNAUTHORIZED,
+        )
+      }
+    } else if (apiKeyString) {
+      const regex = new RegExp(`^${apiKeyString.substr(0, 17)}`, 'g')
       const apiKey = await this.authService.findApiKey({
         apiKey: { $regex: regex },
       })
 
-      if (apiKey && bcrypt.compareSync(apiKeyStr, apiKey.hashedApiKey)) {
+      if (apiKey && bcrypt.compareSync(apiKeyString, apiKey.hashedApiKey)) {
         userId = apiKey.user
+        this.authService.trackApiKeyUsage(apiKey._id)
       }
     }
 
@@ -46,9 +50,6 @@ export class AuthGuard implements CanActivate {
       const user = await this.usersService.findOne({ _id: userId })
       if (user) {
         request.user = user
-        if (request.query.apiKey) {
-          this.authService.trackApiKeyUsage(user._id)
-        }
         return true
       }
     }
diff --git a/api/src/main.ts b/api/src/main.ts
index 83abe89..e54e09b 100644
--- a/api/src/main.ts
+++ b/api/src/main.ts
@@ -20,6 +20,11 @@ async function bootstrap() {
     .setDescription('TextBee - Android SMS Gateway API Docs')
     .setVersion('1.0')
     .addBearerAuth()
+    .addApiKey({
+      type: 'apiKey',
+      name: 'x-api-key',
+      in: 'header',
+    })
     .build()
   const document = SwaggerModule.createDocument(app, config)
   SwaggerModule.setup('', app, document, {