diff --git a/src/lib/backend/convex/user_enabled_models.ts b/src/lib/backend/convex/user_enabled_models.ts
index 2974a64..5ee3182 100644
--- a/src/lib/backend/convex/user_enabled_models.ts
+++ b/src/lib/backend/convex/user_enabled_models.ts
@@ -3,6 +3,7 @@ import { v } from 'convex/values';
 import { providerValidator } from './schema';
 import * as array from '../../utils/array';
 import * as object from '../../utils/object';
+import { internal } from './_generated/api';
 export const get_enabled = query({
 args: {
@@ -42,8 +43,17 @@ export const set = mutation({
 model_id: v.string(),
 user_id: v.string(),
 enabled: v.boolean(),
+ session_token: v.string(),
 },
 handler: async (ctx, args) => {
+ const session = await ctx.runQuery(internal.betterAuth.getSession, {
+ sessionToken: args.session_token,
+ });
+
+ if (!session) {
+ throw new Error('Unauthorized');
+ }
+
 const existing = await ctx.db
 .query('user_enabled_models')
 .withIndex('by_model_provider', (q) =>
diff --git a/src/lib/backend/convex/user_keys.ts b/src/lib/backend/convex/user_keys.ts
index 68fa832..92cb5dd 100644
--- a/src/lib/backend/convex/user_keys.ts
+++ b/src/lib/backend/convex/user_keys.ts
@@ -1,5 +1,6 @@
 import { v } from 'convex/values';
 import { Provider } from '../../types';
+import { internal } from './_generated/api';
 import { mutation, query } from './_generated/server';
 import { providerValidator } from './schema';
@@ -27,8 +28,17 @@ export const get = query({
 args: {
 user_id: v.string(),
 provider: providerValidator,
+ session_token: v.string(),
 },
 handler: async (ctx, args) => {
+ const session = await ctx.runQuery(internal.betterAuth.getSession, {
+ sessionToken: args.session_token,
+ });
+
+ if (!session) {
+ throw new Error('Unauthorized');
+ }
+
 const key = await ctx.db
 .query('user_keys')
 .withIndex('by_provider_user', (q) =>
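Review bot: The check added to `set` in user_enabled_models.ts only proves that some valid session exists; nothing ties that session to `args.user_id`, which the client still supplies and which the lookup that follows appears to use (the `withIndex` callback continues outside the hunk). Any signed-in user could therefore pass another account's `user_id`; the same gap is in the `get` and `set` hunks of user_keys.ts, where the rows hold provider API keys. Compare the session's owner with the argument before touching the table, e.g. `if (!session || session.userId !== args.user_id) throw new Error('Unauthorized');` (assuming `getSession` returns a session record with a `userId` field, which this diff does not show), or drop `user_id` from the args and take it from the session. Whether `getSession` also rejects expired sessions cannot be seen from here and is worth confirming.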
@@ -45,8 +55,17 @@ export const set = mutation({
 provider: providerValidator,
 user_id: v.string(),
 key: v.string(),
+ session_token: v.string(),
 },
 handler: async (ctx, args) => {
+ const session = await ctx.runQuery(internal.betterAuth.getSession, {
+ sessionToken: args.session_token,
+ });
+
+ if (!session) {
+ throw new Error('Unauthorized');
+ }
+
 const existing = await ctx.db
 .query('user_keys')
 .withIndex('by_provider_user', (q) =>
diff --git a/src/routes/account/api-keys/provider-card.svelte b/src/routes/account/api-keys/provider-card.svelte
index 0d32781..1076cbd 100644
--- a/src/routes/account/api-keys/provider-card.svelte
+++ b/src/routes/account/api-keys/provider-card.svelte
@@ -23,6 +23,7 @@
 const keyQuery = useCachedQuery(api.user_keys.get, {
 user_id: session.current?.user.id ?? '',
 provider,
+ session_token: session.current?.session.token ?? '',
 });
 const client = useConvexClient();
@@ -44,6 +45,7 @@
 provider,
 user_id: session.current?.user.id ?? '',
 key: `${key}`,
+ session_token: session.current?.session.token,
 }),
 (e) => e
 );
diff --git a/src/routes/account/models/model-card.svelte b/src/routes/account/models/model-card.svelte
index b88232b..f8faa42 100644
--- a/src/routes/account/models/model-card.svelte
+++ b/src/routes/account/models/model-card.svelte
@@ -46,6 +46,7 @@
 user_id: session.current.user.id,
 model_id: model.id,
 enabled: v,
+ session_token: session.current?.session.token,
 }),
 (e) => e
 );
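Review bot: `session.current?.session.token ?? ''` in the `keyQuery` arguments sends an empty token whenever the session has not loaded yet, and the server-side `get` now throws 'Unauthorized' when the token resolves to no session, so the card would presumably surface a query error where it previously got an empty result. The token also becomes part of the arguments handed to `useCachedQuery`; if that cache persists its arguments anywhere (not visible in this diff), the session token is stored with them, so it is worth checking where the cache lives. Holding the query back until a session is present would avoid both the spurious error and caching an empty-token entry.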
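Review bot: `session_token: session.current?.session.token` in the second provider-card.svelte hunk has no fallback, so it is `undefined` when there is no session, while the validator added in this commit is `v.string()`; the mutation would then fail argument validation rather than reach the 'Unauthorized' branch. The model-card.svelte hunk has the same line, sitting next to `session.current.user.id` without optional chaining, so the two accesses disagree about whether the session can be absent. Check for a session before calling the mutation, e.g. `if (!session.current) return;` ahead of the call, instead of relying on a server-side error. The enclosing calls start and end outside both hunks.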