diff --git a/api.js b/api.js
index 917b9eb..98d7362 100644
--- a/api.js
+++ b/api.js
@@ -405,11 +405,10 @@ app.get("/api/health", async (req, res) => {
 
 function authMiddleware(req, res, next) {
   const key = process.env.CASECOMP_API_KEY;
+  const sandboxKey = process.env.CASECOMP_SANDBOX_KEY;
   if (!key) return next();
-  const auth = req.headers.authorization;
-  const query = req.query.key;
-  const token = auth?.startsWith("Bearer ") ? auth.slice(7) : query;
-  if (!token || token !== key) {
+  const token = getRequestToken(req);
+  if (!token || (token !== key && token !== sandboxKey)) {
     return res.status(401).json({ error: "Invalid or missing API key" });
   }
   next();
@@ -568,7 +567,15 @@ app.post("/api/alerts", authMiddleware, async (req, res) => {
 });
 
 const PORT = process.env.API_PORT || 3000;
-app.listen(PORT, () => {
+app.listen(PORT, async () => {
   console.log(`Casecomp API listening on http://localhost:${PORT}`);
   console.log(`Swagger docs: http://localhost:${PORT}/docs`);
+  if (clientId && clientSecret) {
+    try {
+      await getToken();
+      console.log("eBay OAuth token warmed");
+    } catch (e) {
+      console.warn(`eBay token warmup failed: ${e.message}`);
+    }
+  }
 });