1 files changed, 7 insertions, 6 deletions

diff --git a/internal/auth/interceptor.go b/internal/auth/interceptor.go
index c055a15..7d785bf 100644
--- a/internal/auth/interceptor.go
+++ b/internal/auth/interceptor.go
@@ -35,10 +35,11 @@ type InterceptorOptions struct {
         // Default: false
         ValidatePayload bool
 
-        // AllowedPubkeys is an optional whitelist of allowed pubkeys.
+        // AllowedNpubs is an optional whitelist of allowed pubkeys (hex format).
+        // Config accepts npub format only, normalized to hex at load time.
         // If nil or empty, all valid signatures are accepted.
         // Default: nil (allow all)
-        AllowedPubkeys []string
+        AllowedNpubs []string
 
         // SkipMethods is a list of gRPC methods that bypass authentication.
         // Useful for public endpoints like health checks or relay info.
@@ -53,7 +54,7 @@ func DefaultInterceptorOptions() *InterceptorOptions {
                 TimestampWindow: 60,
                 Required:        false,
                 ValidatePayload: false,
-                AllowedPubkeys:  nil,
+                AllowedNpubs:    nil,
                 SkipMethods:     nil,
         }
 }
@@ -168,9 +169,9 @@ func validateAuthFromContext(ctx context.Context, method string, opts *Intercept
         // Extract pubkey
         pubkey := ExtractPubkey(event)
 
-        // Check whitelist if configured
-        if len(opts.AllowedPubkeys) > 0 {
-                if !contains(opts.AllowedPubkeys, pubkey) {
+        // Check whitelist if configured (all values are already normalized to hex)
+        if len(opts.AllowedNpubs) > 0 {
+                if !contains(opts.AllowedNpubs, pubkey) {
                         return "", fmt.Errorf("pubkey not in whitelist")
                 }
         }