2 files changed, 19 insertions, 2 deletions

diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go
index dfe7b9e..909e2ec 100644
--- a/internal/handler/websocket/handler.go
+++ b/internal/handler/websocket/handler.go
@@ -348,7 +348,12 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j
 
         h.subs.MatchAndFan(pbEvent)
 
-        status = "ok"
+        // Track whether request was authenticated for metrics
+        if state.authenticatedPubkey != "" {
+                status = "authorized"
+        } else {
+                status = "ok"
+        }
         h.sendOK(ctx, conn, event.ID, true, "")
         return nil
 }
@@ -448,7 +453,12 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso
 
         go h.streamEvents(ctx, conn, sub)
 
-        status = "ok"
+        // Track whether request was authenticated for metrics
+        if state.authenticatedPubkey != "" {
+                status = "authorized"
+        } else {
+                status = "ok"
+        }
         return nil
 }
 
diff --git a/internal/handler/websocket/handler_test.go b/internal/handler/websocket/handler_test.go
index 10405b2..604a190 100644
--- a/internal/handler/websocket/handler_test.go
+++ b/internal/handler/websocket/handler_test.go
@@ -305,6 +305,13 @@ func TestAuthRequired(t *testing.T) {
                 t.Errorf("Expected OK true after auth, got false: %v", msg3[3])
         }
         t.Logf("Publish succeeded after auth")
+
+        // Verify authorized requests are tracked in metrics
+        authorizedCount := ts.metrics.getRequestCount("EVENT", "authorized")
+        if authorizedCount == 0 {
+                t.Errorf("Expected authorized requests to be tracked in metrics, got 0")
+        }
+        t.Logf("Metrics: %d authorized requests tracked", authorizedCount)
 }
 
 // TestAuthNotInAllowlist verifies that pubkeys not in allowlist are rejected