2 files changed, 9 insertions, 2 deletions

diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go
index a23dd60..de71926 100644
--- a/internal/handler/websocket/handler.go
+++ b/internal/handler/websocket/handler.go
@@ -265,7 +265,7 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j
         }
 
         if err := h.requireAuth(ctx, conn, true, state); err != nil {
-                status = "error"
+                status = "unauthorized"
                 h.sendOK(ctx, conn, event.ID, false, err.Error())
                 return nil
         }
@@ -371,7 +371,7 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso
         }
 
         if err := h.requireAuth(ctx, conn, false, state); err != nil {
-                status = "error"
+                status = "unauthorized"
                 return err
         }
 
diff --git a/internal/handler/websocket/handler_test.go b/internal/handler/websocket/handler_test.go
index 9f02510..9982aea 100644
--- a/internal/handler/websocket/handler_test.go
+++ b/internal/handler/websocket/handler_test.go
@@ -368,6 +368,13 @@ func TestAuthNotInAllowlist(t *testing.T) {
                 t.Errorf("Expected OK false for unauthorized pubkey, got false: %v", msg3[3])
         }
         t.Logf("Unauthorized pubkey correctly rejected: %v", msg3[3])
+
+        // Verify metrics tracked the unauthorized request
+        unauthorizedCount := ts.metrics.getRequestCount("EVENT", "unauthorized")
+        if unauthorizedCount == 0 {
+                t.Errorf("Expected unauthorized requests to be tracked in metrics, got 0")
+        }
+        t.Logf("Metrics: %d unauthorized requests tracked", unauthorizedCount)
 }
 
 // TestRateLimitByIP verifies that rate limiting works by IP