diff --git a/ingestion/internal/mcp/auth.go b/ingestion/internal/mcp/auth.go
index 99b62f5..7509653 100644
--- a/ingestion/internal/mcp/auth.go
+++ b/ingestion/internal/mcp/auth.go
@@ -13,8 +13,8 @@ func BearerAuth(token string, next http.Handler) http.Handler {
 			http.Error(w, "unauthorized", http.StatusUnauthorized)
 			return
 		}
-		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
-		if got != token {
+		got, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
+		if !ok || got != token {
 			http.Error(w, "unauthorized", http.StatusUnauthorized)
 			return
 		}