diff --git a/backend/.env b/backend/.env
index cdccb51..5784151 100644
--- a/backend/.env
+++ b/backend/.env
@@ -10,4 +10,6 @@ APP_SECRET=850da55654c68f779822ea80d2b66a94
 # DATABASE_URL="mysql://app:!ChangeMe!@127.0.0.1:3306/app?serverVersion=10.11.2-MariaDB&charset=utf8mb4"
 DATABASE_URL="postgresql://app:!ChangeMe!@127.0.0.1:5432/app?serverVersion=16&charset=utf8"
 ###< doctrine/doctrine-bundle ###
-DOT_DOT_URL='http://dot-dot.local'
\ No newline at end of file
+DOT_DOT_URL='http://dot-dot.local'
+
+API_TOKEN='secret'
\ No newline at end of file
diff --git a/backend/src/Api/Request/SignRequest.php b/backend/src/Api/Request/SignRequest.php
index ec12392..f3e6193 100644
--- a/backend/src/Api/Request/SignRequest.php
+++ b/backend/src/Api/Request/SignRequest.php
@@ -10,4 +10,5 @@ class SignRequest implements RequestDtoInterface
 {
 public string $url;
 public int $batch;
+ public string $apiToken;
 }
\ No newline at end of file
diff --git a/backend/src/Controller/SignController.php b/backend/src/Controller/SignController.php
index 4bc52cc..c7822b7 100644
--- a/backend/src/Controller/SignController.php
+++ b/backend/src/Controller/SignController.php
@@ -24,6 +24,6 @@ class SignController extends AbstractController
 {
 $token = $request->server->get('HTTP_AUTHORIZATION');
- return new JsonResponse($this->signService->signDocument($signRequest->url, $token, $signRequest->batch));
+ return new JsonResponse($this->signService->signDocument($signRequest, $token));
 }
 }
\ No newline at end of file
diff --git a/backend/src/SignService.php b/backend/src/SignService.php
index 6c427df..5a3b44e 100644
--- a/backend/src/SignService.php
+++ b/backend/src/SignService.php
@@ -6,9 +6,11 @@ namespace App;
 use App\Api\Api;
 use App\Api\ApiParams;
+use App\Api\Request\SignRequest;
 use App\Infrastructure\External\Api\BinaryStringFileResult;
 use Exception;
 use RuntimeException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 class SignService
 {
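Review bot: `API_TOKEN='secret'` is added to the tracked `backend/.env`, so any deployment that does not override it accepts a guessable shared token, and any real value later written here ends up in version control. Keep only an empty placeholder in this file, `API_TOKEN=`, and supply the real value from an untracked `.env.local`, the deployment environment, or the Symfony secrets vault. The check that consumes it in `SignService::signDocument` should then refuse every request while the configured value is empty, so a missing override fails closed.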
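Review bot: `public string $apiToken;` has no default and no validation visible in this hunk, so a payload that omits the field may leave the property uninitialised; the read in `SignService::signDocument` would then raise an `Error` instead of the intended 403 (this depends on how the DTO is hydrated, which is not shown). Give it a default, `public string $apiToken = '';`, and at the comparison replace `!==` with a constant-time, fail-closed check: `$expected = (string) ($_ENV['API_TOKEN'] ?? '');` followed by `if ($expected === '' || !hash_equals($expected, $request->apiToken)) { throw new AccessDeniedHttpException('Доступ запрещен'); }`. Since the secret now travels in the request body, confirm that request-body logging and error reporting do not record it. The class declaration and any attributes on it are outside the hunk.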
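Review bot: `$token` on the context line above the changed call comes from `$request->server->get('HTTP_AUTHORIZATION')`, which yields `null` when the header is absent, while `signDocument(SignRequest $request, string $token)` requires a string, so a call without the header ends in a `TypeError` rather than a clean 401. Reject it before reaching the service, e.g. `if (!is_string($token) || $token === '') { throw new UnauthorizedHttpException('Bearer', 'Missing Authorization header'); }`. Separately, `$signRequest->url` is caller-supplied and is handed to `download()` together with that Authorization value; if `download()` does not already restrict the host, validate it against the expected upstream before fetching. The method signature is outside the hunk.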
@@ -22,16 +24,20 @@ class SignService $this->devSignService = new DevSignService(); $this->prodSignService = new ProdSignService(); } - public function signDocument(string $url, string $token, int $batch): array + public function signDocument(SignRequest $request,string $token): array { + if ($_ENV['API_TOKEN'] !== $request->apiToken) { + throw new AccessDeniedHttpException('Доступ запрещен'); + } + $this->api->apiParams = $this->apiParams; try { - $document = $this->api->download($url, $token); + $document = $this->api->download($request->url, $token); $this->sign($document->tempFileName); - $response = $this->api->send($token, $document->tempFileName . '_sign.pdf', $batch); + $response = $this->api->send($token, $document->tempFileName . '_sign.pdf', $request->batch); $this->removeExistingDocument($document);