diff --git a/app/Http/Controllers/Api/TransactionController.php b/app/Http/Controllers/Api/TransactionController.php
index 31b9c21c..3075784c 100644
--- a/app/Http/Controllers/Api/TransactionController.php
+++ b/app/Http/Controllers/Api/TransactionController.php
@@ -4,7 +4,6 @@
 use App\Http\Controllers\Controller;
 use App\Http\Resources\TransactionResource;
-use App\Models\ApiKey;
 use App\Models\Earning;
 use App\Models\Spending;
 use Illuminate\Http\Request;
@@ -13,13 +12,8 @@ class TransactionController extends Controller
 {
 public function index(Request $request)
 {
- $apiKey = ApiKey::query()
- ->where('token', $request->header('api-key'))
- ->first();
-
- if (!$apiKey) {
- abort(401);
- }
+ /** @var ApiKey $apiKey */
+ $apiKey = $request->get('apiKey');
 $transactions = collect();
@@ -36,13 +30,8 @@ public function index(Request $request)
 public function store(Request $request)
 {
- $apiKey = ApiKey::query()
- ->where('token', $request->header('api-key'))
- ->first();
-
- if (!$apiKey) {
- abort(401);
- }
+ /** @var ApiKey $apiKey */
+ $apiKey = $request->get('apiKey');
 $spaceId = $apiKey->user->spaces()->first()->id;
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 3fb99324..22c202fd 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -58,6 +58,7 @@ class Kernel extends HttpKernel
 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
 'can' => \Illuminate\Auth\Middleware\Authorize::class,
 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
+ 'resolve-api-key' => \App\Http\Middleware\ResolveApiKey::class,
 'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
 'stripe' => \App\Http\Middleware\RedirectIfStripeAbsent::class,
 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
diff --git a/app/Http/Middleware/ResolveApiKey.php b/app/Http/Middleware/ResolveApiKey.php
new file mode 100644
index 00000000..313905a2
--- /dev/null
+++ b/app/Http/Middleware/ResolveApiKey.php
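Review bot: `$apiKey = $request->get('apiKey');` in the index() hunk (and identically in the store() hunk) reads the middleware's attribute through a lookup that, when the attribute is absent, falls back to the query string and request body, so any route that reaches this controller without the `resolve-api-key` alias would hand a client-supplied string to `$apiKey->user` and fail with a 500 rather than a 401. Read the attribute explicitly and fail closed: `$apiKey = $request->attributes->get('apiKey');` followed by `abort_unless($apiKey instanceof ApiKey, 401);`. The first hunk also drops `use App\Models\ApiKey;`, so the new `/** @var ApiKey $apiKey */` docblocks now resolve relative to the controller's own namespace and no longer name the model; keep the import, which the instanceof check needs anyway. Both methods continue past the end of their hunks.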
@@ -0,0 +1,26 @@
+where('token', $request->header('api-key'))
+ ->first();
+
+ if (!$apiKey) {
+ abort(401);
+ }
+
+ $request->attributes->add(['apiKey' => $apiKey]);
+
+ return $next($request);
+ }
+}
diff --git a/database/factories/ApiKeyFactory.php b/database/factories/ApiKeyFactory.php
new file mode 100644
index 00000000..36116345
--- /dev/null
+++ b/database/factories/ApiKeyFactory.php
@@ -0,0 +1,16 @@
+ Str::random(32),
+ ];
+ }
+}
diff --git a/routes/api.php b/routes/api.php
index 7c369b50..448a0986 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -6,5 +6,8 @@
 Route::post('/log-in', LogInController::class);
-Route::get('/transactions', [TransactionController::class, 'index']);
-Route::post('/transactions', [TransactionController::class, 'store']);
+Route::middleware('resolve-api-key')
+ ->group(function () {
+ Route::resource('transactions', TransactionController::class)
+ ->only(['index', 'store']);
+ });
diff --git a/tests/Feature/ResolveApiKeyMiddlewareTest.php b/tests/Feature/ResolveApiKeyMiddlewareTest.php
new file mode 100644
index 00000000..06240f96
--- /dev/null
+++ b/tests/Feature/ResolveApiKeyMiddlewareTest.php
@@ -0,0 +1,43 @@
+get('/api/transactions');
+
+ $response->assertStatus(401);
+ }
+
+ public function testWithWrongApikey(): void
+ {
+ $response = $this->get('/api/transactions', ['api_key' => 'WRONG_API_KEY']);
+
+ $response->assertStatus(401);
+ }
+
+ public function testWithCorrectApiKey(): void
+ {
+ $user = User::factory()
+ ->create();
+
+ $space = Space::factory()
+ ->create();
+
+ $user->spaces()->attach($space->id);
+
+ $apiKey = ApiKey::factory()
+ ->create(['user_id' => $user->id]);
+
+ $response = $this->get('/api/transactions', ['api_key' => $apiKey->token]);
+
+ $response->assertStatus(200);
+ }
+}
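Review bot: The lookup `where('token', $request->header('api-key'))` runs even when the header is missing, and Laravel's query builder turns a null value with the default operator into `WHERE token IS NULL`, so a header-less request would resolve to any key row whose token column is null unless the schema forbids that (the migration is not part of this diff). Reject an absent or empty header before touching the database: `$token = $request->header('api-key');` then `abort_unless(is_string($token) && $token !== '', 401);`, and pass `$token` to the query. The class header and the `handle()` signature are not visible here; the first lines of this new file appear to have been lost in extraction. It is also worth confirming that the token column uses a case-sensitive or binary collation, since a case-insensitive comparison would lower the effective entropy of the mixed-case tokens the factory hunk generates with `Str::random(32)`.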
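Review bot: testWithWrongApikey and testWithCorrectApiKey send a header named `api_key` while the middleware reads `api-key`; they appear to pass only because the test client maps the name to a `HTTP_API_KEY` server variable and the header bag normalises the underscore back to a dash, which hides a typo in either name and is fragile across framework upgrades. Send exactly what the middleware reads: `['api-key' => $apiKey->token]` (and `['api-key' => 'WRONG_API_KEY']`). The class declaration and the opening lines of the first test are outside what is visible in this hunk. A further case worth adding is a key row created without a token (if the column permits it) plus a header-less request, asserting 401, which pins the null-comparison edge of the middleware's `where('token', …)` lookup.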