diff --git a/video-lab/app/auth.py b/video-lab/app/auth.py
new file mode 100644
index 0000000..4d781ad
--- /dev/null
+++ b/video-lab/app/auth.py
@@ -0,0 +1,17 @@
+"""SP-8 — Windows worker → NAS video-lab internal webhook 인증.
+
+X-Internal-Key 헤더를 .env의 INTERNAL_API_KEY와 비교.
+서버 측 키 미설정 시 401 (안전한 기본값).
+"""
+from __future__ import annotations
+
+import os
+from fastapi import Header, HTTPException
+
+
+def verify_internal_key(x_internal_key: str = Header(...)):
+ expected = os.getenv("INTERNAL_API_KEY")
+ if not expected:
+ raise HTTPException(401, "INTERNAL_API_KEY not configured on server")
+ if x_internal_key != expected:
+ raise HTTPException(401, "Invalid X-Internal-Key")
diff --git a/video-lab/tests/__init__.py b/video-lab/tests/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/video-lab/tests/test_auth.py b/video-lab/tests/test_auth.py
new file mode 100644
index 0000000..6de73d3
--- /dev/null
+++ b/video-lab/tests/test_auth.py
@@ -0,0 +1,23 @@
+"""verify_internal_key — Windows video-render webhook 인증."""
+import pytest
+from fastapi import HTTPException
+from app.auth import verify_internal_key
+
+
+def test_valid_key_passes(monkeypatch):
+ monkeypatch.setenv("INTERNAL_API_KEY", "secret123")
+ verify_internal_key(x_internal_key="secret123")
+
+
+def test_invalid_key_raises_401(monkeypatch):
+ monkeypatch.setenv("INTERNAL_API_KEY", "secret123")
+ with pytest.raises(HTTPException) as exc:
+ verify_internal_key(x_internal_key="wrong")
+ assert exc.value.status_code == 401
+
+
+def test_missing_env_key_raises_401(monkeypatch):
+ monkeypatch.delenv("INTERNAL_API_KEY", raising=False)
+ with pytest.raises(HTTPException) as exc:
+ verify_internal_key(x_internal_key="any")
+ assert exc.value.status_code == 401
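Review bot: The key check in `verify_internal_key` (video-lab/app/auth.py) uses `x_internal_key != expected`, an ordinary string comparison whose running time depends on how many leading characters match, so response timing can reveal information about the key. Compare in constant time instead: add `import hmac` and use `if not hmac.compare_digest(x_internal_key.encode(), expected.encode()):`; encoding to bytes avoids the TypeError that `compare_digest` raises for non-ASCII `str` input. The unconfigured-key branch also tells an unauthenticated caller that the server has no key set. Returning the same generic 401 detail as the mismatch branch and logging the misconfiguration server-side would keep that state private.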
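Review bot: The fail-closed path in video-lab/tests/test_auth.py is only exercised with the variable unset (`monkeypatch.delenv`); nothing pins the case where `INTERNAL_API_KEY` is set to an empty string and the caller sends an empty header. That is the case where a regression to a plain equality check would accept every request, so it deserves its own test, sketched below. The tests also call the function directly, so they do not show that any route declares it as a dependency or what a request without the header receives. A `TestClient` request against a protected route would cover both, if such a route exists elsewhere in this change.
```python
def test_empty_env_key_rejects_empty_header(monkeypatch):
    monkeypatch.setenv("INTERNAL_API_KEY", "")
    with pytest.raises(HTTPException) as exc:
        verify_internal_key(x_internal_key="")
    assert exc.value.status_code == 401
```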