diff --git a/image-lab/app/auth.py b/image-lab/app/auth.py
new file mode 100644
index 0000000..4d7af85
--- /dev/null
+++ b/image-lab/app/auth.py
@@ -0,0 +1,13 @@
+"""Windows image-render worker → NAS image-lab internal webhook 인증."""
+from __future__ import annotations
+
+import os
+from fastapi import Header, HTTPException
+
+
+def verify_internal_key(x_internal_key: str = Header(...)):
+    expected = os.getenv("INTERNAL_API_KEY")
+    if not expected:
+        raise HTTPException(401, "INTERNAL_API_KEY not configured on server")
+    if x_internal_key != expected:
+        raise HTTPException(401, "Invalid X-Internal-Key")
diff --git a/image-lab/tests/test_auth.py b/image-lab/tests/test_auth.py
new file mode 100644
index 0000000..eec7033
--- /dev/null
+++ b/image-lab/tests/test_auth.py
@@ -0,0 +1,19 @@
+import pytest
+from fastapi import HTTPException
+from app.auth import verify_internal_key
+
+def test_no_server_key_rejects(monkeypatch):
+    monkeypatch.delenv("INTERNAL_API_KEY", raising=False)
+    with pytest.raises(HTTPException) as e:
+        verify_internal_key("anything")
+    assert e.value.status_code == 401
+
+def test_wrong_key_rejects(monkeypatch):
+    monkeypatch.setenv("INTERNAL_API_KEY", "secret")
+    with pytest.raises(HTTPException) as e:
+        verify_internal_key("wrong")
+    assert e.value.status_code == 401
+
+def test_correct_key_passes(monkeypatch):
+    monkeypatch.setenv("INTERNAL_API_KEY", "secret")
+    assert verify_internal_key("secret") is None