diff --git a/core/cat/api_auth.py b/core/cat/api_auth.py
index a6088d49..1dac95a2 100644
--- a/core/cat/api_auth.py
+++ b/core/cat/api_auth.py
@@ -1,5 +1,7 @@
 import os
+import fnmatch
+from fastapi import Request
 from fastapi import Security, HTTPException
 from fastapi.security.api_key import APIKeyHeader
@@ -15,13 +17,15 @@ api_key_header = APIKeyHeader(name="access_token", auto_error=False)
-def check_api_key(api_key: str = Security(api_key_header)) -> None | str:
+def check_api_key(request: Request, api_key: str = Security(api_key_header)) -> None | str:
     """Authenticate endpoint.
     Check the provided key is available in API keys list.
     Parameters
     ----------
+    request : Request
+        HTTP request.
     api_key : str
         API keys to be checked.
@@ -38,6 +42,8 @@ def check_api_key(api_key: str = Security(api_key_header)) -> None | str:
     """
     if not API_KEY:
         return None
+    if fnmatch.fnmatch(request.url.path, "/admin*"):
+        return None
     if api_key in API_KEY:
         return api_key
     else:
diff --git a/core/cat/main.py b/core/cat/main.py
index 3437366b..ceae9508 100644
--- a/core/cat/main.py
+++ b/core/cat/main.py
@@ -33,12 +33,14 @@ async def lifespan(app: FastAPI):
     yield
+
 def custom_generate_unique_id(route: APIRoute):
     return f"{route.name}"
+
 # REST API
 cheshire_cat_api = FastAPI(
-    lifespan=lifespan,
+    lifespan=lifespan, dependencies=[Depends(check_api_key)],
     generate_unique_id_function=custom_generate_unique_id
 )
@@ -64,7 +66,6 @@ def custom_generate_unique_id(route: APIRoute):
 cheshire_cat_api.include_router(upload.router, tags=["Rabbit Hole"], prefix="/rabbithole")
 cheshire_cat_api.include_router(websocket.router, tags=["Websocket"])
-
 # mount static files
 # this cannot be done via fastapi.APIrouter:
 # https://github.com/tiangolo/fastapi/discussions/9070
@@ -93,7 +94,7 @@ async def validation_exception_handler(request, exc):
 # RUN!
 if __name__ == "__main__":
-
+
     # debugging utilities, to deactivate put `DEBUG=false` in .env
     debug_config = {}
     if os.getenv("DEBUG", "true") == "true":
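Review bot: The exemption added in the last hunk, `fnmatch.fnmatch(request.url.path, "/admin*")`, is a glob over the whole path, and `*` in fnmatch also matches `/`, so every present or future route whose path merely begins with `/admin` skips the key check rather than only the static admin mount; fnmatch also applies `os.path.normcase`, which makes the comparison case-insensitive on Windows. An explicit segment test is narrower and needs no new import: `if request.url.path == "/admin" or request.url.path.startswith("/admin/"):` followed by `return None`. The part of the docstring that lies between the second and third hunks should also state that requests for the admin UI return None without any key, and the `request` parameter documented in the second hunk as `HTTP request.` would be clearer as `Incoming request; its path decides whether the admin-UI exemption applies.`. check_api_key's body continues past the hunk.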
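Review bot: `dependencies=[Depends(check_api_key)]` on the app object in the first main.py hunk also attaches the check to the websocket router included below, while the dependency now declares `request: Request` and reads an `access_token` header; as far as I can tell FastAPI supplies a `Request` only to HTTP endpoints, and browser WebSocket clients cannot set custom handshake headers, so with `API_KEY` set the websocket handshake would likely error or be rejected rather than authenticate — worth verifying against the websocket route, whose path is not visible here. If that holds, attach the dependency per HTTP router (`include_router(..., dependencies=[Depends(check_api_key)])`) and give the websocket its own token check instead of the header. Stylistically, `lifespan=lifespan, dependencies=[Depends(check_api_key)],` packs two keyword arguments on one line while `generate_unique_id_function` keeps its own; put `dependencies=[Depends(check_api_key)],` on a separate line. The `lifespan` function whose `yield` opens the hunk starts outside it.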
diff --git a/core/cat/routes/static/admin.py b/core/cat/routes/static/admin.py
index 47b3a2a9..92e13a0b 100644
--- a/core/cat/routes/static/admin.py
+++ b/core/cat/routes/static/admin.py
@@ -25,14 +25,10 @@ def get_injected_admin():
     # - CORE_HOST
     # - CORE_PORT
     # - CORE_USE_SECURE_PROTOCOLS
-    # - API_KEY
-    # TODO: this is not secure nor useful, because if API_KEY is activated than the endpoint itself does not work.
-    # fix when user system is available
     cat_core_config = json.dumps({
         "CORE_HOST": os.getenv("CORE_HOST"),
         "CORE_PORT": os.getenv("CORE_PORT"),
         "CORE_USE_SECURE_PROTOCOLS": os.getenv("CORE_USE_SECURE_PROTOCOLS"),
-        "API_KEY": os.getenv("API_KEY"),
     })
     # the admin sttic build is created during docker build from this repo:
diff --git a/core/cat/routes/websocket.py b/core/cat/routes/websocket.py
index 397e5c06..43650fb1 100644
--- a/core/cat/routes/websocket.py
+++ b/core/cat/routes/websocket.py
@@ -1,7 +1,7 @@
 import traceback
 import asyncio
-from fastapi import APIRouter, WebSocket, WebSocketDisconnect
+from fastapi import APIRouter, WebSocketDisconnect, WebSocket
 from cat.log import log
 from fastapi.concurrency import run_in_threadpool
@@ -24,6 +24,7 @@ async def connect(self, websocket: WebSocket):
         """
         Accept the incoming WebSocket connection and add it to the active connections list.
         """
+        await websocket.accept()
         self.active_connections.append(websocket)
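Review bot: `await websocket.accept()` now runs inside `connect` in the last hunk, so an endpoint that already accepted the socket before calling `connect` would accept it twice, which Starlette rejects at runtime; the route that calls `connect` is outside this hunk, so confirm it no longer calls `accept()` itself. If the accept fails nothing needs undoing, because the append on the following line only happens after it returns. The existing docstring already promises "Accept the incoming WebSocket connection", so it now matches the code. `connect` begins outside the hunk (its signature appears only in the hunk header).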