diff --git a/src/auth.ts b/src/auth.ts
index 4bedc62..fb8e760 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -5,7 +5,15 @@ import type { AuthResult, AuthServiceRpc, Tier } from './types.js';
 function isApiKey(token: string): boolean {
- return token.startsWith('sb_live_') || token.startsWith('sb_test_');
+ // Must match edge-auth's `resolvePrincipal` / `extractKeyPrefix` — edge-auth
+ // is the SoT for key format. The old `sb_*` checks are legacy from the
+ // pre-migration stackbilt-auth era and were never updated when edge-auth
+ // took over and started minting `ea_*` keys.
+ return (
+ token.startsWith('ea_') ||
+ token.startsWith('sb_live_') ||
+ token.startsWith('sb_test_')
+ );
 }
 function mapError(error?: string): string {
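Review bot: The prefix list in `isApiKey` is still a hand-copied literal of a format that the new comment says edge-auth owns, so the drift this commit fixes can recur the next time edge-auth changes its key format. Consider keeping the prefixes in one named constant, `const API_KEY_PREFIXES = ['ea_', 'sb_live_', 'sb_test_'] as const;` with `return API_KEY_PREFIXES.some((p) => token.startsWith(p));`, and adding a unit test that pins one sample token per prefix. Note also that `'ea_'` carries no environment segment, unlike `sb_live_`/`sb_test_`, so any bearer value beginning with `ea_` is now classified as an API key; that is safe only if the caller treats this as routing and the key is fully verified afterwards, which is not visible in this hunk. The comment could also say whether the legacy `sb_*` prefixes are still expected to validate or are kept only until old keys are retired.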