diff --git a/middleware/security.py b/middleware/security.py
index 98801dc..88df4f6 100644
--- a/middleware/security.py
+++ b/middleware/security.py
@@ -112,6 +112,7 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
         "/health",
         "/auth",
         "/api-keys/verify",
+        "/universign/webhook",
     ]
 
     def _is_excluded_path(self, path: str) -> bool:
@@ -137,6 +138,12 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
         auth_header = request.headers.get("Authorization")
         api_key_header = request.headers.get("X-API-Key")
 
+        if api_key_header:
+            logger.debug(f"🔑 API Key détectée pour {method} {path}")
+            return await self._handle_api_key_auth(
+                request, api_key_header, path, method, call_next
+            )
+
         if auth_header and auth_header.startswith("Bearer "):
             token = auth_header.split(" ")[1]
 
@@ -144,27 +151,16 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
                 logger.warning(
                     " API Key envoyée dans Authorization au lieu de X-API-Key"
                 )
-                api_key_header = token
-            else:
-                logger.debug(f" JWT détecté pour {method} {path}")
-                return await call_next(request)
+                return await self._handle_api_key_auth(
+                    request, token, path, method, call_next
+                )
 
-        if api_key_header:
-            logger.debug(f" API Key détectée pour {method} {path}")
-            return await self._handle_api_key_auth(
-                request, api_key_header, path, method, call_next
-            )
+            logger.debug(f"🎫 JWT détecté pour {method} {path} → délégation à FastAPI")
+            request.state.authenticated_via = "jwt"
+            return await call_next(request)
 
-        logger.warning(f" Aucune authentification: {method} {path}")
-        return JSONResponse(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            content={
-                "detail": "Authentification requise",
-                "hint": "Utilisez 'X-API-Key: sdk_live_xxx' ou 'Authorization: Bearer '",
-                "path": path,
-            },
-            headers={"WWW-Authenticate": 'Bearer realm="API", charset="UTF-8"'},
-        )
+        logger.debug(f" Aucune auth pour {method} {path} → délégation à FastAPI")
+        return await call_next(request)
 
     async def _handle_api_key_auth(
         self,
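Review bot: Adding `"/universign/webhook"` to the excluded list means requests to that path reach the handler with no check done by this middleware at all, and nothing in the hunk records that the handler is expected to authenticate the callback itself. Suggest a comment beside the new entry, `# exempt from API-key auth: the webhook handler must verify the callback on its own`, so the next reader does not assume the path is protected here. It is also worth confirming how `_is_excluded_path` matches (exact path versus prefix), since a prefix match would extend the exemption to anything under `/universign/`; its body lies outside this hunk.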
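Review bot: Placing the `X-API-Key` check before the `Authorization` check introduces an unstated precedence: a request carrying both headers is decided by the API key alone and the bearer token is never examined. A one-line comment above the new `if api_key_header:` such as `# X-API-Key wins over Authorization when both are present` would make that deliberate. The dispatch method this sits in starts before the hunk, and `_handle_api_key_auth` is defined further down, so what happens on an invalid key is not visible here.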
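Review bot: `request.state.authenticated_via = "jwt"` is assigned for any request whose Authorization header merely starts with `Bearer ` and is not an API key; the token has not been validated at that point, so downstream code reading the attribute could take it as evidence of a completed authentication. Either document it at that line, `# scheme hint only: the JWT is validated by the FastAPI dependency, not here`, or use a name that does not imply verification (an attribute such as `auth_scheme`, if nothing else reads `authenticated_via`). Further down, the unauthenticated fall-through now calls `call_next` where a 401 used to be returned, so every non-excluded route now depends on its own FastAPI auth dependency for enforcement; a comment at that line, `# no credentials: enforcement is left to each route's dependency`, plus a test exercising a route with no dependency would catch a route added without one. The dispatch method's body begins before this hunk, so whether any earlier check compensates cannot be seen here.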
@@ -196,7 +192,7 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
         is_allowed, rate_info = await service.check_rate_limit(api_key_obj)
 
         if not is_allowed:
-            logger.warning(f"⚠️ Rate limit: {api_key_obj.name}")
+            logger.warning(f" Rate limit: {api_key_obj.name}")
             return JSONResponse(
                 status_code=status.HTTP_429_TOO_MANY_REQUESTS,
                 content={"detail": "Rate limit dépassé"},
diff --git a/scripts/manage_security.py b/scripts/manage_security.py
index 6c5ac01..1e5cab9 100644
--- a/scripts/manage_security.py
+++ b/scripts/manage_security.py
@@ -162,7 +162,7 @@ async def create_api_key(
    logger.info(" Endpoints: Tous (aucune restriction)")
    logger.info("=" * 70)
 
-    logger.info("⚠️ SAUVEGARDEZ CETTE CLÉ - Elle ne sera plus affichée !")
+    logger.info(" SAUVEGARDEZ CETTE CLÉ - Elle ne sera plus affichée !")
 
    logger.info("=" * 70)