diff --git a/config.example.yaml b/config.example.yaml
index 0c3c237d..aee2fcb2 100644
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -15,6 +15,11 @@ remote-management:
 # Authentication directory (supports ~ for home directory)
 auth-dir: "~/.cli-proxy-api"
 
+# API keys for authentication
+api-keys:
+  - "your-api-key-1"
+  - "your-api-key-2"
+
 # Enable debug logging
 debug: false
 
diff --git a/internal/access/reconcile.go b/internal/access/reconcile.go
index eb0beb2d..7a69dd95 100644
--- a/internal/access/reconcile.go
+++ b/internal/access/reconcile.go
@@ -167,11 +167,11 @@ func ApplyAccessProviders(manager *sdkaccess.Manager, oldCfg, newCfg *config.Con
 
 	if len(added)+len(updated)+len(removed) > 0 {
 		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
-		log.Debugf("auth provider changes details - added=%v updated=%v removed=%v", added, updated, removed)
+		log.Debugf("auth providers changes details - added=%v updated=%v removed=%v", added, updated, removed)
 		return true, nil
 	}
 
-	// log.Debug("auth providers unchanged after config update")
+	log.Debug("auth providers unchanged after config update")
 	return false, nil
 }
 
diff --git a/internal/misc/credentials.go b/internal/misc/credentials.go
index 5a70e0f8..b03cd788 100644
--- a/internal/misc/credentials.go
+++ b/internal/misc/credentials.go
@@ -9,7 +9,7 @@ import (
 )
 
 // Separator used to visually group related log lines.
-var credentialSeparator = strings.Repeat("-", 70)
+var credentialSeparator = strings.Repeat("-", 67)
 
 // LogSavingCredentials emits a consistent log message when persisting auth material.
 func LogSavingCredentials(path string) {
diff --git a/internal/watcher/watcher.go b/internal/watcher/watcher.go
index b13f4679..1a2f720b 100644
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -456,6 +456,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 
 // reloadConfig reloads the configuration and triggers a full reload
 func (w *Watcher) reloadConfig() bool {
+	log.Debug("=========================== CONFIG RELOAD ============================")
 	log.Debugf("starting config reload from: %s", w.configPath)
 
 	newConfig, errLoadConfig := config.LoadConfig(w.configPath)
@@ -555,7 +556,7 @@ func (w *Watcher) reloadConfig() bool {
 
 // reloadClients performs a full scan and reload of all clients.
 func (w *Watcher) reloadClients(rescanAuth bool) {
-	log.Debugf("starting full client reload process")
+	log.Debugf("starting full client load process")
 
 	w.clientsMutex.RLock()
 	cfg := w.config
@@ -578,7 +579,7 @@ func (w *Watcher) reloadClients(rescanAuth bool) {
 	if rescanAuth {
 		// Load file-based clients when explicitly requested (startup or authDir change)
 		authFileCount = w.loadFileClients(cfg)
-		log.Debugf("loaded %d new file-based clients", authFileCount)
+		log.Debugf("loaded %d file-based clients", authFileCount)
 	} else {
 		// Preserve existing auth hashes and only report current known count to avoid redundant scans.
 		w.clientsMutex.RLock()
diff --git a/sdk/auth/gemini-web.go b/sdk/auth/gemini-web.go
index 3b2cdb2c..c56bc969 100644
--- a/sdk/auth/gemini-web.go
+++ b/sdk/auth/gemini-web.go
@@ -24,6 +24,6 @@ func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config,
 }
 
 func (a *GeminiWebAuthenticator) RefreshLead() *time.Duration {
-	d := 15 * time.Minute
+	d := time.Hour
 	return &d
 }
diff --git a/sdk/cliproxy/service.go b/sdk/cliproxy/service.go
index e5087a6d..be9f3716 100644
--- a/sdk/cliproxy/service.go
+++ b/sdk/cliproxy/service.go
@@ -12,7 +12,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/access"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	geminiwebclient "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web"
@@ -106,19 +105,6 @@ func newDefaultAuthManager() *sdkAuth.Manager {
 	)
 }
 
-func (s *Service) refreshAccessProviders(cfg *config.Config) {
-	if s == nil || s.accessManager == nil || cfg == nil {
-		return
-	}
-	s.cfgMu.RLock()
-	oldCfg := s.cfg
-	s.cfgMu.RUnlock()
-
-	if _, err := access.ApplyAccessProviders(s.accessManager, oldCfg, cfg); err != nil {
-		return
-	}
-}
-
 func (s *Service) ensureAuthUpdateQueue(ctx context.Context) {
 	if s == nil {
 		return
@@ -310,7 +296,6 @@ func (s *Service) Run(ctx context.Context) error {
 	// legacy clients removed; no caches to refresh
 
 	// handlers no longer depend on legacy clients; pass nil slice initially
-	s.refreshAccessProviders(s.cfg)
 	s.server = api.NewServer(s.cfg, s.coreManager, s.accessManager, s.configPath, s.serverOptions...)
 
 	if s.authManager == nil {
@@ -347,7 +332,6 @@ func (s *Service) Run(ctx context.Context) error {
 		if newCfg == nil {
 			return
 		}
-		s.refreshAccessProviders(newCfg)
 		if s.server != nil {
 			s.server.UpdateClients(newCfg)
 		}