diff --git a/gso/api/v1/subscriptions.py b/gso/api/v1/subscriptions.py
index 24c9307f1ce67371ea3f89c6f0888380ad7ea09c..9cc6075ac8bb4858e0354afb691b645a0bdcc1dd 100644
--- a/gso/api/v1/subscriptions.py
+++ b/gso/api/v1/subscriptions.py
@@ -8,13 +8,13 @@ from orchestrator.domain import SubscriptionModel
 from orchestrator.schemas import SubscriptionDomainModelSchema
 from orchestrator.services.subscriptions import build_extended_domain_model
 
-from gso.auth.security import opa_security_default
+from gso.auth.api_key_auth import get_api_key
 from gso.services.subscriptions import get_active_router_subscriptions
 
 router = APIRouter(
     prefix="/subscriptions",
     tags=["Subscriptions"],
-    dependencies=[Depends(opa_security_default)],
+    dependencies=[Depends(get_api_key)],
 )
 
 
diff --git a/gso/auth/api_key_auth.py b/gso/auth/api_key_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..c3fb362998d9ac5ea96d73b65f0dbf0ff92f381e
--- /dev/null
+++ b/gso/auth/api_key_auth.py
@@ -0,0 +1,20 @@
+"""Manage API key validation for FastAPI routes."""
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security.api_key import APIKeyHeader
+
+from gso.settings import load_oss_params
+
+API_KEY_NAME = "access_token"
+api_key_header = APIKeyHeader(name=API_KEY_NAME, auto_error=True)
+
+
+async def get_api_key(api_key: str = Depends(api_key_header)) -> str:
+    """Validate the provided API key against known third-party keys and returns it if valid, else raises HTTP 403."""
+    settings = load_oss_params()
+
+    # TODO: This is a simulated database of API keys which should be replace with a real one
+    if api_key in settings.THIRD_PARTY_API_KEYS:
+        return api_key
+
+    raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid API Key")
diff --git a/gso/oss-params-example.json b/gso/oss-params-example.json
index fa8616e4151a50175db13e52b48ed28513861133..7af29f351c6578a0fff9a64163514646b9dd8cce 100644
--- a/gso/oss-params-example.json
+++ b/gso/oss-params-example.json
@@ -73,5 +73,9 @@
     "broker_url": "redis://localhost:6379/0",
     "result_backend": "rpc://localhost:6379/0",
     "result_expires": 3600
+  },
+  "THIRD_PARTY_API_KEYS": {
+    "REALLY_random_AND_secure_T0keN": "Ansible Dynamic Inventory Generator",
+    "Another_REALLY_random_AND_secure_T0keN": "Application 2"
   }
 }
diff --git a/gso/settings.py b/gso/settings.py
index f05632ed3968d8f727c6d108618c0c80a5065ca8..ca0da591c00e829585db55c5a68731b3c44aac90 100644
--- a/gso/settings.py
+++ b/gso/settings.py
@@ -161,6 +161,7 @@ class OSSParams(BaseSettings):
     MONITORING: MonitoringParams
     PROVISIONING_PROXY: ProvisioningProxyParams
     CELERY: CeleryParams
+    THIRD_PARTY_API_KEYS: dict[str, str]
 
 
 def load_oss_params() -> OSSParams:
diff --git a/test/api/test_subscriptions.py b/test/api/test_subscriptions.py
index d56d2d582c21a89aa255e417a19dc04b38bff6e4..ebdeefef4466422f7aa0a30e41797a8c6d41cbc8 100644
--- a/test/api/test_subscriptions.py
+++ b/test/api/test_subscriptions.py
@@ -3,14 +3,28 @@ from orchestrator.types import SubscriptionLifecycle
 ROUTER_SUBSCRIPTION_ENDPOINT = "/api/v1/subscriptions/routers"
 
 
-def test_router_subscriptions_endpoint(test_client, nokia_router_subscription_factory):
+def test_router_subscriptions_endpoint_with_valid_api_key(test_client, nokia_router_subscription_factory):
     nokia_router_subscription_factory()
     nokia_router_subscription_factory()
     nokia_router_subscription_factory()
     nokia_router_subscription_factory(status=SubscriptionLifecycle.TERMINATED)
     nokia_router_subscription_factory(status=SubscriptionLifecycle.INITIAL)
 
-    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT)
+    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT, headers={"access_token": "REALY_random_AND_3cure_T0keN"})
 
     assert response.status_code == 200
     assert len(response.json()) == 3
+
+
+def test_router_subscriptions_endpoint_with_invalid_api_key(test_client, nokia_router_subscription_factory):
+    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT, headers={"access_token": "fake_invalid_api_key"})
+
+    assert response.status_code == 403
+    assert response.json() == {"detail": "Invalid API Key"}
+
+
+def test_router_subscriptions_endpoint_without_api_key(test_client, nokia_router_subscription_factory):
+    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT)
+
+    assert response.status_code == 403
+    assert response.json() == {"detail": "Not authenticated"}
diff --git a/test/conftest.py b/test/conftest.py
index edb1dffba401f2f57b5c140d171570468c7ee8e7..fac1c16889c64a670d2669d769617c988750ba98 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -204,6 +204,10 @@ def configuration_data() -> dict:
                 "result_backend": "rpc://localhost:6379/0",
                 "result_expires": 3600,
             },
+            "THIRD_PARTY_API_KEYS": {
+                "REALY_random_AND_3cure_T0keN": "LSO",
+                "another_REALY_random_AND_3cure_T0keN": "Application 2",
+            },
         }