OceanProtocolEnterprise · AdriGeorge · Apr 8, 2026
diff --git a/README.md b/README.md
@@ -23,6 +23,11 @@ MODE_PROXY=1
 MODE_PS=1
 # Optional: if set, POST / requires X-API-Key to match this value
 POLICY_SERVER_API_KEY=API_KEY_EXAMPLE
+# Optional: if set, GET/POST /node-access-list require this separate X-API-Key
+POLICY_SERVER_NODE_ACCESS_LIST_API_KEY=ACCESS_LIST_API_KEY_EXAMPLE
+# Comma-separated list of allowed Ocean Node addresses in `0x` + 40 hex format.
+# If this is empty or unset, node access-list authorization is disabled.
+POLICY_SERVER_NODE_ACCESS_LIST=0x1111111111111111111111111111111111111111,0x2222222222222222222222222222222222222222
 ```
 
 1. Start the Docker container:
@@ -40,6 +45,34 @@ POLICY_SERVER_API_KEY=API_KEY_EXAMPLE
 
 `POLICY_SERVER_API_KEY` is optional. If it is configured, requests to `POST /` must include `X-API-Key: <POLICY_SERVER_API_KEY>`, and missing or invalid keys are rejected with `401 Unauthorized` before any action is processed. If it is not configured, the Policy Server accepts requests without API key authentication.
 
+`POLICY_SERVER_NODE_ACCESS_LIST_API_KEY` is separate. If it is configured, requests to `GET /node-access-list` and `POST /node-access-list` must include `X-API-Key: <POLICY_SERVER_NODE_ACCESS_LIST_API_KEY>`.
+
+When `POLICY_SERVER_NODE_ACCESS_LIST` contains one or more addresses, Ocean Node caller authorization on `POST /` is enabled. Every Ocean Node action request must include:
+
+- `nodeAddress`
+
+`nodeAddress` must match the `0x` + 40 hex address format and must be present in `POLICY_SERVER_NODE_ACCESS_LIST`.
+
+The API key can also protect access-list management endpoints:
+
+- `GET /node-access-list`
+- `POST /node-access-list`
+
+These endpoints use `POLICY_SERVER_NODE_ACCESS_LIST_API_KEY`, not `POLICY_SERVER_API_KEY`.
+
+`POST /node-access-list` accepts a JSON body like:
+
+```json
+{
+  "addresses": [
+    "0x1111111111111111111111111111111111111111",
+    "0x2222222222222222222222222222222222222222"
+  ]
+}
+```
+
+This replaces the in-memory list for the running server process and mirrors the values into `process.env`. Sending an empty array disables env-based node access-list authorization for newly created app instances.
+
 - `initiate`
 - `getPD`
 - `presentationRequest`
@@ -65,6 +98,7 @@ POLICY_SERVER_API_KEY=API_KEY_EXAMPLE
 {
   "action": "initiate",
   "serviceId": "ff294c2e2c7d01bd5f9701abc117737917bb1f91044ba6b2d0903fc806db0d65",
+  "nodeAddress": "0xd727fb9be39fa019d7c02fea19e54d688da3a662",
   "consumerAddress": "0xd727fb9be39fa019d7c02fea19e54d688da3a662",
   "policyServer": {
     "sessionId": "",
@@ -565,6 +599,7 @@ Policy Server also replaces `response_uri` with `WALTID_VERIFY_RESPONSE_REDIRECT
 {
   "action": "download",
   "serviceId": "ff294c2e2c7d01bd5f9701abc117737917bb1f91044ba6b2d0903fc806db0d65",
+  "nodeAddress": "0xd727fb9be39fa019d7c02fea19e54d688da3a662",
   "consumerAddress": "0xd727fb9be39fa019d7c02fea19e54d688da3a662",
   "policyServer": {
     "successRedirectUri": "",
@@ -920,6 +955,7 @@ Policy Server also replaces `response_uri` with `WALTID_VERIFY_RESPONSE_REDIRECT
   "action": "startCompute",
   "documentId": "did1",
   "serviceId": "ff294c2e2c7d01bd5f9701abc117737917bb1f91044ba6b2d0903fc806db0d65",
+  "nodeAddress": "0xd727fb9be39fa019d7c02fea19e54d688da3a662",
   "consumerAddress": "0xd727fb9be39fa019d7c02fea19e54d688da3a662",
   "policyServer": [
     {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -41,6 +41,7 @@
     "@types/mocha": "^10.0.10",
     "@types/node": "^22.9.0",
     "@types/sinon": "^17.0.3",
+    "@types/supertest": "^7.2.0",
     "@types/swagger-ui-express": "^4.1.7",
     "@typescript-eslint/eslint-plugin": "^6.21.0",
     "@typescript-eslint/parser": "^6.21.0",

diff --git a/src/@types/policy.ts b/src/@types/policy.ts
@@ -1,5 +1,6 @@
 export type PolicyRequestPayload = {
   action: string
+  nodeAddress?: string
 } & Record<PropertyKey, any>
 
 export type PolicyRequestResponse = {

diff --git a/src/index.ts b/src/index.ts
@@ -12,19 +12,32 @@ import { downloadLogs } from './utils/logger.js'
 import dotenv from 'dotenv'
 import path from 'path'
 import { fileURLToPath } from 'url'
-import { policyServerApiKeyAuth } from './utils/auth.js'
+import { nodeAccessListApiKeyAuth, policyServerApiKeyAuth } from './utils/auth.js'
+import {
+  EnvNodeAccessListStore,
+  NodeRequestAuthenticator,
+  normalizeNodeAddresses
+} from './utils/nodeRequestAuth.js'
 
 dotenv.config()
 
-export function createApp(): express.Express {
+export function createApp(
+  nodeRequestAuthenticator: NodeRequestAuthenticator = NodeRequestAuthenticator.fromEnvironment()
+): express.Express {
   const app = express()
   const authType = process.env.AUTH_TYPE || 'waltid'
+  const nodeAccessListStore = EnvNodeAccessListStore.fromEnvironment()
 
   async function handlePolicyRequest(
     req: Request<{}, {}, PolicyRequestPayload>,
     res: Response
   ): Promise<void> {
     const { action, ...rest } = req.body
+    const authFailure = await nodeRequestAuthenticator.authenticate(req.body)
+    if (authFailure) {
+      res.status(authFailure.httpStatus).json(authFailure)
+      return
+    }
 
     const handler = PolicyHandlerFactory.createPolicyHandler(authType)
     if (handler == null) {
@@ -44,6 +57,52 @@ export function createApp(): express.Express {
   app.use(express.json())
 
   if (process.env.MODE_PS === '1') {
+    app.get(
+      '/node-access-list',
+      nodeAccessListApiKeyAuth,
+      (_req: Request, res: Response) => {
+        res.status(200).json({
+          success: true,
+          httpStatus: 200,
+          addresses: nodeAccessListStore.getAddresses()
+        })
+      }
+    )
+
+    app.post(
+      '/node-access-list',
+      nodeAccessListApiKeyAuth,
+      (req: Request<{}, {}, { addresses?: string[] }>, res: Response) => {
+        const { addresses } = req.body ?? {}
+
+        try {
+          if (!Array.isArray(addresses)) {
+            res.status(400).json({
+              success: false,
+              httpStatus: 400,
+              message: 'addresses must be an array of Ethereum addresses.'
+            })
+            return
+          }
+
+          nodeAccessListStore.setAddresses(normalizeNodeAddresses(addresses))
+        } catch {
+          res.status(400).json({
+            success: false,
+            httpStatus: 400,
+            message: 'Invalid Ethereum address in access list.'
+          })
+          return
+        }
+
+        res.status(200).json({
+          success: true,
+          httpStatus: 200,
+          addresses: nodeAccessListStore.getAddresses()
+        })
+      }
+    )
+
     app.post(
       '/',
       policyServerApiKeyAuth,

diff --git a/src/test/.env.test b/src/test/.env.test
@@ -11,3 +11,5 @@ ENABLE_LOGS=1
 MODE_PROXY=1
 MODE_PS=1
 POLICY_SERVER_API_KEY=test-secret
+POLICY_SERVER_NODE_ACCESS_LIST_API_KEY=list-secret
+POLICY_SERVER_NODE_ACCESS_LIST=0x1111111111111111111111111111111111111111