diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 6d60e52..7cc26ab 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -55,6 +55,9 @@ jobs:
       DB_PASSWORD_PROD: ${{ secrets.PROD_DB_PASSWORD }}
       REDIS_PASSWORD_PROD: ${{ secrets.PROD_REDIS_PASSWORD }}
       JWT_SECRET_PROD: ${{ secrets.PROD_JWT_SECRET }}
+      ORDER_SERVICE_KEY_PROD: ${{ secrets.PROD_ORDER_SERVICE_KEY }}
+
       DB_PASSWORD_DEV: ${{ secrets.DEV_DB_PASSWORD }}
       REDIS_PASSWORD_DEV: ${{ secrets.DEV_REDIS_PASSWORD }}
-      JWT_SECRET_DEV: ${{ secrets.DEV_JWT_SECRET }}
\ No newline at end of file
+      JWT_SECRET_DEV: ${{ secrets.DEV_JWT_SECRET }}
+      ORDER_SERVICE_KEY_DEV: ${{ secrets.DEV_ORDER_SERVICE_KEY }}
\ No newline at end of file
diff --git a/app/Http/Controllers/OrderController.php b/app/Http/Controllers/OrderController.php
index ebb4952..2050b19 100644
--- a/app/Http/Controllers/OrderController.php
+++ b/app/Http/Controllers/OrderController.php
@@ -88,4 +88,29 @@ public function show(Request $request, int $orderId)
 
         return response()->json(['data' => $order]);
     }
+
+    public function markPaid(int $orderId)
+    {
+        $order = \App\Models\Order::query()->findOrFail($orderId);
+
+        // če je že paid, pusti
+        if ($order->status !== 'paid') {
+            $order->status = 'paid';
+            $order->save();
+        }
+
+        return response()->json(['data' => $order]);
+    }
+
+    public function markFailed(int $orderId)
+    {
+        $order = \App\Models\Order::query()->findOrFail($orderId);
+
+        if ($order->status !== 'paid') {
+            $order->status = 'failed';
+            $order->save();
+        }
+
+        return response()->json(['data' => $order]);
+    }
 }
\ No newline at end of file
diff --git a/app/Http/Middleware/InternalServiceKey.php b/app/Http/Middleware/InternalServiceKey.php
new file mode 100644
index 0000000..aa18e14
--- /dev/null
+++ b/app/Http/Middleware/InternalServiceKey.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class InternalServiceKey
+{
+    public function handle(Request $request, Closure $next)
+    {
+        $key = (string) $request->header('X-Service-Key', '');
+        $expected = (string) env('ORDER_SERVICE_KEY', '');
+
+        if ($expected === '' || $key !== $expected) {
+            return response()->json(['message' => 'Unauthorized'], 401);
+        }
+
+        return $next($request);
+    }
+}
\ No newline at end of file
diff --git a/bootstrap/app.php b/bootstrap/app.php
index 75b58e0..30b0743 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -14,6 +14,7 @@
     ->withMiddleware(function (Middleware $middleware): void {
         $middleware->alias([
             'jwt' => \App\Http\Middleware\JwtAuth::class,
+            'service_key' => \App\Http\Middleware\InternalServiceKey::class,
         ]);
     })
     ->withExceptions(function (Exceptions $exceptions): void {
diff --git a/routes/api.php b/routes/api.php
index 62b2896..b1cf62e 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -51,3 +51,9 @@
     Route::get('/items', [OrderController::class, 'index']);
     Route::get('/items/{orderId}', [OrderController::class, 'show']);
 });
+
+
+Route::middleware('service_key')->prefix('internal')->group(function () {
+    Route::post('/items/{orderId}/mark-paid', [OrderController::class, 'markPaid']);
+    Route::post('/items/{orderId}/mark-failed', [OrderController::class, 'markFailed']);
+});
\ No newline at end of file