diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000000..c36ececb0c9
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,22 @@
+name: ci
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  tests:
+    name: Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.25.1"
+      
+      - name: tests
+        run: go test ../.
\ No newline at end of file
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index f969aacf638..acfc30431c9 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -7,6 +7,7 @@ import (
 )
 
 var ErrNoAuthHeaderIncluded = errors.New("no authorization header included")
+var ErrMalformedAuthHeader = errors.New("malformed authorization header")
 
 // GetAPIKey -
 func GetAPIKey(headers http.Header) (string, error) {
@@ -16,7 +17,7 @@ func GetAPIKey(headers http.Header) (string, error) {
 	}
 	splitAuth := strings.Split(authHeader, " ")
 	if len(splitAuth) < 2 || splitAuth[0] != "ApiKey" {
-		return "", errors.New("malformed authorization header")
+		return "", ErrMalformedAuthHeader
 	}
 
 	return splitAuth[1], nil
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
new file mode 100644
index 00000000000..94b42fe78f5
--- /dev/null
+++ b/internal/auth/auth_test.go
@@ -0,0 +1,63 @@
+package auth
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestGetAPIKey(t *testing.T) {
+	tests := []struct {
+		name        string
+		headerValue string
+		wantKey     string
+		wantErr     error
+	}{
+		{
+			name:        "missing authorization header",
+			headerValue: "",
+			wantErr:     ErrNoAuthHeaderIncluded,
+		},
+		{
+			name:        "malformed header",
+			headerValue: "ApiKey",
+			wantErr:     ErrNoAuthHeaderIncluded,
+		},
+		{
+			name:        "wrong auth scheme",
+			headerValue: "Bearer token",
+			wantErr:     ErrMalformedAuthHeader,
+		},
+		{
+			name:        "valid api key",
+			headerValue: "ApiKey my-key",
+			wantKey:     "my-key",
+			wantErr:     nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			headers := http.Header{}
+			if tt.headerValue != "" {
+				headers.Set("Authorization", tt.headerValue)
+			}
+
+			key, err := GetAPIKey(headers)
+
+			if tt.wantErr != nil {
+				if err != tt.wantErr {
+					t.Fatalf("expected error %v, got %v", tt.wantErr, err)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if key != tt.wantKey {
+				t.Fatalf("expected key %q, got %q", tt.wantKey, key)
+			}
+		})
+	}
+}