diff --git a/src/pages/api/mkworld/config.ts b/src/pages/api/mkworld/config.ts
index b9f563e8..e485bb5e 100644
--- a/src/pages/api/mkworld/config.ts
+++ b/src/pages/api/mkworld/config.ts
@@ -10,6 +10,8 @@ import { PassThrough } from "stream";
 import { execSync } from "child_process";
 import { updateLocalConf } from "~/utils/planet";
 import { ZT_FOLDER } from "~/utils/ztApi";
+import { getServerSession } from "next-auth/next";
+import { authOptions } from "~/server/auth";
 
 export const config = {
 api: {
@@ -18,6 +20,12 @@ export const config = {
 };
 
 export default async (req: NextApiRequest, res: NextApiResponse) => {
+ const session = await getServerSession(req, res, authOptions);
+ if (!session) {
+ res.status(401).json({ message: "Authorization Error" });
+ return;
+ }
+
 if (req.method === "GET") {
 try {
 const folderPath = path.resolve(`${ZT_FOLDER}/zt-mkworld`);
diff --git a/src/pages/api/planet.ts b/src/pages/api/planet.ts
index a9f53a08..181cdb8f 100644
--- a/src/pages/api/planet.ts
+++ b/src/pages/api/planet.ts
@@ -10,6 +10,10 @@ export const config = {
 };
 
 export default async (req: NextApiRequest, res: NextApiResponse) => {
+ // download planet file.
+ // The planet.custom is signed by the server, so it can be trusted.
+ // No authentication is required.
+
 if (req.method === "GET") {
 try {
 const folderPath = path.resolve(`${ZT_FOLDER}/zt-mkworld`);
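Review bot: The guard added at the top of the handler in mkworld/config.ts only proves that some session exists, so every signed-in account passes it. The file imports `execSync` and `updateLocalConf`, which suggests the route touches controller-wide state; if so, the check should also require an administrative role and answer 403 for a valid but unprivileged session. Something like `if (session.user.role !== "ADMIN") { res.status(403).json({ message: "Forbidden" }); return; }` would do it, where the role field and value are assumed and must match what `authOptions` puts into the session. The handler body continues outside the hunk, so the non-GET branches are not visible here.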
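Review bot: The comment added at the top of the handler in planet.ts uses the file's signature to justify skipping authentication, but a signature only lets the downloading client verify integrity; it does not decide who may read from this endpoint. The handler resolves the same `${ZT_FOLDER}/zt-mkworld` folder as the config route that now requires a session, and the rest of the body is outside the hunk, so it should be confirmed that nothing other than `planet.custom` can be returned from that folder. I would reword the comment to record the actual decision, for example `// Public by design: serves only planet.custom and never any other file from zt-mkworld.`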