diff --git a/challenges/strong-api-key/.gitignore b/challenges/strong-api-key/.gitignore
new file mode 100644
index 0000000..a9ea67c
--- /dev/null
+++ b/challenges/strong-api-key/.gitignore
@@ -0,0 +1,14 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+jwt-null-signature
diff --git a/challenges/strong-api-key/Dockerfile b/challenges/strong-api-key/Dockerfile
new file mode 100644
index 0000000..f99114a
--- /dev/null
+++ b/challenges/strong-api-key/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.23 AS builder
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . ./
+
+RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -o /strong-api-key .
+
+FROM gcr.io/distroless/static-debian11:nonroot AS runner
+
+WORKDIR /
+
+COPY --from=builder --chown=nonroot:nonroot /strong-api-key /usr/bin/strong-api-key
+
+EXPOSE 8080
+
+USER nonroot:nonroot
+
+ENTRYPOINT ["strong-api-key"]
+CMD ["serve"]
diff --git a/challenges/strong-api-key/cmd/root.go b/challenges/strong-api-key/cmd/root.go
new file mode 100644
index 0000000..18eb170
--- /dev/null
+++ b/challenges/strong-api-key/cmd/root.go
@@ -0,0 +1,25 @@
+package cmd
+
+import (
+ "os"
+
+ "github.com/cerberauth/api-vulns-challenges/challenges/strong-api-key/cmd/serve"
+
+ "github.com/spf13/cobra"
+)
+
+func NewRootCmd() (cmd *cobra.Command) {
+ var rootCmd = &cobra.Command{}
+ rootCmd.AddCommand(serve.NewServeCmd())
+ return rootCmd
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the RootCmd.
+func Execute() {
+ c := NewRootCmd()
+
+ if err := c.Execute(); err != nil {
+ os.Exit(1)
+ }
+}
diff --git a/challenges/strong-api-key/cmd/serve/root.go b/challenges/strong-api-key/cmd/serve/root.go
new file mode 100644
index 0000000..1c05f85
--- /dev/null
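Review bot: The last entry, `jwt-null-signature`, names the build output of a different challenge; the binary this module produces is `strong-api-key` (the Dockerfile builds `-o /strong-api-key` and the module path ends in `strong-api-key`), so a local `go build` in this directory would leave an unignored binary. Replace the entry with `strong-api-key`, or keep both if the line is intentionally shared across challenges.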
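Review bot: `NewRootCmd` declares a named result `cmd` that is never used; the body builds a separate local `rootCmd` and returns it, so the signature should be `func NewRootCmd() *cobra.Command {` (or the local dropped in favour of the named result). The comment on `Execute` is cobra-generator boilerplate and refers to a `RootCmd` that does not exist in this package; a comment matching the code would be `// Execute builds the root command via NewRootCmd, runs it, and exits with status 1 on error.` Nothing in `Execute` prints the error before `os.Exit(1)`; this relies on cobra's default of printing it itself, which only holds while `SilenceErrors` stays unset on the command.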
+++ b/challenges/strong-api-key/cmd/serve/root.go
@@ -0,0 +1,24 @@
+package serve
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/cerberauth/api-vulns-challenges/challenges/strong-api-key/serve"
+)
+
+var (
+ port string
+)
+
+func NewServeCmd() (serveCmd *cobra.Command) {
+ serveCmd = &cobra.Command{
+ Use: "serve",
+ Run: func(cmd *cobra.Command, args []string) {
+ serve.RunServer(port)
+ },
+ }
+
+ serveCmd.Flags().StringVarP(&port, "port", "p", "8080", "Port to listen on")
+
+ return serveCmd
+}
diff --git a/challenges/strong-api-key/go.mod b/challenges/strong-api-key/go.mod
new file mode 100644
index 0000000..910eec9
--- /dev/null
+++ b/challenges/strong-api-key/go.mod
@@ -0,0 +1,10 @@
+module github.com/cerberauth/api-vulns-challenges/challenges/strong-api-key
+
+go 1.20
+
+require github.com/spf13/cobra v1.8.1
+
+require (
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/spf13/pflag v1.0.5 // indirect
+)
diff --git a/challenges/strong-api-key/go.sum b/challenges/strong-api-key/go.sum
new file mode 100644
index 0000000..912390a
--- /dev/null
+++ b/challenges/strong-api-key/go.sum
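Review bot: `port` is a package-level variable that the `--port` flag writes into and the `Run` closure reads, so every command built by `NewServeCmd` shares one flag target and the state outlives the command. Declaring it inside the constructor keeps the state per command and removes the mutable package global: drop the `var ( port string )` block and make `var port string` the first line of `NewServeCmd`; the `StringVarP(&port, ...)` call and the closure are unchanged. `NewServeCmd` lacks a doc comment; `// NewServeCmd returns the "serve" subcommand, which starts the API on the port given by --port (default 8080).` would do.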
@@ -0,0 +1,10 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/challenges/strong-api-key/main.go b/challenges/strong-api-key/main.go
new file mode 100644
index 0000000..a8981cf
--- /dev/null
+++ b/challenges/strong-api-key/main.go
@@ -0,0 +1,7 @@
+package main
+
+import "github.com/cerberauth/api-vulns-challenges/challenges/strong-api-key/cmd"
+
+func main() {
+ cmd.Execute()
+}
diff --git a/challenges/strong-api-key/serve/server.go b/challenges/strong-api-key/serve/server.go
new file mode 100644
index 0000000..6298e1f
--- /dev/null
+++ b/challenges/strong-api-key/serve/server.go
@@ -0,0 +1,39 @@
+package serve
+
+import (
+ "crypto/rand"
+ "encoding/base64"
+ "fmt"
+ "log"
+ "net/http"
+)
+
+func generateStrongAPIKey() (string, error) {
+ b := make([]byte, 32)
+ _, err := rand.Read(b)
+ if err != nil {
+ return "", err
+ }
+ return base64.URLEncoding.EncodeToString(b), nil
+}
+
+func RunServer(port string) {
+ apiKey, err := generateStrongAPIKey()
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ fmt.Println("API Key:", apiKey)
+
+ http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ if r.Header.Get("X-API-Key") != apiKey {
+ w.WriteHeader(401)
+ return
+ }
+
+ w.WriteHeader(204)
+ })
+
+ log.Println("Server started at port", port)
+ log.Fatal(http.ListenAndServe(":"+port, nil))
+}
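Review bot: The key check in the handler, `if r.Header.Get("X-API-Key") != apiKey`, is a plain string comparison whose running time depends on how many leading bytes match; for a secret this should be `subtle.ConstantTimeCompare([]byte(r.Header.Get("X-API-Key")), []byte(apiKey)) != 1` (import `"crypto/subtle"`), which is the standard way to keep the comparison time independent of the input. `http.ListenAndServe(":"+port, nil)` starts a server with no read, write or idle timeouts, so a slow or stalled client holds a connection indefinitely; building an `http.Server` with explicit timeouts, as below, bounds that (the durations shown are illustrative, not taken from the project). The handler writes bare `401`/`204`; `http.StatusUnauthorized` and `http.StatusNoContent` say the same thing without the reader having to know the numbers. `fmt.Println("API Key:", apiKey)` puts the secret on stdout and therefore in container logs — presumably intended for the challenge, but a one-line comment stating that intent, `// The key is printed on purpose: the challenge expects the operator to read it from the process output.`, would stop a later reader from "fixing" it or, conversely, from treating it as safe.
```go
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// Constant-time compare so response time does not leak how much of the key matched.
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-API-Key")), []byte(apiKey)) != 1 {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})

	// Explicit timeouts so a stalled client cannot hold a connection open indefinitely.
	srv := &http.Server{
		Addr:              ":" + port,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	log.Println("Server started at port", port)
	log.Fatal(srv.ListenAndServe())
```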