diff --git a/WebAPI/Controllers/DataInboxController.cs b/WebAPI/Controllers/DataInboxController.cs
index d64bc75..3cc85b2 100644
--- a/WebAPI/Controllers/DataInboxController.cs
+++ b/WebAPI/Controllers/DataInboxController.cs
@@ -1,4 +1,5 @@
 using System.Data;
+using System.Text;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Data.SqlClient;
@@ -43,6 +44,61 @@ public class DataInboxController : Controller
 try
 {
+ if (
+ !Request.Headers.TryGetValue("Authorization", out var authHeader))
+ {
+ _logsController.AddEntry(new LogEntry
+ {
+ Title = $"Unauthorized request - no authorization header ({dataInbox.Source})",
+ Type = LogEntryType.Warning,
+ LogType = LogType.DataInbox,
+ CreatedAt = DateTime.UtcNow
+ });
+ return Unauthorized();
+ }
+
+ var credentialsArr = authHeader.ToString().Split(" ");
+ if (credentialsArr.Length != 2)
+ {
+ _logsController.AddEntry(new LogEntry
+ {
+ Title = $"Unauthorized request - wrong auth header format ({dataInbox.Source})",
+ Type = LogEntryType.Warning,
+ LogType = LogType.DataInbox,
+ CreatedAt = DateTime.UtcNow
+ });
+ return Unauthorized();
+ }
+
+ var authValue = Encoding.UTF8.GetString(Convert.FromBase64String(credentialsArr[1]));
+ var username = authValue.Split(':')[0];
+ var password = authValue.Split(':')[1];
+ if (username != _configuration["morska-user"] || password != _configuration["morska-pass"])
+ {
+ _logsController.AddEntry(new LogEntry
+ {
+ Title = $"Unauthorized request - bad credentials ({dataInbox.Source})",
+ Type = LogEntryType.Warning,
+ LogType = LogType.PowerBi,
+ CreatedAt = DateTime.UtcNow
+ });
+ return Unauthorized();
+ }
+
+ // check if datainbox.data is base64 encoded value
+ if (!string.IsNullOrEmpty(dataInbox.Data) && !IsBase64String(dataInbox.Data))
+ {
+ _logsController.AddEntry(new LogEntry
+ {
+ Title = $"Invalid data format - not base64 encoded ({dataInbox.Source})",
+ Type = LogEntryType.Warning,
+ LogType = LogType.DataInbox,
+ CreatedAt = DateTime.UtcNow
+ });
+ return BadRequest("Invalid data format - not base64 encoded");
+ }
+
+
 dataInbox.Id = Guid.NewGuid();
 dataInbox.CreatedAt = DateTime.UtcNow;
 _db.DataInbox.Add(dataInbox);
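Review bot: The credential parsing at `var username = authValue.Split(':')[0]; var password = authValue.Split(':')[1];` throws IndexOutOfRangeException when the decoded value contains no colon and truncates any password that itself contains a colon; `Convert.FromBase64String` likewise throws on a malformed payload, so a garbage Authorization header ends up in the enclosing catch instead of a 401. The scheme token `credentialsArr[0]` is never checked to be `Basic`, and the `!=` comparison against the configured secret is not constant-time; `CryptographicOperations.FixedTimeEquals` (needs `using System.Security.Cryptography;`) is the usual fix, and the configured values should be checked for presence so the endpoint fails closed when they are missing. The bad-credentials entry is logged with `LogType = LogType.PowerBi` while the neighbouring entries use `LogType.DataInbox`, which looks like a copy-paste slip. The method body and its catch block continue past the end of the hunk.
```csharp
// … unchanged: missing Authorization header check …
var credentialsArr = authHeader.ToString().Split(' ', 2);
if (credentialsArr.Length != 2 || !string.Equals(credentialsArr[0], "Basic", StringComparison.OrdinalIgnoreCase))
{
    // … unchanged: log "wrong auth header format" and return Unauthorized() …
}

byte[] decoded;
try
{
    decoded = Convert.FromBase64String(credentialsArr[1]);
}
catch (FormatException)
{
    return Unauthorized();
}

var authValue = Encoding.UTF8.GetString(decoded);
var separator = authValue.IndexOf(':');
var configuredUser = _configuration["morska-user"];
var configuredPass = _configuration["morska-pass"];
// Fail closed when the expected credentials are not configured or the payload has no "user:pass" shape.
if (separator < 0 || string.IsNullOrEmpty(configuredUser) || string.IsNullOrEmpty(configuredPass))
{
    return Unauthorized();
}

// Non-short-circuit '&' so both comparisons always run; FixedTimeEquals avoids a timing side channel on the secret.
var credentialsMatch =
    CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(authValue[..separator]), Encoding.UTF8.GetBytes(configuredUser))
    & CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(authValue[(separator + 1)..]), Encoding.UTF8.GetBytes(configuredPass));
if (!credentialsMatch)
{
    // … unchanged: log "bad credentials" (with LogType.DataInbox) and return Unauthorized() …
}
// … unchanged: base64 check on dataInbox.Data and the insert …
```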
@@ -77,4 +133,11 @@ public class DataInboxController : Controller
 {
 return Ok(_db.DataInbox);
 }
+
+ // helpers
+ private bool IsBase64String(string data)
+ {
+ var bytes = new Span(new byte[256]);
+ return Convert.TryFromBase64String(data, bytes, out _);
+ }
 }
\ No newline at end of file
diff --git a/WebAPI/Controllers/LayersController.cs b/WebAPI/Controllers/LayersController.cs
index 3f1a0da..e2ba6c6 100644
--- a/WebAPI/Controllers/LayersController.cs
+++ b/WebAPI/Controllers/LayersController.cs
@@ -230,7 +230,8 @@ public class LayersController : Controller
 {
 var importer = new MorskaFk2Importer(_db, _googleSheetValues, this);
 importer.Import(importWorker);
-
+ Thread.Sleep(5000); // be aware of GSheet API quota
+
 _logsController.AddEntry(new LogEntry
 {
 Title = $"{importWorker.Name}, {importWorker.Id}",
diff --git a/WebAPI/Program.cs b/WebAPI/Program.cs
index 4c6bdd4..eeb1d41 100644
--- a/WebAPI/Program.cs
+++ b/WebAPI/Program.cs
@@ -60,7 +60,9 @@ var app = builder.Build();
 app.Use(async (context, next) =>
 {
 var token = context.Request.Headers.Authorization.ToString();
- if (token.Length > 0 && !context.Request.Path.ToString().Contains("getForPowerBI")) {
+ if (token.Length > 0
+ && !context.Request.Path.ToString().Contains("getForPowerBI")
+ && !context.Request.Path.ToString().Contains("DataInbox/Add")) {
 var handler = new JwtSecurityTokenHandler();
 var data = handler.ReadJwtToken(token.Split(' ')[1]);
 context.Request.Headers.Append("UserId", new Microsoft.Extensions.Primitives.StringValues(data.Subject));
diff --git a/WebAPI/appsettings.Development.json b/WebAPI/appsettings.Development.json
index 6710150..86d3b65 100644
--- a/WebAPI/appsettings.Development.json
+++ b/WebAPI/appsettings.Development.json
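Review bot: `var bytes = new Span(new byte[256]);` in `IsBase64String` lacks the type argument (`Span<byte>`) and is unlikely to compile as written, and once fixed a 256-byte destination makes `Convert.TryFromBase64String` return false for any payload that decodes to more than 256 bytes, so valid larger uploads are rejected with the "not base64 encoded" BadRequest. Size the buffer from the input instead: `Span<byte> buffer = new byte[data.Length]; return Convert.TryFromBase64String(data, buffer, out _);` (decoded output is never longer than the base64 input). The helper touches no instance state and can be `private static`.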
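Review bot: `Thread.Sleep(5000); // be aware of GSheet API quota` blocks the request thread for five seconds after `importer.Import(importWorker)`; if the enclosing action is `async` (its signature is outside the hunk) this should be `await Task.Delay(5000);`, and either way a single fixed pause after the whole import does not bound the rate of the sheet calls made inside the importer. If the quota is the real concern, throttle or retry with backoff where the sheet API is called, and name the delay (`private const int SheetQuotaPauseMs = 5000;`) rather than leaving a magic number.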
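Review bot: The new exemption `&& !context.Request.Path.ToString().Contains("DataInbox/Add")` is a case-sensitive substring match on the path, while ASP.NET Core routes case-insensitively, so a request to a differently-cased path such as `/datainbox/add` would still reach `handler.ReadJwtToken(token.Split(' ')[1])` with a Basic credential and fail there; keying the bypass on the scheme, `if (token.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))`, would likely cover both exempted paths without a growing path list. Separately, `ReadJwtToken` parses the token without validating its signature, so the `UserId` header derived from it is only trustworthy if a later authorization stage validates the same token — worth confirming. The middleware lambda continues past the hunk.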
@@ -15,6 +15,8 @@
 "apiKey": "10763478CB738D4ecb2h76g803478CB738D4e",
 "powerBI-user": "powerbi",
 "powerBI-pass": "0F9C7E2D19FSLOCgKexz2h76g802tj6a",
+ "morska-user": "morska",
+ "morska-pass": "0F9C7E8CB738gK2h76g803478CB",
 "exportDirectory": "1eTyCUzYbzVQB8f8sbNmvnebFXyW2-axt",
 "appLogsFile": "13PuDvS3_HAYoSLOCgKexzlzIDLUilkApUF8QiJMTae0",
 "apiLocalUrl": "localhost:5400",
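Review bot: `"morska-pass"` adds a static Basic-auth secret to a committed appsettings file, so the credential that `DataInboxController` compares against now lives in source control and in every clone of the repository. Keep the keys but move the values out of the tracked file (user secrets or environment variables, which `IConfiguration` resolves under the same key names), leave a placeholder such as `"morska-pass": "<set-via-user-secrets>"` in the checked-in copy, and rotate the value that has already been committed. The same applies to the neighbouring `apiKey` and `powerBI-pass` entries visible in the context lines.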