diff --git a/src/alpine_bits_python/api.py b/src/alpine_bits_python/api.py index 566ae06..b39f0ba 100644 --- a/src/alpine_bits_python/api.py +++ b/src/alpine_bits_python/api.py @@ -1,6 +1,7 @@ from fastapi import FastAPI, HTTPException, BackgroundTasks, Request, Depends, APIRouter, Form, File, UploadFile from fastapi.middleware.cors import CORSMiddleware from fastapi.security import HTTPBearer, HTTPBasicCredentials, HTTPBasic +from .config_loader import load_config from fastapi.responses import HTMLResponse, PlainTextResponse, Response from .models import WixFormSubmission from .auth import validate_api_key, validate_wix_signature, generate_api_key @@ -24,9 +25,13 @@ from .alpinebits_server import AlpineBitsServer, Version import urllib.parse + # HTTP Basic auth for AlpineBits security_basic = HTTPBasic() +# Load config at startup +config = load_config() + # Configure logging logging.basicConfig(level=logging.INFO) logger = logging.getLogger(__name__) 
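Review bot: `from .config_loader import load_config` is inserted in the middle of the third-party `fastapi` import group, while the file's other local imports (`.models`, `.auth`) sit together below it; the new line belongs with those so the stdlib / third-party / local grouping stays intact. The import itself is fine, this is placement only.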
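Review bot: `config = load_config()` runs at import time, and nothing next to it checks that the loaded mapping actually contains the `alpine_bits_auth` key that `validate_basic_auth` later indexes, so a missing or misspelled section only surfaces as an unhandled KeyError (an HTTP 500) on the first authenticated request rather than at startup. A check beside the load, e.g. `if 'alpine_bits_auth' not in config: raise RuntimeError("config: 'alpine_bits_auth' section is required")`, fails the process at boot with a clear message instead. Whether load_config performs its own validation is not visible from this hunk.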
@@ -317,18 +322,25 @@ async def validate_basic_auth(credentials: HTTPBasicCredentials = Depends(securi Validate basic authentication for AlpineBits protocol. Returns username if valid, raises HTTPException if not. """ - # In production, validate against your user database - # For demo purposes, we'll accept any non-empty credentials + # Accept any username/password pair present in config['alpine_bits_auth'] if not credentials.username or not credentials.password: raise HTTPException( status_code=401, detail="ERROR: Authentication required", headers={"WWW-Authenticate": "Basic"}, ) - - # In a real implementation, you'd validate these credentials - # For now, we'll just return the username - logger.info(f"AlpineBits authentication successful for user: {credentials.username}") + valid = False + for entry in config['alpine_bits_auth']: + if credentials.username == entry['username'] and credentials.password == entry['password']: + valid = True + break + if not valid: + raise HTTPException( + status_code=401, + detail="ERROR: Invalid credentials", + headers={"WWW-Authenticate": "Basic"}, + ) + logger.info(f"AlpineBits authentication successful for user: {credentials.username} (from config)") return credentials.username @@ -466,7 +478,7 @@ async def alpinebits_server_handshake( if "multipart/form-data" not in content_type and "application/x-www-form-urlencoded" not in content_type: raise HTTPException( status_code=400, - detail="ERROR: Content-Type must be multipart/form-data" + detail="ERROR: Content-Type must be multipart/form-data or application/x-www-form-urlencoded" ) # Parse multipart data
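Review bot: The new loop compares the supplied username and password against each config entry with `==`, whose running time depends on the first differing character; for a password check the stdlib `secrets.compare_digest` is the conventional constant-time comparison (this needs `import secrets` added to the file's top-level imports, which are outside this hunk). The loop also indexes `config['alpine_bits_auth']`, `entry['username']` and `entry['password']` with no guard, so a malformed config file turns into an unhandled KeyError (HTTP 500) instead of a 401, and using `.get` with empty defaults keeps the failure mode a plain rejection. The config appears to hold passwords in cleartext; if that is the case, storing a hash and comparing digests would be the safer arrangement, but config_loader is not part of this diff so that is an observation rather than a finding. The `async def validate_basic_auth` signature sits before the start of the hunk.
```python
    # … unchanged: empty-credential 401 check …
    # compare as bytes: secrets.compare_digest only accepts str when both sides are ASCII
    valid = any(
        secrets.compare_digest(credentials.username.encode(), str(entry.get('username', '')).encode())
        and secrets.compare_digest(credentials.password.encode(), str(entry.get('password', '')).encode())
        for entry in config.get('alpine_bits_auth', [])
    )
    if not valid:
    # … unchanged: invalid-credentials 401, log line and return …
```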