diff --git a/app/client/api.ts b/app/client/api.ts
index 502c74698..edee99342 100644
--- a/app/client/api.ts
+++ b/app/client/api.ts
@@ -184,7 +184,8 @@ export function getHeaders() {
 accessStore.enabledAccessControl() &&
 validString(accessStore.accessCode)
 ) {
- headers[authHeader] = makeBearer(
+ // access_code must send with header named `Authorization`, will using in auth middleware.
+ headers['Authorization'] = makeBearer(
 ACCESS_CODE_PREFIX + accessStore.accessCode,
 );
 }
diff --git a/app/client/platforms/anthropic.ts b/app/client/platforms/anthropic.ts
index b8eca6946..18c3decac 100644
--- a/app/client/platforms/anthropic.ts
+++ b/app/client/platforms/anthropic.ts
@@ -192,7 +192,8 @@ export class ClaudeApi implements LLMApi {
 headers: {
 ...getHeaders(), // get common headers
 "anthropic-version": accessStore.anthropicApiVersion,
- Authorization: getAuthKey(accessStore.anthropicApiKey),
+ // do not send `anthropicApiKey` in browser!!!
+ // Authorization: getAuthKey(accessStore.anthropicApiKey),
 },
 };
@@ -387,27 +388,3 @@ function trimEnd(s: string, end = " ") {
 return s;
 }
-
-function bearer(value: string) {
- return `Bearer ${value.trim()}`;
-}
-
-function getAuthKey(apiKey = "") {
- const accessStore = useAccessStore.getState();
- const isApp = !!getClientConfig()?.isApp;
- let authKey = "";
-
- if (apiKey) {
- // use user's api key first
- authKey = bearer(apiKey);
- } else if (
- accessStore.enabledAccessControl() &&
- !isApp &&
- !!accessStore.accessCode
- ) {
- // or use access code
- authKey = bearer(ACCESS_CODE_PREFIX + accessStore.accessCode);
- }
-
- return authKey;
-}
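Review bot: In app/client/api.ts, hard-coding `headers['Authorization']` in the access-code branch of getHeaders() can overwrite an `Authorization` value set earlier in the function whenever `authHeader` names a different header. The rest of the body is outside this hunk, so confirm that the API-key branch and this branch are mutually exclusive. This header carries the shared access code and is spread into provider requests through `...getHeaders()`, so the server-side handler should strip or replace it before forwarding upstream; presumably it does, but that is not visible here. The added comment would read better as `// The access code is always sent in the Authorization header, where the auth middleware reads it.`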
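Review bot: In app/client/platforms/anthropic.ts, the old `Authorization` line in the ClaudeApi request headers is left as commented-out code that calls `getAuthKey`, a helper this same commit deletes at the end of the file, so it cannot be restored as written and should be removed. The remaining comment says the Anthropic key is not sent from the browser, but `...getHeaders()` is still spread into these headers and most of its body is outside this diff. If getHeaders() attaches `accessStore.anthropicApiKey` under another header name, the comment is misleading and the key still leaves the browser, so verify that. Suggested replacement for both comment lines: `// Credentials are attached by getHeaders(); never add accessStore.anthropicApiKey here.` The enclosing method starts and ends outside the hunk.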