diff --git a/src/ZB.MOM.WW.MxGateway.Server/Sessions/GatewaySession.cs b/src/ZB.MOM.WW.MxGateway.Server/Sessions/GatewaySession.cs
index 4a14a91..fc89d76 100644
--- a/src/ZB.MOM.WW.MxGateway.Server/Sessions/GatewaySession.cs
+++ b/src/ZB.MOM.WW.MxGateway.Server/Sessions/GatewaySession.cs
@@ -30,6 +30,11 @@ public sealed class GatewaySession
     /// <param name="startupTimeout">Timeout for worker process startup.</param>
     /// <param name="shutdownTimeout">Timeout for worker process shutdown.</param>
     /// <param name="openedAt">Timestamp when the session opened.</param>
+    /// <remarks>
+    ///     Constructs a session with no owner key (<see cref="OwnerKeyId"/> will be null).
+    ///     Authenticated call sites that have a resolved API key identity must use the
+    ///     12-parameter overload and pass the caller's key id explicitly.
+    /// </remarks>
     public GatewaySession(
         string sessionId,
         string backendName,
diff --git a/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceTests.cs b/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceTests.cs
index 26b8aa4..5ddc009 100644
--- a/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceTests.cs
+++ b/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceTests.cs
@@ -45,6 +45,7 @@ public sealed class MxAccessGatewayServiceTests
         Assert.Equal(ProtocolStatusCode.Ok, reply.ProtocolStatus.Code);
         Assert.Contains("unary-invoke", reply.Capabilities);
         Assert.Equal("Operator Key", sessionManager.LastClientIdentity);
+        Assert.Equal("operator01", sessionManager.LastOwnerKeyId);
         Assert.Equal("operator-session", sessionManager.LastOpenRequest?.ClientSessionName);
     }
 
@@ -508,6 +509,9 @@ public sealed class MxAccessGatewayServiceTests
         /// <summary>The last client identity passed to OpenSessionAsync.</summary>
         public string? LastClientIdentity { get; private set; }
 
+        /// <summary>The last owner key id passed to OpenSessionAsync.</summary>
+        public string? LastOwnerKeyId { get; private set; }
+
         /// <summary>The last session ID passed to ReadEventsAsync.</summary>
         public string? LastReadEventsSessionId { get; private set; }
 
@@ -550,6 +554,7 @@ public sealed class MxAccessGatewayServiceTests
         {
             LastOpenRequest = request;
             LastClientIdentity = clientIdentity;
+            LastOwnerKeyId = ownerKeyId;
 
             return Task.FromResult(OpenSessionResult ?? CreateSession("session-1", processId: 1234));
         }