diff --git a/node/ws.go b/node/ws.go
index d8a680f..22dc548 100644
--- a/node/ws.go
+++ b/node/ws.go
@@ -521,13 +521,17 @@ func (h *WSHub) authorizeSubscribe(c *wsClient, topic string) error {
 if authed == "" {
 return fmt.Errorf("inbox:* requires auth")
 }
- // If we have an x25519 mapping, enforce it; otherwise accept
- // (best-effort — identity may not be registered yet).
- if authX != "" {
- want := strings.TrimPrefix(topic, "inbox:")
- if want != authX {
- return fmt.Errorf("inbox:* only for your own x25519")
- }
+ // Hard-require a registered X25519 identity — otherwise an
+ // Ed25519-only identity could subscribe to ANY inbox topic by
+ // design (authX == "" skipped the equality check). Fixed: we
+ // now refuse the subscription until the client publishes an
+ // X25519 key via REGISTER_KEY.
+ if authX == "" {
+ return fmt.Errorf("inbox:* requires a registered X25519 identity (send REGISTER_KEY first)")
+ }
+ want := strings.TrimPrefix(topic, "inbox:")
+ if want != authX {
+ return fmt.Errorf("inbox:* only for your own x25519")
 }
 return nil
 }
@@ -536,11 +540,12 @@ func (h *WSHub) authorizeSubscribe(c *wsClient, topic string) error {
 if authed == "" {
 return fmt.Errorf("typing:* requires auth")
 }
- if authX != "" {
- want := strings.TrimPrefix(topic, "typing:")
- if want != authX {
- return fmt.Errorf("typing:* only for your own x25519")
- }
+ if authX == "" {
+ return fmt.Errorf("typing:* requires a registered X25519 identity")
+ }
+ want := strings.TrimPrefix(topic, "typing:")
+ if want != authX {
+ return fmt.Errorf("typing:* only for your own x25519")
 }
 return nil
 }
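Review bot: In the inbox:* branch the comparison `want != authX` now carries the whole authorization decision, so it is only as strong as the binding between the authenticated Ed25519 identity and `authX`, which is set outside this hunk (the function body starts before it). Please confirm that REGISTER_KEY only accepts an X25519 key signed by the authenticated Ed25519 key and refuses a key already bound to another identity; otherwise holding a registered key does not by itself prove ownership of the inbox. The added comment also reads like a changelog entry ("Fixed: we now refuse…"); I would leave the history to the commit message and state the invariant, e.g. `// inbox:<x25519> may be subscribed to only by the identity that registered that key; an empty authX must fail closed.` A regression test with an authenticated client that has no X25519 mapping would pin the new behaviour.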
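Review bot: The typing:* branch now repeats the inbox:* ownership check line for line, but with a different error text (no REGISTER_KEY hint) and no comment explaining the fail-closed rule, so the two copies can drift apart again the way the original `authX != ""` guard did. I would move the check into one helper that both branches return through, as sketched below; note that this gives typing:* the same REGISTER_KEY hint as inbox:*. The enclosing branch begins and ends outside the hunk, so the call site is shown only for the typing case.

```go
// … unchanged: authed == "" check for typing:* …
return requireOwnX25519(topic, "typing:", authX)

// requireOwnX25519 allows a subscription to prefix+<key> only when <key> is
// the caller's registered X25519 key. An empty authX fails closed, so an
// identity without a registered key can never match a topic.
func requireOwnX25519(topic, prefix, authX string) error {
	if authX == "" {
		return fmt.Errorf("%s* requires a registered X25519 identity (send REGISTER_KEY first)", prefix)
	}
	if strings.TrimPrefix(topic, prefix) != authX {
		return fmt.Errorf("%s* only for your own x25519", prefix)
	}
	return nil
}
```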