diff --git a/src/main.el b/src/main.el
index a9511a9..7f0596e 100644
--- a/src/main.el
+++ b/src/main.el
@@ -686,7 +686,7 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
         if !str_eq(pi_email, "") {
             let pi_email_enc: String = str_replace(str_replace(pi_email, "@", "%40"), "+", "%2B")
             let pi_search_url: String = "https://api.stripe.com/v1/customers/search?query=email%3A%22" + pi_email_enc + "%22&limit=1"
-            let pi_search: String = http_get_auth(pi_search_url, auth_header)
+            let pi_search: String = http_get_auth(pi_search_url, stripe_key)
             let pi_cus_id = json_get_string(pi_search, "id")
             if str_eq(pi_cus_id, "") {
                 let pi_name_enc: String = str_replace(pi_name, " ", "%20")
@@ -784,7 +784,7 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
 
         // 1. Search existing customers by email
         let lc_search_url: String = "https://api.stripe.com/v1/customers/search?query=email%3A%22" + lc_email_enc + "%22&limit=1"
-        let lc_search:     String = http_get_auth(lc_search_url, lc_auth)
+        let lc_search:     String = http_get_auth(lc_search_url, stripe_key)
         let lc_cus_id:     String = json_get_string(lc_search, "id")
 
         // 2. If none, create one. We always include supabase_user_id so the
@@ -1116,13 +1116,16 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
         }
         let attest_name:  String = json_get(body, "name")
         let attest_email: String = json_get(body, "email")
-        let attest_plan:  String = json_get(body, "plan")
         let attest_ts:    String = json_get(body, "timestamp")
         let attest_text:  String = json_get(body, "attestation")
         let attest_ua:    String = json_get(body, "user_agent")
         if str_eq(attest_email, "") {
             return "{\"error\":\"email required\"}"
         }
+        // Founding membership now requires $199 Stripe payment — the attestation
+        // form is a waitlist-only path. Server enforces this regardless of what
+        // the client submits as plan to prevent bypassing payment.
+        let attest_plan: String = "waitlist"
         let n_safe: String = str_replace(str_replace(attest_name, "\\", "\\\\"), "\"", "\\\"")
         let e_safe: String = str_replace(str_replace(attest_email, "\\", "\\\\"), "\"", "\\\"")
         let t_safe: String = str_replace(str_replace(attest_text, "\\", "\\\\"), "\"", "\\\"")