diff --git a/src/lib/ae_core/ae_core__site.ts b/src/lib/ae_core/ae_core__site.ts
index 59aa3bdb..7f93f282 100644
--- a/src/lib/ae_core/ae_core__site.ts
+++ b/src/lib/ae_core/ae_core__site.ts
@@ -99,12 +99,14 @@ export async function lookup_site_domain({
     api_cfg,
     fqdn,
     view = 'default',
-    log_lvl = 0
+    log_lvl = 0,
+    access_key
 }: {
     api_cfg: any;
     fqdn: string;
     view?: string;
     log_lvl?: number;
+    access_key?: string;
 }): Promise<ae_SiteDomain | null> {
     if (log_lvl) {
         console.log(`*** lookup_site_domain() *** fqdn=${fqdn} (Cache-First)`);
@@ -125,7 +127,8 @@ export async function lookup_site_domain({
                 api_cfg,
                 fqdn,
                 view,
-                log_lvl: 0
+                log_lvl: 0,
+                access_key
             });
 
             return cached as any;
@@ -139,7 +142,8 @@ export async function lookup_site_domain({
         api_cfg,
         fqdn,
         view,
-        log_lvl
+        log_lvl,
+        access_key
     });
 }
 
@@ -150,7 +154,8 @@ async function _refresh_site_domain_background({
     api_cfg,
     fqdn,
     view,
-    log_lvl
+    log_lvl,
+    access_key
 }: any) {
     try {
         const guest_api_cfg = { ...api_cfg };
@@ -172,10 +177,20 @@ async function _refresh_site_domain_background({
         delete guest_api_cfg.jwt;
         delete guest_api_cfg.account_id;
 
-        const search_query = {
+        const search_query: any = {
             and: [{ field: 'fqdn', op: 'eq', value: fqdn }]
         };
 
+        // If the caller provided an access_key (from the URL), include it
+        // so the server can match restricted domains. Omit empty/falsy keys.
+        if (access_key) {
+            search_query.and.push({
+                field: 'access_key',
+                op: 'eq',
+                value: access_key
+            });
+        }
+
         const result_li = await api.search_ae_obj({
             api_cfg: guest_api_cfg,
             obj_type: 'site_domain',
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
index abb1d10b..0e8a1495 100644
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -119,6 +119,8 @@ export async function load({ fetch, params, parent, route, url }) {
     };
 
     const fqdn = url.host;
+    // Optional access key provided via URL `?key=...` to support restricted site domains
+    const access_key = url.searchParams.get('key') || undefined;
 
     let result: any = null;
     let api_error = false;
@@ -272,7 +274,8 @@ export async function load({ fetch, params, parent, route, url }) {
                 api_cfg: bootstrap_api_cfg,
                 fqdn,
                 view: 'base',
-                log_lvl
+                log_lvl,
+                access_key
             });
             if (log_lvl)
                 console.log(
@@ -296,7 +299,8 @@ export async function load({ fetch, params, parent, route, url }) {
             api_cfg: ae_api_init,
             fqdn,
             view: 'base',
-            log_lvl: 0
+            log_lvl: 0,
+            access_key
         });
     }