diff --git a/cmd/metacrypt/server.go b/cmd/metacrypt/server.go
index 1b8e344..9112dd5 100644
--- a/cmd/metacrypt/server.go
+++ b/cmd/metacrypt/server.go
@@ -88,7 +88,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 engineRegistry.RegisterFactory(engine.EngineTypeTransit, transit.NewTransitEngine)
 engineRegistry.RegisterFactory(engine.EngineTypeUser, user.NewUserEngine)
- srv := server.New(cfg, sealMgr, authenticator, policyEngine, engineRegistry, auditLog, logger, version)
+ srv := server.New(cfg, database, sealMgr, authenticator, policyEngine, engineRegistry, auditLog, logger, version)
 grpcSrv := grpcserver.New(cfg, sealMgr, authenticator, policyEngine, engineRegistry, auditLog, logger)
 ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
diff --git a/internal/server/routes.go b/internal/server/routes.go
index b1de1a8..fa493a9 100644
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -11,6 +11,7 @@ import (
+ "git.wntrmute.dev/kyle/mcdsl/health"
 "git.wntrmute.dev/kyle/metacrypt/internal/audit"
 "git.wntrmute.dev/kyle/metacrypt/internal/auth"
 "git.wntrmute.dev/kyle/metacrypt/internal/barrier"
@@ -23,6 +24,9 @@ import (
 )
 func (s *Server) registerRoutes(r chi.Router) {
+ // Health check (database ping, no auth required).
+ r.Get("/healthz", health.Handler(s.database))
+
 // REST API routes — web UI served by metacrypt-web.
 r.Get("/v1/status", s.handleStatus)
 r.Post("/v1/init", s.handleInit)
diff --git a/internal/server/server.go b/internal/server/server.go
index 02815d9..7043613 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -3,6 +3,7 @@ package server
 import (
 "context"
+ "database/sql"
 "log/slog"
 "sync"
@@ -21,6 +22,7 @@ import (
 // Server is the Metacrypt HTTP server.
 type Server struct {
 cfg *config.Config
+ database *sql.DB
 seal *seal.Manager
 auth *auth.Authenticator
 policy *policy.Engine
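Review bot: The new `/healthz` route in `registerRoutes` is registered without authentication and, per its own comment, pings the database on each request, so any client that can reach the listener can cause database round-trips and learn whether the backing store is up. `health.Handler` lives in `mcdsl` and is not visible here; it should be confirmed that it bounds the ping with a timeout tied to the request context and answers with a bare status rather than the driver's error text. I would record that contract at the call site, e.g. `// Unauthenticated: must return only ok/unavailable, never the DB error string.` The check also says nothing about seal state, so a sealed instance will presumably report healthy; if that is intended for liveness probes, the comment should say so. The body of `registerRoutes` continues outside the hunk.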
@@ -35,10 +37,11 @@ type Server struct {
 }
 // New creates a new server.
-func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenticator,
+func New(cfg *config.Config, database *sql.DB, sealMgr *seal.Manager, authenticator *auth.Authenticator,
 policyEngine *policy.Engine, engineRegistry *engine.Registry, auditLog *audit.Logger, logger *slog.Logger, version string) *Server {
 s := &Server{
- cfg: cfg,
+ cfg: cfg,
+ database: database,
 seal: sealMgr,
 auth: authenticator,
 policy: policyEngine,
diff --git a/internal/server/server_test.go b/internal/server/server_test.go
index 0476be2..1d8ee5d 100644
--- a/internal/server/server_test.go
+++ b/internal/server/server_test.go
@@ -65,7 +65,7 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) {
 }
 logger := slog.Default()
- srv := New(cfg, sealMgr, authenticator, policyEngine, engineRegistry, nil, logger, "test")
+ srv := New(cfg, database, sealMgr, authenticator, policyEngine, engineRegistry, nil, logger, "test")
 r := chi.NewRouter()
 srv.registerRoutes(r)
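Review bot: `New` stores `database` without checking it for nil, while `registerRoutes` now hands `s.database` to `health.Handler` on an unauthenticated route; a nil handle would then probably surface as a panic on the first `/healthz` request rather than at start-up. Since `New` returns only `*Server` and cannot report an error, the doc comment should at least state the requirement, for example `// New creates a new server. database must be a non-nil, open handle; it is used by the /healthz check.` The body of `New` continues past the end of the hunk.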
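Review bot: The only test change in `setupTestServer` is the extra constructor argument, so the new `/healthz` route has no coverage. A test that issues `GET /healthz` through the router returned by this helper without a token, once with the database open and once after closing it, would pin both the no-auth behaviour and the failure status. `database` is defined above the hunk, so its lifetime inside the helper is not visible from here.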