diff --git a/src/Controller/Api/ApiAccountController.php b/src/Controller/Api/ApiAccountController.php
new file mode 100644
index 0000000..05678fb
--- /dev/null
+++ b/src/Controller/Api/ApiAccountController.php
@@ -0,0 +1,53 @@
+headers->get('X-App-Secret', '');
+
+ if ('' === $secret || !hash_equals($this->appSecret, $secret)) {
+ return $this->error('Secret invalide.', 401);
+ }
+
+ $data = json_decode($request->getContent(), true);
+ $email = $data['email'] ?? '';
+
+ if ('' === $email) {
+ return $this->error('Email requis.');
+ }
+
+ $user = $em->getRepository(User::class)->findOneBy(['email' => $email]);
+
+ if (!$user) {
+ return $this->error('Utilisateur introuvable.', 404);
+ }
+
+ return $this->success([
+ 'id' => $user->getId(),
+ 'stripeAccountId' => $user->getStripeAccountId(),
+ ]);
+ }
+}
diff --git a/tests/Controller/Api/ApiAccountControllerTest.php b/tests/Controller/Api/ApiAccountControllerTest.php
new file mode 100644
index 0000000..192305f
--- /dev/null
+++ b/tests/Controller/Api/ApiAccountControllerTest.php
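Review bot: `$email` is read from the decoded JSON body with no type check, so the `'' === $email` guard rejects only the empty string: a body whose `email` is an array, number or boolean passes it and reaches `findOneBy(['email' => $email])`, where Doctrine ORM turns an array value into an `IN (...)` criterion and the lookup no longer matches a single address. Narrow the value before the guard, e.g. `$email = \is_array($data) && \is_string($data['email'] ?? null) ? $data['email'] : '';`, so malformed bodies fall into the existing 'Email requis.' branch. The distinct 404 and 200 responses also tell any holder of the shared `X-App-Secret` which addresses have accounts and return their Stripe account id, so this route would benefit from rate limiting and an audit log entry per lookup. The top of the file (class declaration, constructor, route attribute) is missing from this page, so how `appSecret` is injected and which HTTP methods the route accepts cannot be checked here.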
@@ -0,0 +1,136 @@
+newInstanceWithoutConstructor();
+
+ $prop = $reflection->getProperty('appSecret');
+ $prop->setValue($controller, self::SECRET);
+
+ // Set the container to null-like state — we only use the trait helpers
+ $containerProp = (new \ReflectionClass(\Symfony\Bundle\FrameworkBundle\Controller\AbstractController::class))->getProperty('container');
+ $containerProp->setValue($controller, new \Symfony\Component\DependencyInjection\Container());
+
+ return $controller;
+ }
+
+ private function createEm(?User $user): EntityManagerInterface
+ {
+ $repo = $this->createMock(UserRepository::class);
+ $repo->method('findOneBy')->willReturn($user);
+
+ $em = $this->createMock(EntityManagerInterface::class);
+ $em->method('getRepository')->willReturn($repo);
+
+ return $em;
+ }
+
+ private function createUser(int $id, string $email, ?string $stripeAccountId = null): User
+ {
+ $user = $this->createMock(User::class);
+ $user->method('getId')->willReturn($id);
+ $user->method('getEmail')->willReturn($email);
+ $user->method('getStripeAccountId')->willReturn($stripeAccountId);
+
+ return $user;
+ }
+
+ private function makeRequest(string $email = '', string $secret = self::SECRET): Request
+ {
+ $request = Request::create('/api/account/lookup', 'POST', [], [], [], [], json_encode(['email' => $email]));
+ $request->headers->set('X-App-Secret', $secret);
+ $request->headers->set('Content-Type', 'application/json');
+
+ return $request;
+ }
+
+ public function testLookupSuccess(): void
+ {
+ $controller = $this->createController();
+ $user = $this->createUser(42, 'test@example.com', 'acct_123');
+ $em = $this->createEm($user);
+
+ $response = $controller->lookup($this->makeRequest('test@example.com'), $em);
+
+ self::assertSame(200, $response->getStatusCode());
+ $data = json_decode($response->getContent(), true);
+ self::assertTrue($data['success']);
+ self::assertSame(42, $data['data']['id']);
+ self::assertSame('acct_123', $data['data']['stripeAccountId']);
+ }
+
+ public function testLookupSuccessWithoutStripe(): void
+ {
+ $controller = $this->createController();
+ $user = $this->createUser(10, 'user@example.com');
+ $em = $this->createEm($user);
+
+ $response = $controller->lookup($this->makeRequest('user@example.com'), $em);
+
+ $data = json_decode($response->getContent(), true);
+ self::assertTrue($data['success']);
+ self::assertSame(10, $data['data']['id']);
+ self::assertNull($data['data']['stripeAccountId']);
+ }
+
+ public function testLookupInvalidSecret(): void
+ {
+ $controller = $this->createController();
+ $em = $this->createEm(null);
+
+ $response = $controller->lookup($this->makeRequest('test@example.com', 'wrong_secret'), $em);
+
+ self::assertSame(401, $response->getStatusCode());
+ $data = json_decode($response->getContent(), true);
+ self::assertFalse($data['success']);
+ self::assertSame('Secret invalide.', $data['error']);
+ }
+
+ public function testLookupEmptySecret(): void
+ {
+ $controller = $this->createController();
+ $em = $this->createEm(null);
+
+ $response = $controller->lookup($this->makeRequest('test@example.com', ''), $em);
+
+ self::assertSame(401, $response->getStatusCode());
+ }
+
+ public function testLookupMissingEmail(): void
+ {
+ $controller = $this->createController();
+ $em = $this->createEm(null);
+
+ $response = $controller->lookup($this->makeRequest(''), $em);
+
+ self::assertSame(400, $response->getStatusCode());
+ $data = json_decode($response->getContent(), true);
+ self::assertSame('Email requis.', $data['error']);
+ }
+
+ public function testLookupUserNotFound(): void
+ {
+ $controller = $this->createController();
+ $em = $this->createEm(null);
+
+ $response = $controller->lookup($this->makeRequest('notfound@example.com'), $em);
+
+ self::assertSame(404, $response->getStatusCode());
+ $data = json_decode($response->getContent(), true);
+ self::assertSame('Utilisateur introuvable.', $data['error']);
+ }
+}
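Review bot: The negative cases stop at a wrong or empty secret and an empty email string; nothing exercises a request body that is not valid JSON or an `email` value that is not a string, which is exactly the input the controller's `'' === $email` guard lets through to the repository. `makeRequest()` always sets `X-App-Secret`, so the header-absent path and a controller whose configured `appSecret` is itself empty (which should still answer 401) are not pinned either. I would add one test per case asserting that the request is rejected, plus `self::assertSame(200, $response->getStatusCode());` in `testLookupSuccessWithoutStripe`, which currently checks only the payload. The start of the test class, including the beginning of `createController()`, is not visible on this page.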