diff --git a/deploy/docker/auth.py b/deploy/docker/auth.py
index 6fcef3399..ebc4eea1f 100644
--- a/deploy/docker/auth.py
+++ b/deploy/docker/auth.py
@@ -70,4 +70,5 @@ def jwt_required(credentials: HTTPAuthorizationCredentials = Depends(security))
 
 
 class TokenRequest(BaseModel):
-    email: EmailStr
\ No newline at end of file
+    email: EmailStr
+    api_token: Optional[str] = None
\ No newline at end of file
diff --git a/deploy/docker/config.yml b/deploy/docker/config.yml
index db3193a69..8175c2e1e 100644
--- a/deploy/docker/config.yml
+++ b/deploy/docker/config.yml
@@ -44,6 +44,7 @@ rate_limiting:
 security:
   enabled: false
   jwt_enabled: false
+  api_token: "" # When set, /token endpoint requires this secret to issue JWTs
   https_redirect: false
   trusted_hosts: ["*"]
   headers:
diff --git a/deploy/docker/server.py b/deploy/docker/server.py
index 7ae1adb8b..3c9c05f3e 100644
--- a/deploy/docker/server.py
+++ b/deploy/docker/server.py
@@ -303,6 +303,9 @@ def _safe_eval_config(expr: str) -> dict:
 # ──────────────────────── Endpoints ──────────────────────────
 @app.post("/token")
 async def get_token(req: TokenRequest):
+    expected_token = config.get("security", {}).get("api_token", "")
+    if expected_token and req.api_token != expected_token:
+        raise HTTPException(401, "Invalid or missing api_token")
     if not verify_email_domain(req.email):
         raise HTTPException(400, "Invalid email domain")
     token = create_access_token({"sub": req.email})
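Review bot: `api_token` carries a shared secret but is declared as a plain `Optional[str]`, so it is printed in clear in the model's repr and in any log or validation error that echoes the parsed request body. Pydantic's `SecretStr` is masked in repr; `api_token: Optional[SecretStr] = None` would cover that, with the server-side comparison then reading `req.api_token.get_secret_value()`. `Optional` must also be in scope from `typing` in auth.py; the import block is outside the hunk, so I cannot tell whether it already is.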
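Review bot: The comment on the new `api_token` key describes only the set case; with the default `""` the check in `get_token` is skipped entirely, so the endpoint keeps issuing JWTs to any caller with an allowed email domain, and an operator reading this file could assume the opposite. Suggest `api_token: ""  # Shared secret required by POST /token. Empty (default) disables the check: any allowed email domain can obtain a JWT. If the deployment can inject config values, supply this from a secret source rather than committing it here.`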
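Review bot: `req.api_token != expected_token` compares the shared secret with ordinary string equality, which stops at the first differing character and so leaks how much of the token matched through response timing; a constant-time comparison is the usual fix. Because `req.api_token` defaults to `None` and `hmac.compare_digest` rejects `None`, the guard becomes `if expected_token and not (req.api_token and hmac.compare_digest(req.api_token, expected_token)):` with `import hmac` added at the top of server.py, outside the hunk. `compare_digest` on `str` arguments requires ASCII on both sides; if tokens may contain other characters, encode both to bytes first. Failed attempts are currently rejected silently; a log line on the 401 path would give defenders something to alert on. The body of `get_token` continues past the end of the hunk.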