diff --git a/Cargo.lock b/Cargo.lock
index 9309d1a9..ba35d84b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -95,6 +95,7 @@ dependencies = [
 "serde_json",
 "serde_urlencoded",
 "sqlx",
+ "subtle",
 "tokio",
 "tower 0.4.13",
 "tower-http",
diff --git a/crates/api/Cargo.toml b/crates/api/Cargo.toml
index d2f883d7..e1f99425 100644
--- a/crates/api/Cargo.toml
+++ b/crates/api/Cargo.toml
@@ -26,3 +26,4 @@ reverse-proxy-service = { version = "0.2.1", features = ["axum"] }
 serde_urlencoded = "0.7.1"
 tower = "0.4.13"
 tower-http = { version = "0.5.2", features = ["catch-panic"] }
+subtle = "2.6.1"
diff --git a/crates/api/src/middleware/auth.rs b/crates/api/src/middleware/auth.rs
index 08981c3a..3d1d813b 100644
--- a/crates/api/src/middleware/auth.rs
+++ b/crates/api/src/middleware/auth.rs
@@ -5,6 +5,8 @@ use axum::{
 response::Response,
 };
+use subtle::ConstantTimeEq;
+
 use tracing::error;
 use crate::auth::AuthState;
@@ -48,9 +50,10 @@ pub async fn auth(State(ctx): State, mut req: Request, next: Next) -
 .expect("missing api config")
 .temp_token2
 .as_ref()
- // this is NOT how you validate tokens
- // but this is low abuse risk so we're keeping it for now
- && app_auth_header == config_token2
+ && app_auth_header
+ .as_bytes()
+ .ct_eq(config_token2.as_bytes())
+ .into()
 {
 authed_app_id = Some(1);
 }
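Review bot: The new `app_auth_header.as_bytes().ct_eq(config_token2.as_bytes()).into()` comparison in the second auth.rs hunk is constant-time only for inputs of equal length — `ConstantTimeEq` for byte slices returns a zero `Choice` as soon as the lengths differ — so it equalises timing among same-length candidates but still reveals whether the presented value has the configured token's length. That is the usual and acceptable trade-off for an opaque token, but it deserves a line next to the call, e.g. `// ct_eq is constant-time only for equal-length inputs; the token length is not treated as secret`. The commit also deletes the `this is NOT how you validate tokens` caveat, yet what remains is still a single static shared secret from config (`temp_token2`) that grants the hard-coded `authed_app_id = Some(1)`, so the non-timing part of that caveat still applies and I would keep it rather than let the constant-time compare read as a full fix. The enclosing `auth` function begins before this hunk and continues after it.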