diff --git a/backend/middleware/auth.js b/backend/middleware/auth.js
index b4c750f..e596082 100644
--- a/backend/middleware/auth.js
+++ b/backend/middleware/auth.js
@@ -1,6 +1,9 @@
 const jwt = require('jsonwebtoken');
-const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-in-production';
+if (!process.env.JWT_SECRET) {
+ throw new Error('JWT_SECRET environment variable is required');
+}
+const JWT_SECRET = process.env.JWT_SECRET;
 function authenticateToken(req, res, next) {
 const authHeader = req.headers['authorization'];
diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 818c195..cd6728f 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -4,7 +4,10 @@ const { JWT_SECRET, authenticateToken } = require('../middleware/auth');
 const router = express.Router();
-const ADMIN_KEY = process.env.ADMIN_KEY || 'admin123';
+if (!process.env.ADMIN_KEY) {
+ throw new Error('ADMIN_KEY environment variable is required');
+}
+const ADMIN_KEY = process.env.ADMIN_KEY;
 // Login with admin key
 router.post('/login', (req, res) => {
diff --git a/docker-compose.yml b/docker-compose.yml
index 93d53ec..db52417 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,8 +9,8 @@ services:
 - PORT=5000
 - NODE_ENV=production
 - DB_PATH=/app/data/jackbox.db
- - JWT_SECRET=${JWT_SECRET:-change-me-in-production}
- - ADMIN_KEY=${ADMIN_KEY:-admin123}
+ - JWT_SECRET=${JWT_SECRET:?JWT_SECRET is required}
+ - ADMIN_KEY=${ADMIN_KEY:?ADMIN_KEY is required}
 - DEBUG=false
 volumes:
 - jackbox-data:/app/data
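Review bot: The new guard in backend/middleware/auth.js rejects only an unset or empty JWT_SECRET, so an environment that still carries a former placeholder (`your-secret-key-change-in-production`, or `change-me-in-production` from the compose file) or a very short value starts normally and keeps signing with a guessable key. Consider a minimum length as well, e.g. `if (!process.env.JWT_SECRET || process.env.JWT_SECRET.length < 32) {` (32 assumes an HMAC-SHA256 signature, which is not visible in this hunk), and reject the former defaults by value. The same gap applies to the ADMIN_KEY check in backend/routes/auth.js (former default `admin123`) and to the `:?` interpolation in docker-compose.yml. Tokens issued under the old default remain verifiable until the secret is actually rotated, which is worth stating in the commit description.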
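Review bot: The fail-fast check in backend/routes/auth.js repeats the one in backend/middleware/auth.js line for line, so any later tightening of the validation has to be made in two places. A small shared helper that reads a variable, throws the same `... environment variable is required` error and returns the value would reduce this hunk to `const ADMIN_KEY = requireEnv('ADMIN_KEY');` (`requireEnv` is a proposed name, not an existing function). Because the throw runs at require time, any script or test that imports this router now needs the variable set; a one-line comment above the check such as `// Fail at startup: no default admin key is provided` would make that intent explicit. The `/login` handler body lies outside the hunk, so how ADMIN_KEY is compared cannot be reviewed here.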
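Review bot: With `${JWT_SECRET:?...}` and `${ADMIN_KEY:?...}`, Compose aborts interpolation whenever either variable is unset or empty, and the file gives no hint where the values are expected to come from. A comment above the two entries, such as `# Required: set JWT_SECRET and ADMIN_KEY in .env or the calling shell; no defaults are provided`, would save operators a failed start. The values are still passed as plain environment variables, so they remain readable through container inspection. Moving them to Compose `secrets:` would need a matching change in the backend, which reads `process.env`. The `services` block continues outside the hunk.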