diff --git a/api/src/config.js b/api/src/config.js
index 3a28d7ce..02584212 100644
--- a/api/src/config.js
+++ b/api/src/config.js
@@ -54,6 +54,10 @@ const env = {
 const genericUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36";
 const cobaltUserAgent = `cobalt/${version} (+https://github.com/imputnet/cobalt)`;
 
+if (env.sessionEnabled && env.jwtSecret.length < 16) {
+    throw new Error("JWT_SECRET env is too short (must be at least 16 characters long)");
+}
+
 export {
     env,
     genericUserAgent,