diff --git a/internal/api/v1/auth/auth.go b/internal/api/v1/auth/auth.go
index 40e70899..bbbd6c33 100644
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -90,7 +90,7 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
 }
 func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
- if common.IsDebugSkipAuth {
+ if common.IsDebugSkipAuth || common.APIJWTSecret == nil {
 return next
 }
diff --git a/internal/common/crypto.go b/internal/common/crypto.go
index f4e9c0b9..367025bf 100644
--- a/internal/common/crypto.go
+++ b/internal/common/crypto.go
@@ -23,6 +23,9 @@ func generateJWTKey(size int) string {
 }
 func decodeJWTKey(key string) []byte {
+ if key == "" {
+ return nil
+ }
 bytes, err := base64.StdEncoding.DecodeString(key)
 if err != nil {
 log.Panic().Err(err).Msg("failed to decode jwt key")
diff --git a/internal/common/env.go b/internal/common/env.go
index de0b096f..6a3475b3 100644
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -33,12 +33,18 @@ var (
 APIHTTPPort, APIHTTPURL = GetAddrEnv("GOPROXY_API_ADDR", "127.0.0.1:8888", "http")
- APIJWTSecret = decodeJWTKey(GetEnv("GOPROXY_API_JWT_SECRET", generateJWTKey(32)))
+ APIJWTSecret = decodeJWTKey(GetEnv("GOPROXY_API_JWT_SECRET", ""))
 APIJWTTokenTTL = GetDurationEnv("GOPROXY_API_JWT_TOKEN_TTL", time.Hour)
 APIUser = GetEnv("GOPROXY_API_USER", "admin")
 APIPasswordHash = HashPassword(GetEnv("GOPROXY_API_PASSWORD", "password"))
 )
+func init() {
+ if APIJWTSecret == nil {
+ log.Warn().Msg("API JWT secret is empty, authentication is disabled")
+ }
+}
+
 func GetEnvBool(key string, defaultValue bool) bool {
 value, ok := os.LookupEnv(key)
 if !ok || value == "" {
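Review bot: The new `common.APIJWTSecret == nil` branch in RequireAuth (internal/api/v1/auth/auth.go) makes the API fail open: an unset GOPROXY_API_JWT_SECRET, which before this commit fell back to a generated key, now returns `next` unwrapped for every route guarded by this middleware. A missing secret is more likely a deployment omission than a decision, and the explicit opt-out `common.IsDebugSkipAuth` already covers the intentional case, so I would keep the condition as `if common.IsDebugSkipAuth {` and let a nil secret reject requests or stop startup instead. If the bypass has to stay, it deserves a comment such as `// SECURITY: no JWT secret configured means every wrapped handler is served unauthenticated`. RequireAuth's body continues outside the hunk.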
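Review bot: In decodeJWTKey (internal/common/crypto.go) the added guard only recognises the exactly empty string, so a non-empty value that decodes to zero or a handful of bytes still comes back as a non-nil key and turns authentication on with a secret far weaker than the 32 bytes the old default generated. Since `APIJWTSecret == nil` is now the switch between auth and no auth, the decoded length should be validated after the error check, for example `if len(bytes) < 32 { log.Panic().Msg("jwt key too short") }`. The minimum is my assumption based on the previous `generateJWTKey(32)` default, and the function's tail is outside the hunk.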
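Review bot: The warning added in init() (internal/common/env.go) is the only trace that the API is running without authentication, and it names neither the variable to set nor the address being served. Something like `log.Warn().Str("addr", APIHTTPURL).Msg("GOPROXY_API_JWT_SECRET is not set, API authentication is disabled")` gives operators and log-based alerting something to match on (this assumes APIHTTPURL is a string). The default bind visible in this block is 127.0.0.1:8888, so it would also be worth refusing to start, rather than warning, when GOPROXY_API_ADDR points at a non-loopback address and no secret is set. With the new default, generateJWTKey appears to lose its only caller visible here.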