diff --git a/internal/api/v1/auth/oidc.go b/internal/api/v1/auth/oidc.go
index 125c6083..2643a990 100644
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@@ -197,7 +197,7 @@ func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Reque
 MaxAge: 300,
 HttpOnly: true,
 SameSite: http.SameSiteLaxMode,
- Secure: r.TLS != nil,
+ Secure: common.APIJWTSecure,
 Path: "/",
 })
 
diff --git a/internal/api/v1/auth/utils.go b/internal/api/v1/auth/utils.go
index bd7f9a84..db0501df 100644
--- a/internal/api/v1/auth/utils.go
+++ b/internal/api/v1/auth/utils.go
@@ -5,6 +5,7 @@ import (
 "net/http"
 "time"
 
+ "github.com/yusing/go-proxy/internal/common"
 "github.com/yusing/go-proxy/internal/gperr"
 "github.com/yusing/go-proxy/internal/utils/strutils"
 )
@@ -43,7 +44,7 @@ func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string,
 MaxAge: int(ttl.Seconds()),
 Domain: cookieFQDN(r),
 HttpOnly: true,
- Secure: r.TLS != nil,
+ Secure: common.APIJWTSecure,
 SameSite: http.SameSiteLaxMode,
 Path: "/",
 })
@@ -56,6 +57,7 @@ func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
 MaxAge: -1,
 Domain: cookieFQDN(r),
 HttpOnly: true,
+ Secure: common.APIJWTSecure,
 SameSite: http.SameSiteLaxMode,
 Path: "/",
 })
diff --git a/internal/common/env.go b/internal/common/env.go
index 75f33dcb..9df4cb77 100644
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -36,6 +36,7 @@ var (
 
 PrometheusEnabled = GetEnvBool("PROMETHEUS_ENABLED", false)
 
+ APIJWTSecure = GetEnvBool("API_JWT_SECURE", true)
 APIJWTSecret = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
 APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
 APIUser = GetEnvString("API_USER", "admin")
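Review bot: Replacing `r.TLS != nil` with the bare flag on the OIDC state cookie's `Secure` line makes the flag override what the connection actually shows: when an operator sets API_JWT_SECURE=false, a request that really did arrive over TLS now gets a non-Secure cookie, which the old code never did; and with the default of true, a plain-HTTP deployment (local testing without a TLS terminator) has the state cookie rejected by the browser, so the OIDC callback's state check fails with no hint as to why. Keeping the flag as an opt-out for plaintext-only setups while still honouring a real TLS connection is one line: `Secure: common.APIJWTSecure || r.TLS != nil`. The motivation for dropping the `r.TLS` check is presumably TLS termination in front of the proxy, where `r.TLS` is nil; the OR form covers that case too. The same change applies to the `Secure` lines in setTokenCookie and clearTokenCookie in utils.go. RedirectLoginPage begins outside the hunk.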
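Review bot: `APIJWTSecure` is added to the exported var block without a doc comment, and its name undersells its scope: the same flag now drives the `Secure` attribute of the OIDC state cookie in oidc.go as well as the JWT session cookie in utils.go, and turning it off weakens all of them. A comment on the line would tell an operator what the knob costs, e.g. `// APIJWTSecure sets the Secure attribute on the auth cookies (JWT session and OIDC state). Defaults to true; set API_JWT_SECURE=false only when the API is served over plain HTTP, which lets the cookies travel in cleartext.` The enclosing `var (` block starts outside the hunk.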