diff --git a/cmd/main.go b/cmd/main.go
index b176bba..63a5205 100755
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -2,16 +2,11 @@ package main
 
 import (
 	"encoding/json"
-	"io"
 	"log"
 	"os"
-	"os/signal"
-	"syscall"
-	"time"
+	"sync"
 
-	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal"
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
 	"github.com/yusing/go-proxy/internal/api/v1/auth"
 	"github.com/yusing/go-proxy/internal/api/v1/favicon"
 	"github.com/yusing/go-proxy/internal/api/v1/query"
@@ -20,7 +15,7 @@ import (
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 	"github.com/yusing/go-proxy/internal/route/routes/routequery"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
@@ -84,6 +79,11 @@ func main() {
 			homepage.InitOverridesConfig,
 			favicon.InitIconCache,
 		)
+
+		if common.APIJWTSecret == nil {
+			logging.Warn().Msg("API_JWT_SECRET is not set, using random key")
+			common.APIJWTSecret = common.RandomJWTKey()
+		}
 	} else {
 		logging.DiscardLogger()
 	}
diff --git a/internal/common/crypto.go b/internal/common/crypto.go
index 6214a57..3dcc204 100644
--- a/internal/common/crypto.go
+++ b/internal/common/crypto.go
@@ -1,6 +1,7 @@
 package common
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 
 	"github.com/rs/zerolog/log"
@@ -16,3 +17,12 @@ func decodeJWTKey(key string) []byte {
 	}
 	return bytes
 }
+
+func RandomJWTKey() []byte {
+	key := make([]byte, 32)
+	_, err := rand.Read(key)
+	if err != nil {
+		log.Panic().Err(err).Msg("failed to generate random jwt key")
+	}
+	return key
+}