diff --git a/api/.env.example b/api/.env.example
index dfd8f53b..7a77e2a1 100644
--- a/api/.env.example
+++ b/api/.env.example
@@ -1,6 +1,11 @@
 # vi: ft=sh
 # shellcheck disable=SC2034
 
+# either an hard-coded secret to decode jwts or empty to use keibi's public secret.
+# this should only be used in tests
+JWT_SECRET=
+# keibi's server to retrive the public jwt secret
+AUHT_SERVER=http://auth:4568
 
 POSTGRES_USER=kyoo
 POSTGRES_PASSWORD=password
diff --git a/api/bun.lockb b/api/bun.lockb
index d58c717c..1af685df 100755
Binary files a/api/bun.lockb and b/api/bun.lockb differ
diff --git a/api/package.json b/api/package.json
index 1e3a9830..c75a936e 100644
--- a/api/package.json
+++ b/api/package.json
@@ -8,6 +8,7 @@
 		"test": "bun test"
 	},
 	"dependencies": {
+		"@elysiajs/jwt": "^1.1.1",
 		"@elysiajs/swagger": "^1.1.5",
 		"drizzle-kit": "^0.26.2",
 		"drizzle-orm": "^0.35.3",
diff --git a/api/src/index.ts b/api/src/index.ts
index bac98e54..51978e1e 100644
--- a/api/src/index.ts
+++ b/api/src/index.ts
@@ -3,10 +3,25 @@ import { swagger } from "@elysiajs/swagger";
 import { db } from "./db";
 import { migrate } from "drizzle-orm/node-postgres/migrator";
 import { movies } from "./controllers/movies";
+import jwt from "@elysiajs/jwt";
 
 await migrate(db, { migrationsFolder: "" });
 
+let secret = process.env.JWT_SECRET;
+if (!secret) {
+	const auth = process.env.AUTH_SERVER ?? "http://auth:4568";
+	const ret = await fetch(`${auth}/info`);
+	const info = await ret.json();
+	secret = info.publicKey;
+}
+
+if (!secret) {
+	console.error("missing jwt secret or auth server. exiting");
+	process.exit(1);
+}
+
 const app = new Elysia()
+	.use(jwt({ secret }))
 	.use(swagger())
 	.get("/", () => "Hello Elysia")
 	.use(movies)