diff --git a/src/auth.ts b/src/auth.ts
index 801afea..b7a1d73 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -4,7 +4,25 @@ import { genericOAuth } from "better-auth/plugins";
 import { db } from "@/db/index";
 import * as schema from "@/db/schema";
 
+// Validate required environment variables
+if (!process.env.BETTER_AUTH_SECRET) {
+  throw new Error("BETTER_AUTH_SECRET is required");
+}
+if (!process.env.BETTER_AUTH_URL) {
+  throw new Error("BETTER_AUTH_URL is required");
+}
+if (!process.env.AUTH_AUTHENTIK_CLIENT_ID) {
+  throw new Error("AUTH_AUTHENTIK_CLIENT_ID is required");
+}
+if (!process.env.AUTH_AUTHENTIK_CLIENT_SECRET) {
+  throw new Error("AUTH_AUTHENTIK_CLIENT_SECRET is required");
+}
+if (!process.env.AUTH_AUTHENTIK_ISSUER) {
+  throw new Error("AUTH_AUTHENTIK_ISSUER is required");
+}
+
 export const auth = betterAuth({
+  secret: process.env.BETTER_AUTH_SECRET,
 	baseURL: process.env.BETTER_AUTH_URL,
 	database: drizzleAdapter(db, {
 		provider: "pg",
@@ -15,8 +33,8 @@ export const auth = betterAuth({
 			config: [
 				{
 					providerId: "authentik",
-					clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID!,
-					clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET!,
+					clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
+					clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
 					discoveryUrl: `${process.env.AUTH_AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
 					scopes: ["openid", "email", "profile"],
 				},