diff --git a/auth.lua b/auth.lua
index 7b28f06..1a76049 100644
--- a/auth.lua
+++ b/auth.lua
@@ -1,10 +1,6 @@
 local openidc = require("resty.openidc")
 local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
-if not client_secret then
- ngx.log(ngx.ERR, "Missing KEYCLOAK_CLIENT_SECRET env variable")
- ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-end
 local opts = {
 redirect_uri_path = "/redirect_uri",
@@ -24,6 +20,15 @@ if err then
 ngx.exit(ngx.HTTP_FORBIDDEN)
 end
+-- Check if token has expired
+if res.id_token and res.id_token.exp then
+ local now = ngx.time()
+ if res.id_token.exp < now then
+ ngx.log(ngx.ERR, "Token expired")
+ ngx.exit(ngx.HTTP_UNAUTHORIZED)
+ end
+end
+
 ngx.req.set_header("X-User", res.user.preferred_username or "")
 ngx.req.set_header("X-Email", res.user.email or "")
-ngx.status = 204 -- empty but valid response to avoid ERR_INVALID_RESPONSE
+ngx.status = 204
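Review bot: With the guard after `os.getenv("KEYCLOAK_CLIENT_SECRET")` removed, a missing secret is no longer caught in the first hunk, and `client_secret` can reach the rest of the script as nil. The `opts` table continues outside the hunk, so I am assuming the value is passed to the OpenID Connect call there; if so, a misconfigured deployment now fails later and less legibly (or, for a client that does not require a secret, not at all) instead of stopping with a clear log line. I would keep a fail-closed check and have it cover the empty string as well: `if not client_secret or client_secret == "" then`, followed by the original log call and `ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)`.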
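Review bot: The expiry check added in the second hunk fails open: because it is wrapped in `if res.id_token and res.id_token.exp then`, a result with no `id_token` or no `exp` claim skips the check and the request goes on to have `X-User` and `X-Email` set. If the intent is to enforce expiry, treat a missing or non-numeric claim as expired, e.g. `local exp = res.id_token and tonumber(res.id_token.exp)` and `if not exp or exp < ngx.time() then`. The call that produces `res` is outside the hunk, so whatever validation already ran there is not visible; if an absent `id_token` is legitimate in this configuration, the comment above the check should say so. An expired token is also a routine event rather than a server fault, so `ngx.WARN` with the token subject in the message would suit it better than a bare `ngx.ERR` line.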