diff --git a/src/db.ts b/src/db.ts
index a099f03..92fd9bc 100644
--- a/src/db.ts
+++ b/src/db.ts
@@ -21,6 +21,8 @@ import { id } from "./util";
 export async function ensureAdminUser(env: Env): Promise {
 const existing = await env.DB.prepare("SELECT id FROM users WHERE username = ?").bind(env.ADMIN_USERNAME).first<{ id: string }>();
 if (existing) return;
+ const adminPassword = env.ADMIN_PASSWORD;
+ if (!adminPassword?.trim()) throw new Error("ADMIN_PASSWORD secret is required before creating the admin user");
 const keyPair = await crypto.subtle.generateKey(
 { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
@@ -34,7 +36,7 @@ export async function ensureAdminUser(env: Env): Promise {
 await env.DB.prepare(
 "INSERT OR IGNORE INTO users (id, username, display_name, note, password_hash, private_key_jwk, public_key_jwk, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
 )
- .bind(id(), env.ADMIN_USERNAME, env.ADMIN_USERNAME, "", await hashPassword(env.ADMIN_PASSWORD), JSON.stringify(privateKey), JSON.stringify(publicKey), now)
+ .bind(id(), env.ADMIN_USERNAME, env.ADMIN_USERNAME, "", await hashPassword(adminPassword), JSON.stringify(privateKey), JSON.stringify(publicKey), now)
 .run();
 }
diff --git a/wrangler.jsonc b/wrangler.jsonc
index b4ab932..dbe7428 100644
--- a/wrangler.jsonc
+++ b/wrangler.jsonc
@@ -9,6 +9,9 @@
 "ADMIN_USERNAME": "sun"
 //"ADMIN_PASSWORD": "change-me-before-deploy"
 },
+ "secrets": {
+ "required": ["ADMIN_PASSWORD"]
+ },
 "d1_databases": [
 {
 "binding": "DB",
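Review bot: The guard added in the first hunk of src/db.ts rejects only a missing or whitespace-only `ADMIN_PASSWORD`, so a one-character secret or the old placeholder `change-me-before-deploy` from wrangler.jsonc would still be hashed and become the admin credential. Consider a length floor as well, for example `if (!adminPassword || adminPassword.trim().length < MIN_ADMIN_PASSWORD_LENGTH) throw new Error(...)`, where `MIN_ADMIN_PASSWORD_LENGTH` is a constant you would define next to the function, plus an explicit rejection of the placeholder string. A short comment above the guard, such as `// Fail closed: never create the admin row without an operator-supplied secret`, would record why it sits after the existing-user early return. The body of ensureAdminUser continues past the end of this hunk.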
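Review bot: In the second hunk of src/db.ts, `hashPassword(adminPassword)` hashes the raw secret while the guard added in the first hunk validates `adminPassword.trim()`, so a secret saved with a trailing newline or space passes the check and is hashed with that whitespace included. Whether the login path trims its input is not visible here, so the stored hash may not match what the operator later types. Either reject such values up front with `if (adminPassword !== adminPassword.trim()) throw new Error("ADMIN_PASSWORD must not have leading or trailing whitespace");` or document above the `.bind(...)` call that the value is hashed exactly as supplied. The start of ensureAdminUser lies outside this hunk.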
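Review bot: The commented-out `//"ADMIN_PASSWORD": "change-me-before-deploy"` left in `vars` just above the new `secrets` block still invites someone to uncomment it and commit a plaintext password to the repository. Replace it with a pointer such as `// ADMIN_PASSWORD is a secret: set it with "wrangler secret put ADMIN_PASSWORD", never in vars`. Whether `secrets.required` is enforced presumably depends on the Wrangler version in use, so the runtime check in src/db.ts should be treated as the actual enforcement. The enclosing config object starts and ends outside this hunk.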