diff --git a/packages/api/src/main.js b/packages/api/src/main.js
index 2b09c1e7a..3171aec00 100644
--- a/packages/api/src/main.js
+++ b/packages/api/src/main.js
@@ -31,6 +31,7 @@ const scheduler = require('./controllers/scheduler');
 const { rundir } = require('./utility/directories');
 const platformInfo = require('./utility/platformInfo');
 const processArgs = require('./utility/processArgs');
+const timingSafeCheckToken = require('./utility/timingSafeCheckToken');
 
 let authorization = null;
 let checkLocalhostOrigin = null;
@@ -56,7 +57,7 @@ function start() {
 }
 
 app.use(function (req, res, next) {
- if (authorization && req.headers.authorization != authorization) {
+ if (authorization && !timingSafeCheckToken(req.headers.authorization, authorization)) {
 return res.status(403).json({ error: 'Not authorized!' });
 }
 if (checkLocalhostOrigin) {
diff --git a/packages/api/src/utility/timingSafeCheckToken.js b/packages/api/src/utility/timingSafeCheckToken.js
new file mode 100644
index 000000000..bdfde432a
--- /dev/null
+++ b/packages/api/src/utility/timingSafeCheckToken.js
@@ -0,0 +1,9 @@
+const crypto = require('crypto');
+
+function timingSafeCheckToken(a, b) {
+ if (!a || !b) return false;
+ if (a.length != b.length) return false;
+ return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+module.exports = timingSafeCheckToken;
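Review bot: `a.length != b.length` compares JavaScript string lengths in UTF-16 code units, while `Buffer.from(a)` and `Buffer.from(b)` encode as UTF-8, so two strings with equal `.length` can produce buffers of different byte lengths and `crypto.timingSafeEqual` then throws a RangeError instead of returning false. At the call site in the main.js hunk `a` is the client-supplied Authorization header, so a header value of matching character length containing a non-ASCII character turns the intended 403 into a thrown error from the middleware. Hashing both inputs to fixed-length digests before the constant-time compare removes that throw, and as a side effect the early return no longer reveals the expected token's length. The guard should also reject non-string input explicitly rather than relying on `!a || !b`, and `!=` should be `!==` if the length check is kept.
```javascript
// … unchanged: require('crypto') …
function timingSafeCheckToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a === '' || b === '') return false;
  // Compare fixed-length digests: timingSafeEqual cannot throw on a
  // byte-length mismatch, and no early return reveals the token length.
  const digestA = crypto.createHash('sha256').update(a).digest();
  const digestB = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(digestA, digestB);
}
// … unchanged: module.exports …
```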