diff --git a/apps/server/src/services/etapi_tokens.ts b/apps/server/src/services/etapi_tokens.ts
index 304691c7d..30beb5517 100644
--- a/apps/server/src/services/etapi_tokens.ts
+++ b/apps/server/src/services/etapi_tokens.ts
@@ -85,13 +85,14 @@ function isValidAuthHeader(auth: string | undefined) {
         return constantTimeCompare(etapiToken.tokenHash, authTokenHash);
     } else {
+        // Check ALL tokens to prevent timing attacks - do not short-circuit
+        let isValid = false;
         for (const etapiToken of becca.getEtapiTokens()) {
             if (constantTimeCompare(etapiToken.tokenHash, authTokenHash)) {
-                return true;
+                isValid = true;
             }
         }
-
-        return false;
+        return isValid;
     }
 }
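Review bot: The no-short-circuit property of the new loop rests entirely on the `constantTimeCompare(...)` call sitting inside the `if` condition, and the added comment does not warn that the obvious "simplifications" — `isValid ||= constantTimeCompare(...)`, `isValid = isValid || ...`, or `.some(...)` — all reintroduce the early exit that this commit removes. I would make the accumulation unconditional so the intent is enforced by the shape of the code rather than by the comment: replace the `if` block with `isValid = constantTimeCompare(etapiToken.tokenHash, authTokenHash) || isValid;` (the compare is the left operand, so it always runs), and extend the comment with `// NOTE: keep the compare as the LEFT operand — "isValid || compare(...)" or "||=" would short-circuit again`. The remaining timing signal is only the token count, which is not per-request secret; whether `constantTimeCompare` itself leaks on unequal-length inputs is not visible here and worth a separate look. `isValidAuthHeader` starts before this hunk, and the `if` branch that ends with the visible `return constantTimeCompare(...)` (single-token lookup) is outside it.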