diff --git a/package.json b/package.json
index 3800000a..b6f86710 100644
--- a/package.json
+++ b/package.json
@@ -9,6 +9,7 @@
 "blinking": "~0.0.2",
 "bluebird": "^2.9.24",
 "body-parser": "^1.12.0",
+ "buffer-equal-constant-time": "^1.0.1",
 "coffee-script": "~1.9.1",
 "docker-progress": "^2.0.1",
 "dockerode": "~2.2.9",
@@ -22,8 +23,8 @@
 "pinejs-client": "^1.7.1",
 "pubnub": "^3.7.13",
 "request": "^2.51.0",
- "resin-register-device": "^2.0.0",
 "request-progress": "^0.3.1",
+ "resin-register-device": "^2.0.0",
 "rwlock": "^5.0.0",
 "sqlite3": "3.0.9",
 "typed-error": "~0.1.0"
diff --git a/src/api.coffee b/src/api.coffee
index 9f6d8d9a..53b188c0 100644
--- a/src/api.coffee
+++ b/src/api.coffee
@@ -4,6 +4,7 @@ utils = require './utils'
 knex = require './db'
 express = require 'express'
 bodyParser = require 'body-parser'
+bufferEq = require 'buffer-equal-constant-time'
 request = require 'request'
 config = require './config'
 device = require './device'
@@ -24,7 +25,7 @@ module.exports = (application) ->
 api.use (req, res, next) ->
 utils.getOrGenerateSecret('api')
 .then (secret) ->
- if req.query.apikey is secret
+ if bufferEq(new Buffer(req.query.apikey), new Buffer(secret))
 next()
 else
 res.sendStatus(401)
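Review bot: The new comparison on the `+ if bufferEq(new Buffer(req.query.apikey), new Buffer(secret))` line throws a TypeError when a request carries no `apikey` at all (or one the query parser turned into an object, e.g. `?apikey[x]=y`), because `new Buffer(undefined)` rejects its argument, whereas the old `is secret` check simply fell through to the 401. The throw happens inside the `.then` callback and so rejects the Bluebird chain; no `.catch` is visible in this hunk, so unless one exists further down the request would be left hanging with an unhandled rejection instead of being denied. Guard the type before converting: `if typeof req.query.apikey is 'string' and bufferEq(new Buffer(req.query.apikey), new Buffer(secret))`. Note also that buffer-equal-constant-time returns early on a length mismatch, so only the byte comparison is constant-time — fine for a generated fixed-length secret, but worth a one-line comment such as `# constant-time compare; length of the secret is still observable`. The enclosing middleware body continues past the end of the hunk.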