diff --git a/src/api/auth.js b/src/api/auth.js
index 4457992..97ce031 100644
--- a/src/api/auth.js
+++ b/src/api/auth.js
@@ -5,7 +5,9 @@
 // ─────────────────────────────────────────────────────────────────────────────
 import { BASE_URL } from 'src/config/erpnext'
 
-const SERVICE_TOKEN = 'b273a666c86d2d0:06120709db5e414'
+// Service token injected at build time via VITE_ERP_TOKEN env var
+// Fallback: read from window.__ERP_TOKEN__ (set by server-side injection)
+const SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || window.__ERP_TOKEN__ || ''
 
 export function authFetch (url, opts = {}) {
   opts.headers = { ...opts.headers, Authorization: 'token ' + SERVICE_TOKEN }
diff --git a/src/stores/auth.js b/src/stores/auth.js
index 41db883..1a39755 100644
--- a/src/stores/auth.js
+++ b/src/stores/auth.js
@@ -9,7 +9,7 @@ import { ref } from 'vue'
 import { BASE_URL } from 'src/config/erpnext'
 
 // Service token for ERPNext API — all dispatch API calls use this
-const ERP_SERVICE_TOKEN = 'b273a666c86d2d0:06120709db5e414'
+const ERP_SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || window.__ERP_TOKEN__ || ''
 
 export const useAuthStore = defineStore('auth', () => {
   const user    = ref(null)