diff --git a/moonraker/components/authorization.py b/moonraker/components/authorization.py
index 929f44853..1ff7d0133 100644
--- a/moonraker/components/authorization.py
+++ b/moonraker/components/authorization.py
@@ -9,6 +9,7 @@ import base64
 import uuid
 import hashlib
+import hmac
 import secrets
 import os
 import time
@@ -703,7 +704,7 @@ def validate_jwt(self, token: str) -> UserInfo:
     def validate_api_key(self, api_key: str) -> UserInfo:
         if not self.enable_api_key:
             raise self.server.error("API Key authentication is disabled", 401)
-        if api_key and api_key == self.api_key:
+        if api_key and self.api_key and hmac.compare_digest(api_key, self.api_key):
             return self.users[API_USER]
         raise self.server.error("Invalid API Key", 401)
 
@@ -875,7 +876,7 @@ async def authenticate_request(
         # Check API Key Header
         if self.enable_api_key:
             key: Optional[str] = request.headers.get("X-Api-Key")
-            if key and key == self.api_key:
+            if key and self.api_key and hmac.compare_digest(key, self.api_key):
                 return self.users[API_USER]
         # If the force_logins option is enabled and at least one user is created
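Review bot: The new `hmac.compare_digest(api_key, self.api_key)` call in validate_api_key is passed two `str` values, and for `str` arguments `compare_digest` raises `TypeError` when either side contains a non-ASCII character, so a client-supplied key such as the `X-Api-Key` header value in the authenticate_request hunk (which, depending on how the framework decodes header bytes, can carry non-ASCII text) would surface as an unhandled exception instead of the intended 401. Comparing as bytes removes that input-dependent failure mode: `if api_key and self.api_key and hmac.compare_digest(api_key.encode(), self.api_key.encode()):` here, and likewise `if key and self.api_key and hmac.compare_digest(key.encode(), self.api_key.encode()):` in the authenticate_request hunk. The `self.api_key and` guard is a good addition because `compare_digest` also raises on mismatched types, so keep it in front of the call. Since the two hunks now duplicate the same comparison, a small private helper such as `_api_key_matches(candidate)` that performs the encoding and constant-time compare would keep both call sites consistent; authenticate_request begins and ends outside its hunk.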