diff --git a/api/components/Tokens/Component.php b/api/components/Tokens/Component.php
index 8872e7c..ec19bbf 100644
--- a/api/components/Tokens/Component.php
+++ b/api/components/Tokens/Component.php
@@ -8,6 +8,7 @@ use Exception;
 use Lcobucci\JWT\Builder;
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Token;
+use Webmozart\Assert\Assert;
 use yii\base\Component as BaseComponent;
 class Component extends BaseComponent {
@@ -39,6 +40,13 @@ class Component extends BaseComponent {
 */
 private $algorithmManager;
+ public function init(): void {
+ parent::init();
+ Assert::notEmpty($this->hmacKey, 'hmacKey must be set');
+ Assert::notEmpty($this->privateKeyPath, 'privateKeyPath must be set');
+ Assert::notEmpty($this->publicKeyPath, 'publicKeyPath must be set');
+ }
+
 public function create(array $payloads = [], array $headers = []): Token {
 $now = Carbon::now();
 $builder = (new Builder())
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 9d1a6a0..851cf7a 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -27,6 +27,8 @@ services:
 - db
 - redis
 env_file: .env
+ volumes:
+ - certs-storage:/var/www/html/data/certs
 networks:
 default:
 aliases:
@@ -71,6 +73,14 @@ services:
 volumes:
 - ./data/redis:/data
+volumes:
+ certs-storage:
+ driver: local
+ driver_opts:
+ type: none
+ device: $PWD/data/certs
+ o: bind
+
 networks:
 nginx-proxy:
 external:
diff --git a/docker/php/docker-entrypoint.sh b/docker/php/docker-entrypoint.sh
index 7898d21..9cf1d5e 100755
--- a/docker/php/docker-entrypoint.sh
+++ b/docker/php/docker-entrypoint.sh
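Review bot: In `api/components/Tokens/Component.php`, the new `init()` only rejects empty values, so a very short `hmacKey`, or a `privateKeyPath`/`publicKeyPath` that points at a missing or unreadable file, still passes and the failure surfaces only when a token is signed or parsed. Since these three values guard token signing, I would also check the key files at start-up, e.g. `Assert::fileExists($this->privateKeyPath, 'privateKeyPath must point to an existing file');` and the same for `publicKeyPath` (resolve the path first if it can be a Yii alias, which this hunk does not show). A minimum `hmacKey` length suited to the HMAC algorithm in use could be enforced with `Assert::minLength`. `init()` is complete within the hunk; the rest of the class lies outside it.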
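Review bot: In the second `docker-compose.prod.yml` hunk, `device: $PWD/data/certs` ties the bind to the directory compose is started from, and a `type: none` / `o: bind` local volume needs that host directory to exist already; otherwise the service that mounts `certs-storage` in the first hunk fails to start. The directory will hold the JWT signing key generated by the entrypoint, so its host permissions should be limited to the account that runs the containers. A comment above `certs-storage:` would document both points, for example `# data/certs holds the JWT key pair: create it before the first start and restrict host permissions`.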
@@ -31,6 +31,14 @@ fi
 # Fix permissions for cron tasks
 chmod 644 /etc/cron.d/*
+JWT_PRIVATE_PEM_LOCATION="/var/www/html/data/certs/private.pem"
+JWT_PUBLIC_PEM_LOCATION="/var/www/html/data/certs/public.pem"
+if [ ! -f "$JWT_PRIVATE_PEM_LOCATION" ] ; then
+ echo "There is no private key. Generating the new one."
+ openssl ecparam -name prime256v1 -genkey -noout -out "$JWT_PRIVATE_PEM_LOCATION"
+ openssl ec -in "$JWT_PRIVATE_PEM_LOCATION" -pubout -out "$JWT_PUBLIC_PEM_LOCATION"
+fi
+
 if [ "$1" = "crond" ] ; then
 # see: https://github.com/dubiousjim/dcron/issues/13
 # ignore using `exec` for `dcron` to get another pid instead of `1`
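Review bot: The added block in `docker-entrypoint.sh` tests only for `private.pem`, so a missing or empty `public.pem`, or a private key left half-written by a failed `openssl` run, is never repaired on later starts. Generating under a temporary name and checking each file separately, as sketched below, avoids that; whether the script already runs under `set -e` is not visible in this hunk. The mode and owner of `private.pem` are also left to openssl's defaults and the entrypoint's umask, so set them explicitly so that only the user PHP runs as can read the signing key. If more than one container shares this volume and runs the same entrypoint (the `crond` branch that follows suggests it may), two simultaneous first starts could each write a key, which is worth guarding against or documenting.

```shell
# … unchanged: JWT_PRIVATE_PEM_LOCATION / JWT_PUBLIC_PEM_LOCATION assignments …
if [ ! -s "$JWT_PRIVATE_PEM_LOCATION" ] ; then
    echo "There is no private key. Generating the new one."
    # Generate under a temporary name so a failed run cannot leave a partial key in place
    openssl ecparam -name prime256v1 -genkey -noout -out "$JWT_PRIVATE_PEM_LOCATION.tmp" || exit 1
    mv "$JWT_PRIVATE_PEM_LOCATION.tmp" "$JWT_PRIVATE_PEM_LOCATION"
fi
if [ ! -s "$JWT_PUBLIC_PEM_LOCATION" ] ; then
    # The public key is derived from the private one, so it can be rebuilt on its own
    openssl ec -in "$JWT_PRIVATE_PEM_LOCATION" -pubout -out "$JWT_PUBLIC_PEM_LOCATION" || exit 1
fi
```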