diff --git a/README.md b/README.md
index 7218534..0e0b490 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ Here is our [Demo Application](https://docs-demo.codex.so/) where you can try Co
 git clone https://github.com/codex-team/codex.docs
 ```
-### 2. Fill the appConfig
+### 2. Fill the config
 Read about available [configuration](https://docs.codex.so/configuration) options.
diff --git a/app-config.yaml b/app-config.yaml
index 71284f9..3eace66 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -1,7 +1,7 @@
 port: 4000
 host: "localhost"
 uploads: "./uploads"
-
+password: secretpassword
 frontend:
 title: "CodeX Docs"
 description: "A block-styled editor with clean JSON output"
diff --git a/src/backend/routes/auth.ts b/src/backend/routes/auth.ts
index 455ff6f..e3abdb9 100644
--- a/src/backend/routes/auth.ts
+++ b/src/backend/routes/auth.ts
@@ -22,7 +22,7 @@ router.get('/auth', csrfProtection, function (req: Request, res: Response) {
 */
 router.post('/auth', parseForm, csrfProtection, async (req: Request, res: Response) => {
 try {
- if (!process.env.PASSWORD) {
+ if (!appConfig.password) {
 res.render('auth', {
 title: 'Login page',
 header: 'Password not set',
@@ -32,7 +32,7 @@ router.post('/auth', parseForm, csrfProtection, async (req: Request, res: Respon
 return;
 }
- if (req.body.password !== process.env.PASSWORD) {
+ if (req.body.password !== appConfig.password) {
 res.render('auth', {
 title: 'Login page',
 header: 'Wrong password',
@@ -46,7 +46,7 @@ router.post('/auth', parseForm, csrfProtection, async (req: Request, res: Respon
 iss: 'Codex Team',
 sub: 'auth',
 iat: Date.now(),
- }, process.env.PASSWORD + appConfig.auth.secret);
+ }, appConfig.password + appConfig.auth.secret);
 res.cookie('authToken', token, {
 httpOnly: true,
diff --git a/src/backend/routes/middlewares/token.ts b/src/backend/routes/middlewares/token.ts
index c455b8c..f8d4ded 100644
--- a/src/backend/routes/middlewares/token.ts
+++ b/src/backend/routes/middlewares/token.ts
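Review bot: `+password: secretpassword` puts a working admin password into the committed app-config.yaml, so every checkout deployed without editing this line accepts the same publicly known credential, and the value is now also part of the JWT signing key that auth.ts derives from `password + auth.secret`. The auth route in this commit treats a falsy `appConfig.password` as 'Password not set' and refuses logins, so the safe committed value is `password: ""` with a comment such as `# Admin panel password; set per deployment, never commit a real value`. If the config loader supports environment-variable substitution that is the better home for it, but the loader is not visible in this diff.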
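Review bot: `if (req.body.password !== appConfig.password)` rejects a wrong password with an ordinary string comparison, which short-circuits at the first differing character and so leaks timing information about the admin password, the only authentication factor for this panel. Compare through `crypto.timingSafeEqual` on equal-length buffers instead, treating a non-string `req.body.password` (a form parser may deliver an array or object) as a mismatch; `!==` already fails closed for those, so this is hardening rather than a bypass fix. The rewrite needs `import crypto from 'crypto';` at the top of the file, and the router.post handler continues outside the hunk.
```typescript
    const supplied = typeof req.body.password === 'string' ? Buffer.from(req.body.password) : Buffer.alloc(0);
    const expected = Buffer.from(appConfig.password);
    // timingSafeEqual throws on unequal lengths, so check length first (this only reveals the length)
    const matches = supplied.length === expected.length && crypto.timingSafeEqual(supplied, expected);
    if (!matches) {
      // … unchanged: render 'Wrong password' …
```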
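Review bot: `}, appConfig.password + appConfig.auth.secret);` closes the `jwt.sign` call (which starts before the hunk) without an options argument, so the token carries no `exp` claim and uses the library's default algorithm; a stolen `authToken` cookie therefore remains valid until the password or `auth.secret` changes. Give the token a lifetime and pin the algorithm, e.g. `}, appConfig.password + appConfig.auth.secret, { algorithm: 'HS256', expiresIn: '7d' });`, with the cookie `maxAge` set to match (the cookie options continue outside the hunk). Note that the context line `iat: Date.now()` is in milliseconds while JWT `iat` is seconds; assuming `jwt` is jsonwebtoken, it derives `exp` from a caller-supplied `iat`, so that line should become `iat: Math.floor(Date.now() / 1000),` or be removed so the library sets it.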
@@ -14,14 +14,14 @@ export default async function verifyToken(req: Request, res: Response, next: Nex
 const token = req.cookies.authToken;
 try {
- if (!process.env.PASSWORD) {
+ if (!appConfig.password) {
 res.locals.isAuthorized = false;
 next();
 return;
 }
- const decodedToken = jwt.verify(token, process.env.PASSWORD + appConfig.auth.secret);
+ const decodedToken = jwt.verify(token, appConfig.password + appConfig.auth.secret);
 res.locals.isAuthorized = !!decodedToken;
diff --git a/src/backend/utils/appConfig.ts b/src/backend/utils/appConfig.ts
index 726dddb..2ab6b43 100644
--- a/src/backend/utils/appConfig.ts
+++ b/src/backend/utils/appConfig.ts
@@ -45,6 +45,7 @@ const AppConfig = z.object({
 favicon: z.string().optional(), // Path or URL to favicon
 uploads: z.string(), // Path to uploads folder
 hawk: HawkConfig.optional().nullable(), // Hawk configuration
+ password: z.string(), // Password for admin panel
 frontend: FrontendConfig, // Frontend configuration
 auth: AuthConfig, // Auth configuration
 database: LocalDatabaseConfig, // Database configuration
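Review bot: `jwt.verify(token, appConfig.password + appConfig.auth.secret)` passes no options, so (assuming `jwt` is jsonwebtoken) any token signed with this key under any HS* algorithm is accepted regardless of its claims, and `res.locals.isAuthorized = !!decodedToken` then authorizes every decoded payload. Bind verification to what auth.ts issues: `const decodedToken = jwt.verify(token, appConfig.password + appConfig.auth.secret, { algorithms: ['HS256'], issuer: 'Codex Team', subject: 'auth' });`, the `iss`/`sub` values being the ones auth.ts signs into the token. A missing cookie leaves `token` undefined and `jwt.verify` throws; that presumably lands in the catch that closes this `try`, but both it and verifyToken's signature are outside the hunk.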
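Review bot: `password: z.string(), // Password for admin panel` makes the admin password a required key of the config file, so a deployment that keeps it out of the checked-in app-config.yaml cannot simply omit it, and the 'Password not set' branches in auth.ts and token.ts are reachable only through an empty string. Those routes already treat a falsy value as 'login disabled', so `.optional()` fits them and matches the neighbouring `favicon`/`hawk` entries: `password: z.string().optional(), // Admin panel password; omit or leave empty to disable login`. The comment should also say the value doubles as part of the JWT signing key, which is what makes rotating it invalidate existing sessions; the enclosing `AppConfig` object starts before the hunk and closes after it.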