diff --git a/README.md b/README.md
index 74c5933..41a970c 100644
--- a/README.md
+++ b/README.md
@@ -125,7 +125,8 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret
+* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
+
 
 ### Metrics endpoint configuration
 
diff --git a/tasks/check-variables.yml b/tasks/check-variables.yml
new file mode 100644
index 0000000..7d4299b
--- /dev/null
+++ b/tasks/check-variables.yml
@@ -0,0 +1,7 @@
+---
+- name: run checks to ensure set variables do not crash gitea
+  block:
+    - fail:
+        msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters. Please reduce the length of your token'
+      when: gitea_oauth2_jwt_secret | length > 32
+
diff --git a/tasks/main.yml b/tasks/main.yml
index aaa6218..a57b1e2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,7 @@
 ---
+
+- include: check-variables.yml
+
 - name: "Check gitea version"
   shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
   register: gitea_active_version