diff --git a/lib/knock.rb b/lib/knock.rb
index 0337700..d7f31c4 100644
--- a/lib/knock.rb
+++ b/lib/knock.rb
@@ -16,8 +16,18 @@ module Knock
 self.token_signature_algorithm = "HS256"
 # Configure the key used to sign tokens.
- mattr_accessor :token_secret_signature_key
- self.token_secret_signature_key = -> { Rails.application.secrets.secret_key_base }
+ mattr_writer :token_secret_signature_key, default: -> { Rails.application.secrets.secret_key_base }
+
+ class EmptySecretKey < StandardError
+ def initialize(msg="Knock secret signature key can't be empty")
+ super
+ end
+ end
+
+ def self.token_secret_signature_key
+ raise EmptySecretKey unless @@token_secret_signature_key
+ @@token_secret_signature_key
+ end
 # Configure the public key used to decode tokens, when required.
 mattr_accessor :token_public_key
diff --git a/test/dummy/test/controllers/protected_resources_controller_test.rb b/test/dummy/test/controllers/protected_resources_controller_test.rb
index da14ffe..9008f75 100644
--- a/test/dummy/test/controllers/protected_resources_controller_test.rb
+++ b/test/dummy/test/controllers/protected_resources_controller_test.rb
@@ -15,6 +15,12 @@ def authenticate token: @token
 assert_response :unauthorized
 end
+ test "responds with unauthorized with empty token in header" do
+ authenticate token: ""
+ get :index
+ assert_response :unauthorized
+ end
+
 test "responds with success with valid token in header" do
 authenticate
 get :index
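Review bot: The guard in `self.token_secret_signature_key` tests the stored configuration object rather than the key it yields, so it misses the cases it appears to target. The default is a lambda, which is truthy even when `Rails.application.secrets.secret_key_base` evaluates to nil, and an empty string is truthy in Ruby as well, so `unless @@token_secret_signature_key` only catches an explicit nil or false. With HS256 a blank key means tokens are signed with a value anyone can reproduce, so the check belongs on the resolved value: `raise EmptySecretKey if @@token_secret_signature_key.blank?` for the stored setting, plus a blank check on the lambda's result where it is invoked (that call site is outside this hunk). Separately, `mattr_writer ... default:` presumably depends on an ActiveSupport release that accepts the `default:` option, so confirm it against the gem's minimum supported Rails version.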
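Review bot: Nothing in this commit's tests exercises the new `EmptySecretKey` path; the added case sends an empty bearer token, which is a different failure from an empty signing key. A test that sets `Knock.token_secret_signature_key = nil`, asserts `assert_raises(Knock::EmptySecretKey)` around the getter, and restores the previous setting in teardown would pin the behaviour, ideally with a second case for a lambda that returns nil. As far as this diff shows, the exception is not rescued anywhere, so it is also worth deciding whether a misconfigured key should reach the client as a server error or be handled explicitly.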