diff --git a/api/src/core/sso/sso-setup.ts b/api/src/core/sso/sso-setup.ts
index 9ffdd3b00..f01b0222f 100755
--- a/api/src/core/sso/sso-setup.ts
+++ b/api/src/core/sso/sso-setup.ts
@@ -23,8 +23,11 @@ function verifyUsernamePasswordAndSSO(string $username, string $password): bool
 // We may have an SSO token, attempt validation
 if (strlen($password) > 800) {
 $safePassword = escapeshellarg($password);
+if (!preg_match('/^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/', $password)) {
+my_logger("SSO Login Attempt Failed: Invalid token format");
+}
 $response = exec("/usr/local/bin/unraid-api sso validate-token $safePassword", $output, $code);
-my_logger("SSO Login Response: $response");
+my_logger("SSO Login Attempt: $response");
 if ($code === 0 && $response && strpos($response, '"valid":true') !== false) {
 return true;
 }
diff --git a/api/src/unraid-api/cli/sso/validate-token.command.ts b/api/src/unraid-api/cli/sso/validate-token.command.ts
index 902fa28da..1af7cc41c 100644
--- a/api/src/unraid-api/cli/sso/validate-token.command.ts
+++ b/api/src/unraid-api/cli/sso/validate-token.command.ts
@@ -38,10 +38,15 @@ export class ValidateTokenCommand extends CommandRunner {
 }
 const token = passedParams[0];
+
 if (typeof token !== 'string' || token.trim() === '') {
 this.createErrorAndExit('Invalid token provided');
 }
+
+if (!/^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/.test(token)) {
+this.createErrorAndExit('Token format is invalid');
+}
+
 let caughtError: null | unknown = null;
 let tokenPayload: null | JWTPayload = null;
 try {
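Review bot: The new `preg_match` guard in verifyUsernamePasswordAndSSO only logs a malformed token and then falls through to the `exec` of `unraid-api sso validate-token` on the next line, so the format check rejects nothing; the block should stop there with `return false;` after `my_logger("SSO Login Attempt Failed: Invalid token format");`. As written, every over-800-character password still spawns the validator process, which is exactly the cost the pre-check exists to avoid; escapeshellarg already covers quoting, so the format check is a cheap pre-filter, not the security boundary. Note also that PCRE's `$` accepts one trailing newline before end of string, so if the intent is an exact match, `\z` (or the `D` modifier) is the stricter anchor. The enclosing function continues past the end of this hunk, and the file carries a .ts extension although the hunk is PHP.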
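Review bot: The regex literal in the new `if (!/^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/.test(token))` line is an undocumented magic value; it encodes the three-segment base64url shape of a compact JWT, and the same pattern is duplicated in sso-setup.ts in this commit, so a named constant with a comment would keep the two in step and make the intent readable: `// header.payload.signature in the base64url alphabet; a shape check only, not verification` followed by `const JWT_SHAPE = /^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/;` and `if (!JWT_SHAPE.test(token)) {`. Worth stating in that comment that the check never replaces the signature/claim verification that the `try` block starting at the end of the hunk presumably performs. The check runs on the untrimmed token, so a value with surrounding whitespace passes the `trim()` test above and is then rejected here, which is consistent. The enclosing method runs past the end of this hunk.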