diff --git a/app/api/cron/check-renders/route.ts b/app/api/cron/check-renders/route.ts
index 90be062c..5a66dd40 100644
--- a/app/api/cron/check-renders/route.ts
+++ b/app/api/cron/check-renders/route.ts
@@ -527,8 +527,13 @@ async function handleStuckDocs(client: SanityClient): Promise<{ audioGen: number
  */
 export async function GET(request: NextRequest) {
   // Auth check
+  const cronSecret = process.env.CRON_SECRET;
+  if (!cronSecret) {
+    console.error('[PIPELINE] CRON_SECRET not configured');
+    return Response.json({ error: 'Server misconfigured' }, { status: 503 });
+  }
   const authHeader = request.headers.get('authorization');
-  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {
+  if (authHeader !== `Bearer ${cronSecret}`) {
     console.error('[PIPELINE] Unauthorized cron request');
     return Response.json({ error: 'Unauthorized' }, { status: 401 });
   }
diff --git a/app/api/cron/sponsor-outreach/route.ts b/app/api/cron/sponsor-outreach/route.ts
index f588e483..e3806ab3 100644
--- a/app/api/cron/sponsor-outreach/route.ts
+++ b/app/api/cron/sponsor-outreach/route.ts
@@ -11,8 +11,13 @@ const COOLDOWN_DAYS = 14
 
 export async function POST(request: Request) {
   // Auth: Bearer token check against CRON_SECRET
+  const cronSecret = process.env.CRON_SECRET;
+  if (!cronSecret) {
+    console.error('[SPONSOR] CRON_SECRET not configured');
+    return new Response('Server misconfigured', { status: 503 });
+  }
   const authHeader = request.headers.get('authorization')
-  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {
+  if (authHeader !== `Bearer ${cronSecret}`) {
     console.error('[SPONSOR] Outreach cron: unauthorized request')
     return new Response('Unauthorized', { status: 401 })
   }