diff --git a/backend/auth/token.py b/backend/auth/token.py
index c636a11..22ab9ed 100644
--- a/backend/auth/token.py
+++ b/backend/auth/token.py
@@ -21,6 +21,11 @@ def verify_token():
     token = auth_header[7:]  # len("Bearer ") == 7; safe because startswith is verified above
     try:
         decoded = decode(token, SECRET_KEY, algorithms=["HS256"])
+        # Reject tokens that are missing required fields (e.g. issued before
+        # 'id' was added to the payload) so callers never get a KeyError.
+        if not all(k in decoded for k in ("id", "username", "role")):
+            logger.warning("🔐 Token missing required fields — forcing re-login")
+            return None
         return decoded
     except ExpiredSignatureError:
         logger.warning("🔐 Token expired")
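Review bot: The new required-field check covers the identity claims but not `exp`, so a token carrying `id`/`username`/`role` and no expiry still passes here and never reaches the `ExpiredSignatureError` branch below; if `decode` is PyJWT's (as the `ExpiredSignatureError` name suggests), expiry is only enforced when the claim is present. Adding it to the tuple closes that gap in one line, `if not all(k in decoded for k in ("id", "username", "role", "exp")):`, or the same requirement can be pushed into the decode call with PyJWT's `options={"require": [...]}` so a missing claim surfaces as a decode error alongside the existing handlers. Note also that `k in decoded` only tests presence, so a claim set to `None` or an empty string would still be accepted; if callers treat `role` as authoritative, a type/non-empty check there is worth considering. The enclosing `verify_token` starts before this hunk and its remaining `except` clauses continue after it.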