diff --git a/config.go b/config.go
index 96f1913d3..983a35940 100644
--- a/config.go
+++ b/config.go
@@ -177,13 +177,13 @@ type TokenEntropyProvider interface {
 // GlobalSecretProvider returns the provider for configuring the global secret.
 type GlobalSecretProvider interface {
 	// GetGlobalSecret returns the global secret.
-	GetGlobalSecret(ctx context.Context) []byte
+	GetGlobalSecret(ctx context.Context) ([]byte, error)
 }
 
 // RotatedGlobalSecretsProvider returns the provider for configuring the rotated global secrets.
 type RotatedGlobalSecretsProvider interface {
 	// GetRotatedGlobalSecrets returns the rotated global secrets.
-	GetRotatedGlobalSecrets(ctx context.Context) [][]byte
+	GetRotatedGlobalSecrets(ctx context.Context) ([][]byte, error)
 }
 
 // HMACHashingProvider returns the provider for configuring the hash function.
diff --git a/config_default.go b/config_default.go
index 5f2172e0a..df6fa2a50 100644
--- a/config_default.go
+++ b/config_default.go
@@ -214,16 +214,16 @@ type Config struct {
 	IsPushedAuthorizeEnforced bool
 }
 
-func (c *Config) GetGlobalSecret(ctx context.Context) []byte {
-	return c.GlobalSecret
+func (c *Config) GetGlobalSecret(ctx context.Context) ([]byte, error) {
+	return c.GlobalSecret, nil
 }
 
 func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) bool {
 	return c.UseLegacyErrorFormat
 }
 
-func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) [][]byte {
-	return c.RotatedGlobalSecrets
+func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) ([][]byte, error) {
+	return c.RotatedGlobalSecrets, nil
 }
 
 func (c *Config) GetHMACHasher(ctx context.Context) func() hash.Hash {
diff --git a/token/hmac/hmacsha.go b/token/hmac/hmacsha.go
index d7dab7cd0..3d064286f 100644
--- a/token/hmac/hmacsha.go
+++ b/token/hmac/hmacsha.go
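Review bot: The doc comments on GetGlobalSecret and GetRotatedGlobalSecrets in the config.go hunk still only say that the methods "return the secret" and say nothing about the error result that this commit adds, even though in the hmacsha.go hunks a non-nil error aborts both Generate and Validate. I would state that contract on the interface, e.g. `// GetGlobalSecret returns the global secret used to sign and verify HMAC tokens. A non-nil error aborts token generation and validation; return it rather than an empty secret when the lookup fails.`, and a matching sentence on GetRotatedGlobalSecrets noting that the rotated secrets are tried in order after the global secret during validation. Generate also rejects a global secret shorter than minimumSecretLength (the error text says 32 bytes), which belongs on the interface so that providers backed by an external store surface a misconfiguration at setup time rather than on the first token.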
@@ -51,12 +51,17 @@ func (c *HMACStrategy) Generate(ctx context.Context) (string, string, error) {
 	c.Lock()
 	defer c.Unlock()
 
-	if len(c.Config.GetGlobalSecret(ctx)) < minimumSecretLength {
-		return "", "", errors.Errorf("secret for signing HMAC-SHA512/256 is expected to be 32 byte long, got %d byte", len(c.Config.GetGlobalSecret(ctx)))
+	secrets, err := c.Config.GetGlobalSecret(ctx)
+	if err != nil {
+		return "", "", err
+	}
+
+	if len(secrets) < minimumSecretLength {
+		return "", "", errors.Errorf("secret for signing HMAC-SHA512/256 is expected to be 32 byte long, got %d byte", len(secrets))
 	}
 
 	var signingKey [32]byte
-	copy(signingKey[:], c.Config.GetGlobalSecret(ctx))
+	copy(signingKey[:], secrets)
 
 	entropy := c.Config.GetTokenEntropy(ctx)
 	if entropy < minimumEntropy {
@@ -86,11 +91,21 @@ func (c *HMACStrategy) Generate(ctx context.Context) (string, string, error) {
 func (c *HMACStrategy) Validate(ctx context.Context, token string) (err error) {
 	var keys [][]byte
-	if len(c.Config.GetGlobalSecret(ctx)) > 0 {
-		keys = append(keys, c.Config.GetGlobalSecret(ctx))
+	secrets, err := c.Config.GetGlobalSecret(ctx)
+	if err != nil {
+		return err
+	}
+
+	rotatedSecrets, err := c.Config.GetRotatedGlobalSecrets(ctx)
+	if err != nil {
+		return err
+	}
+
+	if len(secrets) > 0 {
+		keys = append(keys, secrets)
 	}
 
-	keys = append(keys, c.Config.GetRotatedGlobalSecrets(ctx)...)
+	keys = append(keys, rotatedSecrets...)
 
 	for _, key := range keys {
 		if err = c.validate(ctx, key, token); err == nil {
 			return nil
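Review bot: In Generate the provider error is returned bare (`return "", "", err`), so a caller cannot tell a secret-lookup failure from the length error a few lines below and the call site is lost; if this is pkg/errors (the hunk already uses errors.Errorf), `return "", "", errors.Wrap(err, "unable to retrieve global secret")` keeps the two failures distinguishable. As a point of style, the new local `secrets` holds a single `[]byte`, not a list, so `secret` reads better and avoids confusion with the `rotatedSecrets` slice-of-slices used in Validate. Generate's body continues past the end of this hunk.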
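Review bot: In Validate, when GetGlobalSecret yields an empty slice and GetRotatedGlobalSecrets yields nothing, `keys` stays empty, the loop body never runs and the named `err` is still nil; whether that makes Validate accept the token depends on the return after the loop, which is outside this hunk, so a guard before the loop would make the outcome explicit: `if len(keys) == 0 { return errors.New("no HMAC secret is configured") }`. The two provider errors are also returned bare, so a transient lookup failure reaches the caller looking like any other validation failure; wrapping them with context (errors.Wrap if this is pkg/errors) keeps that distinguishable. Note too that only the global secret gets the non-empty check and the minimum-length check from Generate is not repeated here, so a short rotated secret is rejected only if c.validate enforces the minimum itself, which is not visible in this hunk. Validate's body continues past the end of the hunk.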