diff --git a/logic/jwts.go b/logic/jwts.go
index 3fd3ae92..7750a2a7 100644
--- a/logic/jwts.go
+++ b/logic/jwts.go
@@ -262,6 +262,12 @@ func VerifyHostToken(tokenString string) (hostID string, mac string, network str
 })
 if token != nil && token.Valid {
+ if !strings.HasPrefix(claims.Subject, "node|") {
+ return "", "", "", errors.New("not a host token")
+ }
+ if claims.ID == "" {
+ return "", "", "", errors.New("invalid host token: missing host ID")
+ }
 return claims.ID, claims.MacAddress, claims.Network, nil
 }
 return "", "", "", err
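Review bot: The new subject check inside the `token.Valid` branch tests only for a bare `"node|"` literal, so a subject that is exactly `node|` passes and nothing ties the subject to the `claims.ID` that is returned. If host tokens are issued as `node|<host ID>` (the issuing code is not in this hunk, so confirm the format first), comparing the suffix with `claims.ID` would bind the two claims. The literal presumably has to match what the issuer writes, so a shared constant used on both sides (for example `const hostSubjectPrefix = "node|"`, name illustrative) would keep them from drifting apart. A short comment such as `// reject validly signed tokens whose subject marks them as something other than a host token` would record why the branch exists, and because these rejections mean a correctly signed token reached the wrong verifier, they are worth logging as a detection signal. VerifyHostToken starts above the hunk and closes below it.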