diff --git a/PKGBUILD b/PKGBUILD
index c93891f..755af54 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,7 +10,7 @@ backup=(etc/pkgstash/pkgstash.toml etc/pkgstash/pkgstash.env)
 license=(GPL-2.0-only)
 install=pkgstash.install
 source=("https://github.com/ewpt3ch/${pkgname}/releases/download/v${pkgver}/pkgstash-v${pkgver}-$CARCH.tar.gz")
-sha256sums=('ccad5b513ed37b5c626c74f783127f2fb468b53080fc6deb3e4e44e1e7e99e99')
+sha256sums=('e1eed03e58259f037c71459f729b6544ff02264dc7243107bc9b0ed25b854e28')
 
 package() {
   cd deploy
diff --git a/cmd/server/config.go b/cmd/server/config.go
index 71cd01d..78c881e 100644
--- a/cmd/server/config.go
+++ b/cmd/server/config.go
@@ -61,7 +61,7 @@ func (c *Config) loadToken(path string) error {
 		return fmt.Errorf("failed to stat env file: %v", err)
 	}
 
-	if info.Mode().Perm() != 0600 {
+	if info.Mode().Perm() != 0640 {
 		return fmt.Errorf("env file perms not secure, expected 0600 got %o", info.Mode().Perm())
 	}
 	//#nosec G304 -- config is known path
diff --git a/cmd/server/config_test.go b/cmd/server/config_test.go
index 0bee4cf..f95b487 100644
--- a/cmd/server/config_test.go
+++ b/cmd/server/config_test.go
@@ -54,7 +54,7 @@ func defaultCfgMap() map[string]string {
 
 func TestReadConfig(t *testing.T) {
 	cfgMap := defaultCfgMap()
-	path := writeConfigFiles(t, cfgMap, 0600)
+	path := writeConfigFiles(t, cfgMap, 0640)
 
 	cfg, err := ReadConfig(path)
 	if err != nil {