diff --git a/.env.example b/.env.example
index 721e935..d507cbe 100644
--- a/.env.example
+++ b/.env.example
@@ -23,6 +23,7 @@ DOCKER_IMAGE_BACKEND=kaapi-guardrails-backend
 OPENAI_API_KEY=""
 GUARDRAILS_HUB_API_KEY=""
+HF_TOKEN=""
 # SHA-256 hex digest of your bearer token (64 lowercase hex chars)
 AUTH_TOKEN=""
 KAAPI_AUTH_URL=""
diff --git a/backend/Dockerfile b/backend/Dockerfile
index feadbe6..e8900cc 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -51,10 +51,19 @@ RUN python -m pip install --no-deps "${SPACY_MODEL_WHEEL_URL}"
 ENV HF_HOME=/app/hf_cache
 # Pre-download HuggingFace model
-RUN /app/.venv/bin/python -c "from transformers import AutoTokenizer, AutoModelForSequenceClassification; \
+RUN --mount=type=secret,id=HF_TOKEN \
+ HF_TOKEN="$(cat /run/secrets/HF_TOKEN 2>/dev/null || true)" \
+ /app/.venv/bin/python -c "from transformers import AutoTokenizer, AutoModelForSequenceClassification; \
 AutoTokenizer.from_pretrained('textdetox/xlmr-large-toxicity-classifier', cache_dir='/app/hf_cache'); \
 AutoModelForSequenceClassification.from_pretrained('textdetox/xlmr-large-toxicity-classifier', cache_dir='/app/hf_cache')"
+# Pre-install Guardrails hub validators so container startup is not blocked by downloads
+RUN --mount=type=secret,id=GUARDRAILS_HUB_API_KEY \
+ GUARDRAILS_HUB_API_KEY="$(cat /run/secrets/GUARDRAILS_HUB_API_KEY 2>/dev/null || true)" \
+ ENABLE_METRICS="false" \
+ ENABLE_REMOTE_INFERENCING="true" \
+ /app/scripts/install_guardrails_from_hub.sh
+
 # -------------------------------
 # Entrypoint (runtime setup)
 # -------------------------------
diff --git a/docker-compose.yml b/docker-compose.yml
index b96b67e..2cb47ce 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,11 @@
 version: "3.9"
+secrets:
+ HF_TOKEN:
+ environment: HF_TOKEN
+ GUARDRAILS_HUB_API_KEY:
+ environment: GUARDRAILS_HUB_API_KEY
+
 services:
 prestart:
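Review bot: The new `HF_TOKEN=""` entry in .env.example has no comment saying what the token is for or what scope it needs, and it appears to sit directly above the SHA-256 comment that belongs to `AUTH_TOKEN`. I would add a line such as `# Hugging Face access token; a read-only token is sufficient for model downloads` above it, and keep a blank line after it so the digest comment is not read as describing `HF_TOKEN`.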
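Review bot: In backend/Dockerfile both new `RUN --mount=type=secret` steps read the secret with `cat ... 2>/dev/null || true`, so a build where the secret was never passed continues with an empty credential instead of stopping. That fallback is reasonable for the model download if the model is public, but the Guardrails step presumably needs its key; there I would make the mount mandatory, `RUN --mount=type=secret,id=GUARDRAILS_HUB_API_KEY,required=true \`, and drop the `2>/dev/null || true`. Separately, install_guardrails_from_hub.sh is not part of this diff: if it persists the key to disk (for example through `guardrails configure`, which writes an rc file in the home directory), the key ends up in the image layer despite the secret mount, so that file should be removed in the same `RUN` or the script checked before merging.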
@@ -8,6 +14,9 @@ services:
 entrypoint: []
 build:
 context: ./backend
+ secrets:
+ - HF_TOKEN
+ - GUARDRAILS_HUB_API_KEY
 command: bash scripts/prestart.sh
 env_file:
 - .env
@@ -21,6 +30,9 @@ services:
 restart: always
 build:
 context: ./backend
+ secrets:
+ - HF_TOKEN
+ - GUARDRAILS_HUB_API_KEY
 env_file:
 - .env
 extra_hosts:
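Review bot: The nesting of the added `secrets:` lists in docker-compose.yml decides whether they work, and the indentation is not recoverable from this view: only `build.secrets` feeds the `RUN --mount=type=secret` steps in backend/Dockerfile, while a service-level `secrets:` key mounts the values into the running container instead. Because the Dockerfile reads the mounts with `|| true`, the wrong nesting would not fail the build; the downloads would simply run with empty credentials. Please confirm both lists sit under `build:` here and in the `@@ -21,6 +30,9 @@` hunk, and consider a comment such as `# build-time only; consumed by RUN --mount=type=secret in backend/Dockerfile`. Both services also load `.env` through `env_file`, so if the two values live in that file they are still plain environment variables at runtime; the secret mount keeps them out of image layers, not out of the container.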