diff --git a/tools/flash_device.py b/tools/flash_device.py
index 7b1018d..f6fee27 100755
--- a/tools/flash_device.py
+++ b/tools/flash_device.py
@@ -15,11 +15,14 @@ Usage:
 """
 import argparse
 import os
+import re
 import secrets
 import subprocess
 import sys
 import tempfile
 
+HMAC_SECRET_RE = re.compile(r"^[0-9a-fA-F]{64}$")
+
 
 NVS_NAMESPACE        = "doorcounter"
 NVS_PARTITION_OFFSET = "0x9000"
@@ -63,6 +66,10 @@ def main():
     args = parser.parse_args()
 
     hmac_secret = args.hmac_secret or secrets.token_hex(32)
+    if not HMAC_SECRET_RE.match(hmac_secret):
+        print("Error: --hmac-secret must be exactly 64 hex characters (32 bytes)",
+              file=sys.stderr)
+        sys.exit(1)
     if args.hmac_secret is None:
         print(f"Generated HMAC secret: {hmac_secret}")
         print("  *** SAVE THIS — you need it to register the device on the server ***")