diff --git a/rpc-server/src/main/java/com/bt/rpc/server/jws/CredentialVerify.java b/rpc-server/src/main/java/com/bt/rpc/server/jws/CredentialVerify.java
index d6f6063..a22a4fb 100644
--- a/rpc-server/src/main/java/com/bt/rpc/server/jws/CredentialVerify.java
+++ b/rpc-server/src/main/java/com/bt/rpc/server/jws/CredentialVerify.java
@@ -29,11 +29,15 @@ public interface CredentialVerify {
 Key AUTHORIZATION = Metadata.Key.of(HttpConst.AUTHORIZATION_HEADER, Metadata.ASCII_STRING_MARSHALLER);
+ int TOKEN_INDEX = BEARER_FLAG.length() + 1;
+
 static String bearerToken(Metadata headers) {
 var tokenPlace = headers.get(AUTHORIZATION);
 String token = null;
- if (null != tokenPlace && tokenPlace.startsWith(BEARER_FLAG)) {
- token = tokenPlace.substring(BEARER_FLAG.length() + 1);
+ if (null != tokenPlace
+ && tokenPlace.length() > TOKEN_INDEX
+ && tokenPlace.startsWith(BEARER_FLAG)) {
+ token = tokenPlace.substring(TOKEN_INDEX);
 }
 return token;
 }
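Review bot: The guard in `bearerToken` still never checks the character at index `BEARER_FLAG.length()`, which `TOKEN_INDEX` skips, so a header where the scheme is followed directly by any other character is accepted and the rest is handed on as the token. Assuming `BEARER_FLAG` holds the bare scheme name without a trailing space (its definition is outside the hunk), adding `&& tokenPlace.charAt(BEARER_FLAG.length()) == ' '` to the condition would make the parse strict. `TOKEN_INDEX` is declared as an interface field and is therefore implicitly public; a comment such as `// offset of the token: scheme name plus one separator character` would explain the `+ 1`. The `null` return for a malformed header relies on callers treating it as unauthenticated, which is not visible in this hunk.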