diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 5f0d38cfd..65fec623f 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -193,6 +193,8 @@ jobs:
 platforms: ${{ matrix.platform }}
 cache-from: type=registry,ref=${{ steps.image.outputs.name }}:buildcache-${{ matrix.variant }}-${{ matrix.suffix }}
 cache-to: type=registry,ref=${{ steps.image.outputs.name }}:buildcache-${{ matrix.variant }}-${{ matrix.suffix }},mode=max,image-manifest=true,oci-mediatypes=true
+ secrets: |
+ HF_TOKEN=${{ secrets.HF_TOKEN }}
 provenance: false
 build-args: |
 ${{ matrix.image == 'backend' && format('USE_CUDA={0}', matrix.use_cuda) || '' }}
diff --git a/surfsense_backend/Dockerfile b/surfsense_backend/Dockerfile
index 1cf6e9793..d886f48bc 100644
--- a/surfsense_backend/Dockerfile
+++ b/surfsense_backend/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker.io/docker/dockerfile:1
 # =============================================================================
 # SurfSense Backend — Multi-stage Dockerfile
 # =============================================================================
@@ -104,7 +105,9 @@ RUN printf '%s\n' \
 | python || true
 ARG EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
-RUN python -c "from chonkie import AutoEmbeddings; AutoEmbeddings.get_embeddings('${EMBEDDING_MODEL}')"
+RUN --mount=type=secret,id=HF_TOKEN \
+ HF_TOKEN="$(cat /run/secrets/HF_TOKEN 2>/dev/null || true)" \
+ python -c "from chonkie import AutoEmbeddings; AutoEmbeddings.get_embeddings('${EMBEDDING_MODEL}')"
 # Install Playwright browsers (the playwright python package itself is in deps)
 RUN playwright install chromium --with-deps
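Review bot: The new `secrets:` entry exposes `HF_TOKEN` to a build step that imports third-party Python packages, yet nothing at this step records what scope the token is expected to have. A comment above the key would make that expectation reviewable, for example `# HF_TOKEN: read-only Hugging Face token, used only for the build-time model download`. On `pull_request` runs from forks GitHub does not pass repository secrets, so the value would be empty there and the Dockerfile side appears to fall back to an anonymous download; the same comment is a good place to say so. The step and job definitions start outside this hunk, so the workflow triggers are not visible here.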
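Review bot: The added `# syntax=docker.io/docker/dockerfile:1` directive resolves a mutable tag on every build, and the frontend it fetches is the component that processes the secret mount introduced later in this file. Pinning the frontend by digest keeps it under review like any other build dependency: `# syntax=docker.io/docker/dockerfile:1@sha256:<digest-of-the-reviewed-frontend>` (placeholder; fill in the digest you verified). Digest bumps then show up as explicit changes in the repository rather than happening silently at build time.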
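Review bot: `${EMBEDDING_MODEL}` is still expanded by the shell into the Python source of the `python -c` call, and that process now runs with `HF_TOKEN` in its environment. A build-arg value containing a single quote ends the string literal and the remainder is parsed as Python code. Docker exposes `ARG` values as environment variables to `RUN`, so the model name can be read as data instead: `python -c "import os; from chonkie import AutoEmbeddings; AutoEmbeddings.get_embeddings(os.environ['EMBEDDING_MODEL'])"`. Separately, `2>/dev/null || true` makes a missing or misnamed secret silent, so a short comment stating that the anonymous fallback is intentional would help the next reader.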