diff --git a/server/.env.template b/server/.env.template
index f78a16d..52e80be 100644
--- a/server/.env.template
+++ b/server/.env.template
@@ -43,4 +43,8 @@
 # Vygenerovat pomocí: npx web-push generate-vapid-keys
 # VAPID_PUBLIC_KEY=
 # VAPID_PRIVATE_KEY=
-# VAPID_SUBJECT=mailto:admin@example.com
\ No newline at end of file
+# VAPID_SUBJECT=mailto:admin@example.com
+
+# Heslo pro bypass rate limitu na endpointu /api/food/refresh (pro skripty/admin).
+# Bez hesla může refresh volat každý přihlášený uživatel (podléhá rate limitu).
+# REFRESH_BYPASS_PASSWORD=
\ No newline at end of file
diff --git a/server/src/routes/foodRoutes.ts b/server/src/routes/foodRoutes.ts
index ba4bdd4..2688d7e 100644
--- a/server/src/routes/foodRoutes.ts
+++ b/server/src/routes/foodRoutes.ts
@@ -191,13 +191,20 @@ router.post("/updateBuyer", async (req, res, next) => {
 } catch (e: any) { next(e) }
 });
 
-// /api/food/refresh?type=week&heslo=docasnyheslo
+// /api/food/refresh?type=week (přihlášený uživatel, nebo ?heslo=... pro bypass rate limitu)
 export const refreshMetoda = async (req: Request, res: Response) => {
 const { type, heslo } = req.query as { type?: string; heslo?: string };
- if (heslo !== "docasnyheslo" && heslo !== "tohleheslopavelnesmizjistit123") {
- return res.status(403).json({ error: "Neplatné heslo" });
+ const bypassPassword = process.env.REFRESH_BYPASS_PASSWORD;
+ const isBypass = !!bypassPassword && heslo === bypassPassword;
+
+ if (!isBypass) {
+ try {
+ getLogin(parseToken(req));
+ } catch {
+ return res.status(403).json({ error: "Přihlaste se prosím" });
+ }
 }
- if (!checkRateLimit("refresh") && heslo !== "tohleheslopavelnesmizjistit123") {
+ if (!checkRateLimit("refresh") && !isBypass) {
 return res.status(429).json({ error: "Refresh už se zavolal, chvíli počkej :))" });
 }
 if (type !== "week" && type !== "day") {
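Review bot: The new REFRESH_BYPASS_PASSWORD comment says what the value is for but not how strong it must be, nor that the two literals it replaces in foodRoutes.ts (`docasnyheslo`, `tohleheslopavelnesmizjistit123`) remain readable in repository history and must not be reused as the new value. I would add one line under the existing comment: `# Vygenerovat např. openssl rand -hex 32; nikdy nepoužívat stará hesla z historie gitu.` Since this is a shared credential that skips both login and the rate limit, a short note that it should be rotated whenever the script or person holding it changes would also help operators.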
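Review bot: The bypass secret is still taken from the query string (`heslo`) and compared with plain `===`, so on the new `isBypass` line it ends up in server access logs, browser history and proxy logs, and the comparison is not constant-time. Prefer reading it from a header with `timingSafeEqual` (needs `import { timingSafeEqual } from "node:crypto";` at the top of the file) behind a length check, guarding with `typeof` because the `as { heslo?: string }` cast is not enforced at runtime and Express can hand back an array; keeping `?heslo=` as a deprecated fallback preserves existing scripts. The unset-env case is handled correctly: `!!bypassPassword` means a missing REFRESH_BYPASS_PASSWORD disables the bypass rather than opening it. Consider logging when the bypass path is taken, since it skips both authentication and the `checkRateLimit("refresh")` gate. `refreshMetoda` continues past the end of the hunk.
```typescript
  const bypassPassword = process.env.REFRESH_BYPASS_PASSWORD;
  // Prefer the header; the query-string form leaks the secret into logs and history.
  const supplied = req.header("x-refresh-password") ?? heslo;
  const isBypass =
    !!bypassPassword &&
    typeof supplied === "string" &&
    supplied.length === bypassPassword.length &&
    timingSafeEqual(Buffer.from(supplied), Buffer.from(bypassPassword));
  // … unchanged: login check, rate limit, type validation …
```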