diff --git a/src/commands/configure.gateway-auth.test.ts b/src/commands/configure.gateway-auth.test.ts
index 50c6635778e..be7fe347a53 100644
--- a/src/commands/configure.gateway-auth.test.ts
+++ b/src/commands/configure.gateway-auth.test.ts
@@ -43,4 +43,43 @@ describe("buildGatewayAuthConfig", () => {
 
     expect(result).toEqual({ mode: "password", password: "secret" });
   });
+
+  it("generates random token when token param is undefined", () => {
+    const result = buildGatewayAuthConfig({
+      mode: "token",
+      token: undefined,
+    });
+
+    expect(result?.mode).toBe("token");
+    expect(result?.token).toBeDefined();
+    expect(result?.token).not.toBe("undefined");
+    expect(typeof result?.token).toBe("string");
+    expect(result?.token?.length).toBeGreaterThan(0);
+  });
+
+  it("generates random token when token param is empty string", () => {
+    const result = buildGatewayAuthConfig({
+      mode: "token",
+      token: "",
+    });
+
+    expect(result?.mode).toBe("token");
+    expect(result?.token).toBeDefined();
+    expect(result?.token).not.toBe("undefined");
+    expect(typeof result?.token).toBe("string");
+    expect(result?.token?.length).toBeGreaterThan(0);
+  });
+
+  it("generates random token when token param is whitespace only", () => {
+    const result = buildGatewayAuthConfig({
+      mode: "token",
+      token: "   ",
+    });
+
+    expect(result?.mode).toBe("token");
+    expect(result?.token).toBeDefined();
+    expect(result?.token).not.toBe("undefined");
+    expect(typeof result?.token).toBe("string");
+    expect(result?.token?.length).toBeGreaterThan(0);
+  });
 });
diff --git a/src/commands/configure.gateway-auth.ts b/src/commands/configure.gateway-auth.ts
index 0296c512922..396e0925746 100644
--- a/src/commands/configure.gateway-auth.ts
+++ b/src/commands/configure.gateway-auth.ts
@@ -12,6 +12,7 @@ import {
   promptModelAllowlist,
 } from "./model-picker.js";
 import { promptCustomApiConfig } from "./onboard-custom.js";
+import { randomToken } from "./onboard-helpers.js";
 
 type GatewayAuthChoice = "token" | "password";
 
@@ -35,7 +36,9 @@ export function buildGatewayAuthConfig(params: {
   }
 
   if (params.mode === "token") {
-    return { ...base, mode: "token", token: params.token };
+    // Guard against undefined/empty token to prevent JSON.stringify from writing the string "undefined"
+    const safeToken = params.token?.trim() || randomToken();
+    return { ...base, mode: "token", token: safeToken };
   }
   return { ...base, mode: "password", password: params.password };
 }