diff --git a/backend/src/auth/auth.guard.ts b/backend/src/auth/auth.guard.ts
index 66d3cc5..402b07d 100644
--- a/backend/src/auth/auth.guard.ts
+++ b/backend/src/auth/auth.guard.ts
@@ -12,6 +12,7 @@ interface CacheEntry {
 }
 const TOKEN_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const MAX_CACHE_SIZE = 1000;
 @Injectable()
 export class AuthGuard implements CanActivate {
@@ -49,6 +50,10 @@ export class AuthGuard implements CanActivate {
 const user = await this.introspect(token);
 if (user) {
+ if (this.cache.size >= MAX_CACHE_SIZE) {
+ const oldest = this.cache.keys().next().value;
+ if (oldest) this.cache.delete(oldest);
+ }
 this.cache.set(token, {
 user,
 expiresAt: Date.now() + TOKEN_CACHE_TTL_MS,
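Review bot: The eviction added inside `if (user)` removes the first-inserted key whether or not it has expired, so once the cache holds 1000 entries a still-valid token can be dropped while expired ones stay, and each dropped token costs another `introspect()` call. If expired entries are not deleted on lookup (that code is outside the hunk), a token being refreshed is already in the map: `Map.set` keeps its original position, so the refreshed entry remains "oldest" and another entry is evicted for nothing. I would guard the eviction with `if (!this.cache.has(token) && this.cache.size >= MAX_CACHE_SIZE) {`, and call `this.cache.delete(token)` before the `set` so a refresh moves the entry to the end. The truthiness test would also read better as `if (oldest !== undefined) this.cache.delete(oldest);`, so a falsy key cannot defeat the bound. A comment above the block should state that eviction is insertion-order FIFO, not LRU or expiry-first; the enclosing method starts and ends outside the hunk.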