diff --git a/routes/api/link.py b/routes/api/link.py
index a73a2f4..44d733c 100644
--- a/routes/api/link.py
+++ b/routes/api/link.py
@@ -10,13 +10,14 @@ limited and body-size capped. Keep /rpc on the internal node network.
 from __future__ import annotations
 
 import base64
+import os
 
 from quart import current_app
 
 from my_modules.app.setup import LIMITER
 from my_modules.expiry import ensure_utc, parse_expires
 from my_modules.file_meta import format_size, iso_stamp_filename
-from servicelink import InvalidParams, NotFound, Router, Unauthorized, bearer_verifier, create_link_blueprint
+from servicelink import InvalidParams, NotFound, Router, Unauthorized, any_verifier, bearer_verifier, create_link_blueprint, shared_secret_verifier
 
 MAX_RPC_BODY = 16 * 1024 * 1024
 MESH_SCOPE = 'mesh'
@@ -107,5 +108,12 @@ async def _decode_access_token(token):
         raise ValueError((payload or {}).get('error', 'invalid token'))
     return payload
 
-verify = bearer_verifier(_decode_access_token, require_scope=MESH_SCOPE)
+def _build_verify():
+    # Accept a JWT access token with the mesh scope (public path) OR, on the
+    # trusted Docker network, a static shared secret from SERVICELINK_MESH_SECRET.
+    jwt = bearer_verifier(_decode_access_token, require_scope=MESH_SCOPE)
+    secret = os.getenv('SERVICELINK_MESH_SECRET')
+    return any_verifier(shared_secret_verifier(secret, scopes=(MESH_SCOPE,)), jwt) if secret else jwt
+
+verify = _build_verify()
 
 link_bp = create_link_blueprint(router, verify=verify, limiter=LIMITER.limit('30 per minute'), max_body=MAX_RPC_BODY)
diff --git a/servicelink b/servicelink
index 094bdc8..7b9a51e 160000
--- a/servicelink
+++ b/servicelink
@@ -1 +1 @@
-Subproject commit 094bdc8c569d2980d00a42b55039abd62254898f
+Subproject commit 7b9a51ee525862a6e5eb99732a20aa1927d3ae62
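Review bot: The comment in `_build_verify` says the shared secret is accepted "on the trusted Docker network", but `any_verifier` applies the shared-secret verifier to every request that reaches the blueprint; nothing in this hunk ties that path to a source network, so a leaked SERVICELINK_MESH_SECRET would be usable from the public path unless the deployment enforces the module docstring's "Keep /rpc on the internal node network" elsewhere. Either make the comment state that assumption explicitly, e.g. `# NOTE: the secret path is not network-restricted here; it relies on /rpc being reachable only from the internal network`, or put a source-address check in front of it. Unlike the JWT path, a static secret carries no expiry or revocable claim, and it is read once at import time, so rotation requires a process restart — worth a line in the same comment. A startup check would also reject a weak or truncated value instead of silently accepting it, e.g. `if secret and len(secret) < 32: raise RuntimeError('SERVICELINK_MESH_SECRET too short')`. Whether `shared_secret_verifier` compares in constant time depends on the servicelink submodule bumped in this commit, which is not visible here.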