diff --git a/rust/headless-client/src/main.rs b/rust/headless-client/src/main.rs
index 988747e84..80b819100 100644
--- a/rust/headless-client/src/main.rs
+++ b/rust/headless-client/src/main.rs
@@ -86,12 +86,6 @@ struct Cli {
     #[arg(long, env = "FIREZONE_NO_TELEMETRY", default_value_t = false)]
     no_telemetry: bool,
 
-    /// Token generated by the portal to authorize websocket connection.
-    // systemd recommends against passing secrets through env vars:
-    // <https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Environment=>
-    #[arg(env = TOKEN_ENV_KEY, hide = true)]
-    token: Option<String>,
-
     /// A filesystem path where the token can be found
     // Apparently passing secrets through stdin is the most secure method, but
     // until anyone asks for it, env vars are okay and files on disk are slightly better.
@@ -119,7 +113,13 @@ fn main() -> Result<()> {
         .install_default()
         .expect("Calling `install_default` only once per process should always succeed");
 
-    let mut cli = Cli::try_parse()?;
+    let cli = Cli::try_parse()?;
+
+    // Modifying the environment of a running process is unsafe. If any other
+    // thread is reading or writing the environment, something bad can happen.
+    // So `run` must take over as early as possible during startup, and
+    // read the token env var before any other threads spawn.
+    let token_env_var = std::env::var(TOKEN_ENV_KEY).ok().map(SecretString::from);
 
     // Docs indicate that `remove_var` should actually be marked unsafe
     // SAFETY: We haven't spawned any other threads, this code should be the first
@@ -131,12 +131,6 @@ fn main() -> Result<()> {
     }
     assert!(std::env::var(TOKEN_ENV_KEY).is_err());
 
-    // Modifying the environment of a running process is unsafe. If any other
-    // thread is reading or writing the environment, something bad can happen.
-    // So `run` must take over as early as possible during startup, and
-    // take the token env var before any other threads spawn.
-    let token_env_var = cli.token.take().map(SecretString::from);
-
     // TODO: This might have the same issue with fatal errors not getting logged
     // as addressed for the IPC service in PR #5216
     let (layer, _handle) = cli
diff --git a/website/src/components/Changelog/Headless.tsx b/website/src/components/Changelog/Headless.tsx
index 13e0845cc..cb1af77b0 100644
--- a/website/src/components/Changelog/Headless.tsx
+++ b/website/src/components/Changelog/Headless.tsx
@@ -27,6 +27,10 @@ export default function Headless() {
         <ChangeItem pull="7551">
           Fixes an issue where large DNS responses were incorrectly discarded.
         </ChangeItem>
+        <ChangeItem pull="7770">
+          BREAKING: Removes the positional token argument on the CLI. Use
+          `FIREZONE_TOKEN` or `FIREZONE_TOKEN_PATH` env variables instead.
+        </ChangeItem>
       </Unreleased>
       <Entry version="1.4.0" date={new Date("2024-12-13")}>
         <ChangeItem pull="7350">