diff --git a/cmd/dex/config.go b/cmd/dex/config.go
index 831156fd..29581620 100644
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -103,6 +103,9 @@ func (p *password) UnmarshalJSON(b []byte) error {
 	})
 	if len(data.Hash) == 0 && len(data.HashFromEnv) > 0 {
 		data.Hash = os.Getenv(data.HashFromEnv)
+		if data.Hash == "" {
+			return fmt.Errorf("invalid config: could not find HashFromEnv %q", data.HashFromEnv)
+		}
 	}
 	if len(data.Hash) == 0 {
 		return fmt.Errorf("no password hash provided")
diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 47b090ae..5451beac 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -188,7 +188,11 @@ func runServe(options serveOptions) error {
 				if client.ID != "" {
 					return fmt.Errorf("invalid config: ID and IDEnv fields are exclusive for client %q", client.ID)
 				}
-				c.StaticClients[i].ID = os.Getenv(client.IDEnv)
+				id := os.Getenv(client.IDEnv)
+				if id == "" {
+					return fmt.Errorf("invalid config: could not find IDEnv %q", id)
+				}
+				c.StaticClients[i].ID = id
 			}
 			if client.Secret == "" && client.SecretEnv == "" && !client.Public {
 				return fmt.Errorf("invalid config: Secret or SecretEnv field is required for client %q", client.ID)
@@ -197,7 +201,11 @@ func runServe(options serveOptions) error {
 				if client.Secret != "" {
 					return fmt.Errorf("invalid config: Secret and SecretEnv fields are exclusive for client %q", client.ID)
 				}
-				c.StaticClients[i].Secret = os.Getenv(client.SecretEnv)
+				secret := os.Getenv(client.SecretEnv)
+				if secret == "" {
+					return fmt.Errorf("invalid config: could not find SecretEnv %q", client.SecretEnv)
+				}
+				c.StaticClients[i].Secret = secret
 			}
 			logger.Infof("config static client: %s", client.Name)
 		}