diff --git a/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java b/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
index a96e70bc..845fe890 100644
--- a/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
+++ b/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
@@ -193,7 +193,10 @@ public String userAuthenticate(
 String jwtToken = null;
 String refreshToken = null;
 if (mUser.size() == 1) {
- jwtToken = jwtUtil.generateToken(m_User.getUserName(), mUser.get(0).getUserID().toString());
+ String userIdStr = mUser.get(0).getUserID().toString();
+ jwtToken = isMobile
+ ? jwtUtil.generateSecureToken(userIdStr)
+ : jwtUtil.generateToken(m_User.getUserName(), userIdStr);
 User user = new User(); // Assuming the Users class exists
 user.setUserID(mUser.get(0).getUserID());
@@ -209,7 +212,7 @@ public String userAuthenticate(
 );
 if (isMobile) {
- refreshToken = jwtUtil.generateRefreshToken(m_User.getUserName(), user.getUserID().toString());
+ refreshToken = jwtUtil.generateSecureRefreshToken(user.getUserID().toString());
 logger.debug("Refresh token generated successfully for user: {}", user.getUserName());
 String jti = jwtUtil.getJtiFromToken(refreshToken);
 redisTemplate.opsForValue().set(
@@ -555,7 +558,7 @@ public String superUserAuthenticate(
 );
 if (isMobile) {
- refreshToken = jwtUtil.generateRefreshToken(m_User.getUserName(), user.getUserID().toString());
+ refreshToken = jwtUtil.generateSecureRefreshToken(user.getUserID().toString());
 logger.debug("Refresh token generated successfully for user: {}", user.getUserName());
 String jti = jwtUtil.getJtiFromToken(refreshToken);
 redisTemplate.opsForValue().set(
diff --git a/src/main/java/com/iemr/common/utils/JwtUtil.java b/src/main/java/com/iemr/common/utils/JwtUtil.java
index d7f6c270..98ff7b7b 100644
--- a/src/main/java/com/iemr/common/utils/JwtUtil.java
+++ b/src/main/java/com/iemr/common/utils/JwtUtil.java
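Review bot: After the ternary in this hunk the meaning of the token's `sub` depends on the client — the username on the web path, the userId on the mobile path — and nothing in the token records which one it is, so any consumer that reads `getSubject()` as a username (a request filter, the refresh endpoint) would now receive a userId for mobile sessions; that validator code is not in the diff, so please confirm it resolves the user from the `userId` claim rather than `sub`. A comment above the new lines would spare the next reader the same question: `// mobile tokens carry the userId as sub (no username/PII); web tokens keep the username`. The web branch still embeds the username, so the PII reduction is mobile-only — if that is intended, say so in the comment or the commit description. userAuthenticate begins and ends outside the hunk.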
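Review bot: The refresh token here, and in the identical hunk in superUserAuthenticate, now has the userId rather than the username as `sub`, so whatever code exchanges a refresh token for a new access token must identify the user from the `userId` claim (or `sub`) and not from a username subject; that code is outside this diff, so it needs checking, and one note at this hunk covers both. The debug line immediately after still writes `user.getUserName()` to the log; since the point of the change is to keep the username out of token material, logging the identifier instead is more consistent: `logger.debug("Refresh token generated successfully for userId: {}", user.getUserID());`. The `redisTemplate.opsForValue().set(` call that stores the jti, and the enclosing method, continue past the hunk.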
@@ -46,6 +46,27 @@ public String generateToken(String username, String userId) {
 return buildToken(username, userId, "access", ACCESS_EXPIRATION_TIME);
 }
+ // Mobile login: token without PII in sub
+ public String generateSecureToken(String userId) {
+ return buildSecureToken(userId, "access", ACCESS_EXPIRATION_TIME);
+ }
+
+ public String generateSecureRefreshToken(String userId) {
+ return buildSecureToken(userId, "refresh", REFRESH_EXPIRATION_TIME);
+ }
+
+ private String buildSecureToken(String userId, String tokenType, long expiration) {
+ return Jwts.builder()
+ .subject(userId)
+ .claim("userId", userId)
+ .claim("token_type", tokenType)
+ .id(UUID.randomUUID().toString())
+ .issuedAt(new Date())
+ .expiration(new Date(System.currentTimeMillis() + expiration))
+ .signWith(getSigningKey())
+ .compact();
+ }
+
 /**
 * Generate a refresh token.
 *
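Review bot: The three new methods are undocumented while the surrounding file uses Javadoc (`/** Generate a refresh token. */` directly below); the `// Mobile login` line should become Javadoc on `generateSecureToken` and `generateSecureRefreshToken` stating that `sub` holds the userId rather than the username, and that `sub` and the `userId` claim are intentionally the same value so validators reading either keep working — if that duplication is not intentional, drop one of the two. `buildSecureToken` also appears to repeat the builder chain of `buildToken` (jti, issuedAt, expiration, signing); if `buildToken` differs only by the subject and a username claim, routing both through one private builder would keep the two token shapes from drifting apart, though `buildToken`'s body is outside the hunk so this is inferred. The token_type claim, expiry arithmetic and `UUID.randomUUID()` as the jti source look fine.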