diff --git a/changes/6978-device-token-validation b/changes/6978-device-token-validation
new file mode 100644
index 0000000000..aa6fa57336
--- /dev/null
+++ b/changes/6978-device-token-validation
@@ -0,0 +1 @@
+Added character validation to /api/fleet/orbit/device_token endpoint
diff --git a/server/service/integration_core_test.go b/server/service/integration_core_test.go
index 99bdca4188..e7b4d265eb 100644
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@@ -11187,6 +11187,13 @@ func (s *integrationTestSuite) TestHostDeviceToken() {
 	}
 	s.DoJSON("POST", "/api/fleet/orbit/device_token", body, http.StatusBadRequest, &response{})
 
+	// Use illegal characters
+	body = setOrUpdateDeviceTokenRequest{
+		OrbitNodeKey: *orbitHost.OrbitNodeKey,
+		DeviceAuthToken: "../.",
+	}
+	s.DoJSON("POST", "/api/fleet/orbit/device_token", body, http.StatusBadRequest, &response{})
+
 	// Write bad node key
 	body = setOrUpdateDeviceTokenRequest{
 		OrbitNodeKey: "",
diff --git a/server/service/orbit.go b/server/service/orbit.go
index 50bf1d8d28..5bd37a8752 100644
--- a/server/service/orbit.go
+++ b/server/service/orbit.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"github.com/fleetdm/fleet/v4/server"
 	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
@@ -490,6 +491,10 @@ func (svc *Service) SetOrUpdateDeviceAuthToken(ctx context.Context, deviceAuthTo
 		return badRequest("device auth token cannot be empty")
 	}
 
+	if url.QueryEscape(deviceAuthToken) != deviceAuthToken {
+		return badRequest("device auth token contains invalid characters")
+	}
+
 	host, ok := hostctx.FromContext(ctx)
 	if !ok {
 		return newOsqueryError("internal error: missing host from request context")
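Review bot: The new negative case `DeviceAuthToken: "../."` is rejected solely because of the `/` — `.` is an RFC 3986 unreserved character that `url.QueryEscape` leaves untouched, so this single input pins down very little of the allowlist the server now enforces. A second rejected input from a different class (a space, `%` or `&`, say) and, unless it is already covered earlier in this test (outside the hunk), a positive case confirming a token built only from letters, digits, `-`, `_`, `.` and `~` still returns success would lock the accepted set in and catch a future change to the validation rule. A short comment on the case, such as `// "/" is outside the URL-safe allowlist; "." alone would be accepted`, would also tell the next reader why this specific string was chosen. The enclosing TestHostDeviceToken starts and ends outside the hunk.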
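Review bot: The rule enforced by `if url.QueryEscape(deviceAuthToken) != deviceAuthToken` is an allowlist of the RFC 3986 unreserved characters (`A-Z`, `a-z`, `0-9`, `-`, `_`, `.`, `~`), but that is only discoverable by knowing the escaper's table, and neither the code nor the error string states it. A why-comment above the `if` would make the intent explicit, e.g. `// Accept only RFC 3986 unreserved characters (A-Za-z0-9-_.~); the token is presumably embedded in URLs, so anything else is rejected up front.` — the "presumably" should be confirmed against where the token is consumed, which is not visible here. The message could likewise name the accepted set so a client can correct its input: `return badRequest("device auth token may only contain letters, digits, '-', '_', '.' and '~'")`. If no maximum token length is enforced elsewhere on this path (not visible in the hunk), a bound alongside this check would complete the input validation for what is an untrusted, client-supplied value. The enclosing SetOrUpdateDeviceAuthToken starts and ends outside the hunk.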