diff --git a/pkg/indieauth/auth.go b/pkg/indieauth/auth.go
index 82c93c4..865da19 100644
--- a/pkg/indieauth/auth.go
+++ b/pkg/indieauth/auth.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/pstuifzand/ekster/pkg/util"
 	"willnorris.com/go/microformats"
 )
 
@@ -70,7 +71,7 @@ func Authorize(me *url.URL, endpoints Endpoints, clientID, scope string) (TokenR
 
 	local := ln.Addr().String()
 	redirectURI := fmt.Sprintf("http://%s/", local)
-	state := "12345344"
+	state := util.RandStringBytes(16)
 
 	q := authURL.Query()
 	q.Add("response_type", "code")