diff --git a/elixir/apps/web/lib/web/controllers/auth_controller.ex b/elixir/apps/web/lib/web/controllers/auth_controller.ex
index d791fb7c6..488ae0651 100644
--- a/elixir/apps/web/lib/web/controllers/auth_controller.ex
+++ b/elixir/apps/web/lib/web/controllers/auth_controller.ex
@@ -167,7 +167,14 @@ defmodule Web.AuthController do
 # by looking at the cookies
 Domain.Tokens.encode_fragment!(%Domain.Tokens.Token{
 type: :email,
- secret_fragment: Domain.Crypto.random_token(27)
+ secret_nonce: Domain.Crypto.random_token(5, encoder: :user_friendly),
+ secret_fragment: Domain.Crypto.random_token(27, encoder: :hex32),
+ account_id: Ecto.UUID.generate(),
+ actor_id: Ecto.UUID.generate(),
+ id: Ecto.UUID.generate(),
+ expires_at: DateTime.utc_now(),
+ created_by_user_agent: context.user_agent,
+ created_by_remote_ip: context.remote_ip
 })
 end
 end,
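Review bot: The placeholder `%Domain.Tokens.Token{}` built here carries no comment explaining that its fields are chosen to mirror a real email token, even though the test added in this same commit pins the encoded fragment at exactly 259 characters; add above `Domain.Tokens.encode_fragment!` something like `# Placeholder token: keep these fields in step with a real email token so the encoded fragment has the same shape and length as the genuine one`. If any of `expires_at: DateTime.utc_now()`, the freshly generated UUIDs, or the two `random_token` sizes ever diverge from what the real sign-in path encodes, the cookie length would differ between the two paths and a caller could presumably tell the cases apart, which is what the preceding comment about cookies seems to guard against. The length assertion in the test is the only check enforcing this, so the dependency deserves to be stated at the point where the values are chosen. The enclosing function starts and ends outside the hunk.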