diff --git a/src/xtokens_db.go b/src/xtokens_db.go
index 90858a3..ff9682b 100644
--- a/src/xtokens_db.go
+++ b/src/xtokens_db.go
@@ -32,7 +32,7 @@ func (dbobj dbcon) createRootXtoken() (string, error) {
 		return "", err
 	}
 	bdoc := bson.M{}
-	bdoc["xtoken"] = rootToken
+	bdoc["xtoken"] = hashString(dbobj.hash, rootToken)
 	bdoc["type"] = "root"
 	_, err = dbobj.createRecord(TblName.Xtokens, bdoc)
 	if err != nil {
@@ -41,13 +41,13 @@ func (dbobj dbcon) createRootXtoken() (string, error) {
 	return rootToken, nil
 }
 
-func (dbobj dbcon) generateUserLoginXtoken(userXTOKEN string) (string, error) {
-	if isValidUUID(userXTOKEN) == false {
+func (dbobj dbcon) generateUserLoginXtoken(userTOKEN string) (string, error) {
+	if isValidUUID(userTOKEN) == false {
 		return "", errors.New("bad token format")
 	}
 
 	// check if user record exists
-	record, err := dbobj.lookupUserRecord(userXTOKEN)
+	record, err := dbobj.lookupUserRecord(userTOKEN)
 	if record == nil || err != nil {
 		// not found
 		return "", errors.New("not found")
@@ -60,8 +60,8 @@ func (dbobj dbcon) generateUserLoginXtoken(userXTOKEN string) (string, error) {
 	// by default login token for 30 minutes only
 	expired := int32(time.Now().Unix()) + 10*60
 	bdoc := bson.M{}
-	bdoc["token"] = userXTOKEN
-	bdoc["xtoken"] = tokenUUID
+	bdoc["token"] = userTOKEN
+	bdoc["xtoken"] = hashString(dbobj.hash, tokenUUID)
 	bdoc["type"] = "login"
 	bdoc["endtime"] = expired
 	_, err = dbobj.createRecord(TblName.Xtokens, bdoc)
@@ -76,18 +76,18 @@ func (dbobj dbcon) checkXtoken(xtokenUUID string) bool {
 	if isValidUUID(xtokenUUID) == false {
 		return false
 	}
-	if len(rootXTOKEN) > 0 && rootXTOKEN == xtokenUUID {
+	xtokenHashed := hashString(dbobj.hash, xtokenUUID)
+	if len(rootXTOKEN) > 0 && rootXTOKEN == xtokenHashed {
 		fmt.Println("It is a root token")
 		return true
 	}
-
-	record, err := dbobj.getRecord(TblName.Xtokens, "xtoken", xtokenUUID)
+	record, err := dbobj.getRecord(TblName.Xtokens, "xtoken", xtokenHashed)
 	if record == nil || err != nil {
 		return false
 	}
 	tokenType := record["type"].(string)
 	if tokenType == "root" {
-		rootXTOKEN = xtokenUUID
+		rootXTOKEN = xtokenHashed
 		return true
 	}
 	return false
@@ -98,13 +98,14 @@ func (dbobj dbcon) checkUserAuthXToken(xtokenUUID string) (tokenAuthResult, erro
 	if isValidUUID(xtokenUUID) == false {
 		return result, errors.New("failed to authenticate")
 	}
-	if len(rootXTOKEN) > 0 && rootXTOKEN == xtokenUUID {
+	xtokenHashed := hashString(dbobj.hash, xtokenUUID)
+	if len(rootXTOKEN) > 0 && rootXTOKEN == xtokenHashed {
 		//fmt.Println("It is a root token")
 		result.ttype = "root"
 		result.name = "root"
 		return result, nil
 	}
-	record, err := dbobj.getRecord(TblName.Xtokens, "xtoken", xtokenUUID)
+	record, err := dbobj.getRecord(TblName.Xtokens, "xtoken", xtokenHashed)
 	if record == nil || err != nil {
 		return result, errors.New("failed to authenticate")
 	}
@@ -112,12 +113,12 @@ func (dbobj dbcon) checkUserAuthXToken(xtokenUUID string) (tokenAuthResult, erro
 	fmt.Printf("token type: %s\n", tokenType)
 	if tokenType == "root" {
 		// we have this admin user
-		rootXTOKEN = xtokenUUID
+		rootXTOKEN = xtokenHashed
 		result.ttype = "root"
 		result.name = "root"
 		return result, nil
 	}
-	result.name = xtokenUUID
+	result.name = xtokenHashed
 	// tokenType = temp
 	now := int32(time.Now().Unix())
 	if now > record["endtime"].(int32) {