diff --git a/app/controllers/Challenge.scala b/app/controllers/Challenge.scala
index c9fc01ecf4..6afc3cf9a3 100644
--- a/app/controllers/Challenge.scala
+++ b/app/controllers/Challenge.scala
@@ -202,7 +202,7 @@ final class Challenge(
Action.async { req =>
import cats.implicits._
val scopes = List(OAuthScope.Challenge.Write)
- (get("token1", req) map AccessToken.Id, get("token2", req) map AccessToken.Id).mapN {
+ (get("token1", req) map AccessToken.Id.apply, get("token2", req) map AccessToken.Id.apply).mapN {
env.oAuth.server.authBoth(scopes)
} ?? {
_ flatMap {
diff --git a/modules/oauth/src/main/AccessToken.scala b/modules/oauth/src/main/AccessToken.scala
index b1c8a9b2e5..e2d6d14d84 100644
--- a/modules/oauth/src/main/AccessToken.scala
+++ b/modules/oauth/src/main/AccessToken.scala
@@ -23,14 +23,11 @@ case class AccessToken(
object AccessToken {
- val idSize = 16
-
- case class Id(value: String) extends AnyVal {
- def isPersonal = value.lengthIs == idSize
+ case class Id(value: String) extends AnyVal
+ object Id {
+ def random() = Id(s"lio_${SecureRandom.nextString(32)}")
}
- def makeId = Id(SecureRandom nextString idSize)
-
case class ForAuth(userId: User.ID, scopes: List[OAuthScope])
case class WithApp(token: AccessToken, app: OAuthApp)
diff --git a/modules/oauth/src/main/AccessTokenApi.scala b/modules/oauth/src/main/AccessTokenApi.scala
index 5896d0e8e6..bcbd3b968c 100644
--- a/modules/oauth/src/main/AccessTokenApi.scala
+++ b/modules/oauth/src/main/AccessTokenApi.scala
@@ -15,7 +15,7 @@ final class AccessTokenApi(colls: OauthColls)(implicit ec: scala.concurrent.Exec
def create(granted: AccessTokenRequest.Granted): Fu[AccessToken] = {
val token = AccessToken(
- id = AccessToken.Id(Protocol.Secret.random("lio_").value),
+ id = AccessToken.Id.random(),
publicId = BSONObjectID.generate(),
clientId = PersonalToken.clientId, // TODO
userId = granted.userId,
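Review bot: In the AccessToken.scala hunk, `AccessToken.Id` keeps the default case-class `toString`, so the value minted by `Id.random()` — which is the bearer secret itself, given `id = AccessToken.Id.random()` in AccessTokenApi.scala and OAuthForm.scala — prints in full wherever an `Id` or an `AccessToken` is stringified, while `AuthorizationCode` in Protocol.scala gets `"AuthorizationCode(***)"` in the same commit. Giving the value class a body as Protocol.scala does, `case class Id(value: String) extends AnyVal { override def toString = "Id(***)" }`, closes that gap; whether any log line currently stringifies a token is not visible here. The hunk also drops `isPersonal` and the length-based `idSize` format, so if any caller outside the hunk still needs that distinction it should key on the `lio_` prefix rather than on length, bearing in mind that ids issued by the old `makeId` were 16 characters with no prefix. A one-line Scaladoc on `random()` such as `/** Mints a new token secret: "lio_" followed by 32 SecureRandom characters. */` would record the format for whoever next touches it. `object AccessToken` continues past the end of the hunk.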
diff --git a/modules/oauth/src/main/AuthorizationApi.scala b/modules/oauth/src/main/AuthorizationApi.scala
index cd7e306956..0504320bec 100644
--- a/modules/oauth/src/main/AuthorizationApi.scala
+++ b/modules/oauth/src/main/AuthorizationApi.scala
@@ -13,7 +13,7 @@ final class AuthorizationApi(val coll: Coll)(implicit ec: scala.concurrent.Execu
val code = Protocol.AuthorizationCode.random()
coll.insert.one(
PendingAuthorizationBSONHandler write PendingAuthorization(
- code.secret.hashed,
+ code.hashed,
request.clientId,
request.user,
request.redirectUri,
@@ -27,7 +27,7 @@ final class AuthorizationApi(val coll: Coll)(implicit ec: scala.concurrent.Execu
def consume(
request: AccessTokenRequest.Prepared
): Fu[Validated[Protocol.Error, AccessTokenRequest.Granted]] =
- coll.findAndModify($doc(F.hashedCode -> request.code.secret.hashed), coll.removeModifier) map {
+ coll.findAndModify($doc(F.hashedCode -> request.code.hashed), coll.removeModifier) map {
_.result[PendingAuthorization]
.toValid(Protocol.Error.AuthorizationCodeInvalid)
.ensure(Protocol.Error.AuthorizationCodeExpired)(_.expires.isAfter(DateTime.now()))
diff --git a/modules/oauth/src/main/OAuthForm.scala b/modules/oauth/src/main/OAuthForm.scala
index ae734b8349..c374b8b67a 100644
--- a/modules/oauth/src/main/OAuthForm.scala
+++ b/modules/oauth/src/main/OAuthForm.scala
@@ -29,7 +29,7 @@ object OAuthForm {
) {
def make(user: lila.user.User) =
AccessToken(
- id = AccessToken.makeId,
+ id = AccessToken.Id.random(),
publicId = BSONObjectID.generate(),
clientId = PersonalToken.clientId,
userId = user.id,
diff --git a/modules/oauth/src/main/Protocol.scala b/modules/oauth/src/main/Protocol.scala
index 97a59eb6ec..4b7a169dbf 100644
--- a/modules/oauth/src/main/Protocol.scala
+++ b/modules/oauth/src/main/Protocol.scala
@@ -10,23 +10,12 @@ import io.lemonlabs.uri.AbsoluteUrl
import lila.common.SecureRandom
object Protocol {
- case class Secret(value: String) {
- def hashed: String = Algo.sha256(value).hex
- override def toString = "Secret(***)"
- override def equals(other: Any) = other match {
- case other: Secret => hashed == other.hashed
- case _ => false
- }
- override def hashCode = hashed.hashCode()
+ case class AuthorizationCode(secret: String) extends AnyVal {
+ def hashed = Algo.sha256(secret).hex
+ override def toString = "AuthorizationCode(***)"
}
- object Secret {
- def random(prefix: String) = Secret(s"$prefix${SecureRandom.nextString(32)}")
- }
-
- case class AuthorizationCode(secret: Secret) extends AnyVal
object AuthorizationCode {
- def apply(value: String): AuthorizationCode = AuthorizationCode(Secret(value))
- def random() = AuthorizationCode(Secret.random("liu_"))
+ def random() = AuthorizationCode(s"liu_${SecureRandom.nextString(32)}")
}
case class ClientId(value: String) extends AnyVal
@@ -91,7 +80,7 @@ object Protocol {
def code(code: AuthorizationCode, state: Option[State]): String =
value
.withQueryString(
- "code" -> Some(code.secret.value),
+ "code" -> Some(code.secret),
"state" -> state.map(_.value)
)
.toString
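Review bot: With `AuthorizationCode` now a value class over the raw secret, `==` between two codes delegates to `String.equals` on the secret, whereas the removed `Secret.equals` compared `hashed` on both sides, presumably so that an early-exit string comparison never ran on the secret itself; a value class cannot override `equals`/`hashCode`, so if codes are ever compared in-process rather than looked up by `F.hashedCode` as AuthorizationApi.scala does, compare the digests explicitly (e.g. `java.security.MessageDigest.isEqual` on the digest bytes) or drop `AnyVal`. Whether such a comparison exists is not visible in this diff. Separately, `def hashed = Algo.sha256(secret).hex` lost the explicit return type the removed version carried; keep it on a public member, `def hashed: String = Algo.sha256(secret).hex`, and a one-line Scaladoc such as `/** SHA-256 hex digest of the secret; this is the form AuthorizationApi persists, never the secret. */` would record why callers store `hashed`. The second hunk, `"code" -> Some(code.secret)`, is consistent with the new shape and needs nothing further.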