diff --git a/areas/auth/auth.py b/areas/auth/auth.py
index 2bfd938dadcfd5c332da1c6349466f96499e0169..b7a05ebde77d2da4086105ab2b1a8ed5cf8c69d7 100644
--- a/areas/auth/auth.py
+++ b/areas/auth/auth.py
@@ -1,11 +1,11 @@
-from flask import jsonify
+from flask import jsonify, request
 from flask_jwt_extended import create_access_token
 from flask_cors import cross_origin
 from datetime import timedelta
 
 from areas import api_v1
 from config import *
-from helpers import HydraOauth
+from helpers import HydraOauth, BadRequest
 
 
 @api_v1.route("/login", methods=["POST"])
@@ -18,7 +18,11 @@ def login():
 @api_v1.route("/hydra/callback")
 @cross_origin()
 def hydra_callback():
-    token = HydraOauth.get_token()
+    state = request.args.get("state")
+    if state == None:
+        raise BadRequest("Missing state query param")
+
+    token = HydraOauth.get_token(state)
     access_token = create_access_token(
         identity=token, expires_delta=timedelta(days=365)
     )
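Review bot: The `state` taken from `request.args` in `hydra_callback` is checked only for presence, so any value the caller puts in the query string is accepted. The `get_token` hunk in helpers/hydra_oauth.py has the same gap from the other side: it drops `session[HydraOauth.SESSION_KEY]` and builds `OAuth2Session` from the passed-in value, so nothing visible in this diff still compares the returned state with the one issued at login, which is the OAuth login-CSRF check. If the server-side session is available on this route, keep the comparison before exchanging the code, e.g. `if state is None or state != session.get(HydraOauth.SESSION_KEY): raise BadRequest("Invalid state query param")`. If it is not available (the cross-origin decorator suggests a separate frontend), the state needs another binding to the initiating browser, such as a signed value. Separately, `state == None` should be `state is None`; the body of `hydra_callback` continues past this hunk.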
diff --git a/helpers/hydra_oauth.py b/helpers/hydra_oauth.py
index ea846951b38d519ab04b9151e8bc1cb5babdb124..96bd13d4e17475e41d8ab485ff424bd222b71bbf 100644
--- a/helpers/hydra_oauth.py
+++ b/helpers/hydra_oauth.py
@@ -24,11 +24,9 @@ class HydraOauth:
             raise HydraError(str(err), 500)
 
     @staticmethod
-    def get_token():
+    def get_token(state):
         try:
-            hydra = OAuth2Session(
-                HYDRA_CLIENT_ID, state=session[HydraOauth.SESSION_KEY]
-            )
+            hydra = OAuth2Session(HYDRA_CLIENT_ID, state=state)
             token = hydra.fetch_token(
                 TOKEN_URL,
                 client_secret=HYDRA_CLIENT_SECRET,
diff --git a/run_app.sh b/run_app.sh
index 302f141d3cea3b1145a8a8a8c96e63583dcbcc0c..b1c9342fd1ab86bf249d42dfa86e159a8800621f 100755
--- a/run_app.sh
+++ b/run_app.sh
@@ -23,7 +23,7 @@ export FLASK_ENV=development
 export SECRET_KEY="e38hq!@0n64g@qe6)5csk41t=ljo2vllog(%k7njnm4b@kh42c"
 export KRATOS_URL="http://127.0.0.1:8000"
 export HYDRA_CLIENT_ID="dashboard"
-export HYDRA_CLIENT_SECRET="BrYRtKygtrcwGHviUSqybvFTgfnaZgPh"
+export HYDRA_CLIENT_SECRET="gDSEuakxzybHBHJocnmtDOLMwlWWEvPh"
 export HYDRA_AUTHORIZATION_BASE_URL="https://sso.init.stackspin.net/oauth2/auth"
 export TOKEN_URL="https://sso.init.stackspin.net/oauth2/token"
 flask run
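Review bot: The replacement `HYDRA_CLIENT_SECRET` is committed in plain text next to a non-local `TOKEN_URL`, so both the old and the new client secret are now readable in the repository history. If this value is accepted by that SSO host, rotating it through a commit does not help; the script should take it from the caller's environment or an untracked file instead, e.g. `export HYDRA_CLIENT_SECRET="${HYDRA_CLIENT_SECRET:?set HYDRA_CLIENT_SECRET before running}"`. The `SECRET_KEY` context line above has the same pattern and could be handled the same way. A secret scanner in CI would catch future cases.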