diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index e354a19b9a..18e2aed277 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -2490,7 +2490,11 @@ App::put('/v1/account/sessions/magic-url')
     ->inject('queueForEvents')
     ->inject('queueForMails')
     ->inject('store')
-    ->action(fn ($userId, $secret, $request, $response, $user, $dbForProject, $project, $locale, $geodb, $queueForEvents, $queueForMails, $store) => $createSession($userId, $secret, $request, $response, $user, $dbForProject, $project, $locale, $geodb, $queueForEvents, $queueForMails, $store, new ProofsToken(TOKEN_LENGTH_MAGIC_URL)));
+    ->action(function ($userId, $secret, $request, $response, $user, $dbForProject, $project, $locale, $geodb, $queueForEvents, $queueForMails, $store) use ($createSession) {
+        $proofForToken = new ProofsToken(TOKEN_LENGTH_MAGIC_URL);
+        $proofForToken->setHash(new Sha());
+        $createSession($userId, $secret, $request, $response, $user, $dbForProject, $project, $locale, $geodb, $queueForEvents, $queueForMails, $store, $proofForToken);
+    });
 
 App::put('/v1/account/sessions/phone')
     ->desc('Update phone session')
diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 8b4967144d..536adcf128 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -2315,6 +2315,7 @@ App::post('/v1/users/:userId/tokens')
         }
 
         $proofForToken = new Token($length);
+        $proofForToken->setHash(new Sha());
         $secret = $proofForToken->generate();
         $expire = DateTime::formatTz(DateTime::addSeconds(new \DateTime(), $expire));