diff --git a/everyrow-mcp/src/everyrow_mcp/auth.py b/everyrow-mcp/src/everyrow_mcp/auth.py
index 6858bd56..e9b8f077 100644
--- a/everyrow-mcp/src/everyrow_mcp/auth.py
+++ b/everyrow-mcp/src/everyrow_mcp/auth.py
@@ -276,11 +276,12 @@ async def _validate_auth_request(
 raise HTTPException(status_code=400, detail="Missing state")
 key = build_key("pending", state)
- pending_data = (
+ pending_data_encrypted = (
 await self._redis.getdel(key) if consume else await self._redis.get(key)
 )
- if pending_data is None:
+ if pending_data_encrypted is None:
 raise HTTPException(status_code=400, detail="Invalid or expired state")
+ pending_data = decrypt_value(pending_data_encrypted)
 return PendingAuth.model_validate_json(pending_data)
 async def _validate_client(self, pending: PendingAuth) -> None:
@@ -357,7 +358,7 @@ async def authorize(
 await self._redis.setex(
 name=build_key("pending", state),
 time=settings.pending_auth_ttl,
- value=pending.model_dump_json(),
+ value=encrypt_value(pending.model_dump_json()),
 )
 return f"{settings.mcp_server_url}/auth/start/{state}"
@@ -370,7 +371,7 @@ async def handle_start(self, request: Request) -> RedirectResponse:
 await self._redis.setex(
 name=build_key("pending", state),
 time=settings.pending_auth_ttl,
- value=pending.model_dump_json(),
+ value=encrypt_value(pending.model_dump_json()),
 )
 response = RedirectResponse(url=pending.supabase_redirect_url, status_code=302)
 response.set_cookie(
diff --git a/everyrow-mcp/src/everyrow_mcp/http_config.py b/everyrow-mcp/src/everyrow_mcp/http_config.py
index 04afe553..faa0db2a 100644
--- a/everyrow-mcp/src/everyrow_mcp/http_config.py
+++ b/everyrow-mcp/src/everyrow_mcp/http_config.py
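Review bot: The new `pending_data = decrypt_value(pending_data_encrypted)` line is unguarded, so a pending entry that cannot be decrypted — one written as plaintext before this change rolled out, one encrypted under a since-rotated key, or a tampered value — would surface as an unhandled exception (a 500) instead of the 400 `Invalid or expired state` that the line above returns for a missing entry. Wrap the call so a decryption failure is treated exactly like a missing key; the exception type to catch depends on what `decrypt_value` raises, which is not visible in this diff. Separately, no hunk here adds an import of `encrypt_value`/`decrypt_value` to auth.py (the first hunk's old and new start lines are both 276, so nothing was inserted above it), so unless the names were already in scope the failure would be a runtime `NameError` on the first auth request; the same applies to the `encrypt_value` calls in the `authorize` and `handle_start` hunks. `_validate_auth_request` begins before this hunk.
```python
        if pending_data_encrypted is None:
            raise HTTPException(status_code=400, detail="Invalid or expired state")
        try:
            pending_data = decrypt_value(pending_data_encrypted)
        except DECRYPT_FAILURE:  # PLACEHOLDER: the exception decrypt_value raises on a bad or stale token
            # Undecryptable state is indistinguishable from a forged or expired one to the client.
            raise HTTPException(status_code=400, detail="Invalid or expired state")
        return PendingAuth.model_validate_json(pending_data)
```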
@@ -72,9 +72,9 @@ def configure_http_mode(
 mcp.settings.host = host
 mcp.settings.port = port
- if not settings.upload_secret:
+ if not settings.upload_secret or len(settings.upload_secret) < 32:
 raise RuntimeError(
- "UPLOAD_SECRET must be set in HTTP mode for HMAC signing. "
+ "UPLOAD_SECRET must be at least 32 characters in HTTP mode for HMAC signing. "
 'Generate one with: python -c "import secrets; print(secrets.token_urlsafe(32))"'
 )
 if not no_auth and not settings.redis_password:
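Review bot: The minimum length `32` appears twice in this hunk — in the condition `if not settings.upload_secret or len(settings.upload_secret) < 32:` and again in the error text — so the two can drift apart on the next edit; hoist it to a module constant such as `_MIN_UPLOAD_SECRET_LEN = 32` and build the message as `f"UPLOAD_SECRET must be at least {_MIN_UPLOAD_SECRET_LEN} characters in HTTP mode for HMAC signing. "`. A comment on the check should also state what it does and does not guarantee, since a 32-character low-entropy value still passes: `# Length floor only, not an entropy check; generate the value with secrets.token_urlsafe as the message suggests.`. If `upload_secret` is a pydantic `SecretStr` rather than a plain `str`, confirm that `len()` returns the secret's length on the version in use. `configure_http_mode` starts before this hunk and continues after it.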