diff --git a/Cargo.lock b/Cargo.lock
index 3e52103..46c2198 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -575,8 +575,10 @@ checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
 dependencies = [
  "aes-gcm",
  "base64 0.22.1",
+ "hkdf",
  "percent-encoding",
  "rand 0.8.5",
+ "sha2",
  "subtle",
  "time",
  "version_check",
@@ -4268,6 +4270,7 @@ dependencies = [
  "axum-extra",
  "bollard",
  "config",
+ "cookie",
  "futures-util",
  "http-body-util",
  "hyper",
diff --git a/Cargo.toml b/Cargo.toml
index 34b9865..ae93159 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,6 +15,7 @@ askama_web = { version = "0.14.4", features = ["axum-0.8"] }
 axum = { version = "0.8", features = ["tokio", "http1", "http2", "macros"] }
 axum-extra = { version = "0.10", features = ["cookie-private", "typed-header"] }
 config = { version = "0.15", features = ["toml"] }
+cookie = { version = "0.18.1", features = ["key-expansion"] }
 futures-util = "0.3"
 hyper = "1.1"
 lettre = { version = "0.11.17", features = ["tokio1", "tokio1-native-tls", "tracing", "web"] }
diff --git a/conf/default.toml b/conf/default.toml
index f25c35e..0870f57 100644
--- a/conf/default.toml
+++ b/conf/default.toml
@@ -1,5 +1,6 @@
 [app]
 listen = "[::]:3742"
+key = "Q^,zH6M}*JY-W[oWCn6T7W!G=TvN,a5[~%cfRKZ7jse1EMDgG7GdTFy)ez*E(9I"
 
 [email]
 server = "smtp.fastmail.com"
diff --git a/src/conf.rs b/src/conf.rs
index abf84ce..fbac645 100644
--- a/src/conf.rs
+++ b/src/conf.rs
@@ -12,6 +12,7 @@ pub struct Database {
 pub struct App {
     pub listen: SocketAddr,
     pub public_url: String,
+    pub key: String,
 }
 
 #[derive(Debug, Deserialize, Clone)]
diff --git a/src/server/mod.rs b/src/server/mod.rs
index 259278f..021b6f7 100644
--- a/src/server/mod.rs
+++ b/src/server/mod.rs
@@ -55,8 +55,7 @@ impl ZeroToAxum {
 
         let app_state = AppState {
             conf: Arc::new(conf.clone()),
-            // TODO: pull from config
-            key: Key::generate(),
+            key: Key::derive_from(conf.app.key.as_bytes()),
             db,
             email_client,
         };
diff --git a/tests/fixture/mod.rs b/tests/fixture/mod.rs
index 118a9a0..e1f9e64 100644
--- a/tests/fixture/mod.rs
+++ b/tests/fixture/mod.rs
@@ -49,6 +49,7 @@ impl TestServer {
                 listen: "[::]:0".parse().unwrap(),
                 // TODO: how do I both configure this and use a random port?
                 public_url: "http://localhost/".to_string(),
+                key: "Q^,zH6M}*JY-W[oWCn6T7W!G=TvN,a5[~%cfRKZ7jse1EMDgG7GdTFy)ez*E(9I".to_string(),
             },
             database: conf::Database { url },
             debug: true,