diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 4de3e580..b37b4493 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -3,6 +3,7 @@ import flask_bootstrap
 
 from mailu import utils, debug, models, manage, configuration
 
+import hmac
 
 def create_app_from_config(config):
     """ Create a new application based on the given configuration
@@ -24,6 +25,8 @@ def create_app_from_config(config):
     utils.proxy.init_app(app)
     utils.migrate.init_app(app, models.db)
 
+    app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
+
     # Initialize debugging tools
     if app.config.get("DEBUG"):
         debug.toolbar.init_app(app)
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 6230e252..c3f79b92 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -429,10 +429,10 @@ class User(Base, Email):
     @classmethod
     def get_temp_token(cls, email):
         user = cls.query.get(email)
-        return hmac.new(bytearray(app.secret_key,'utf-8'), bytearray("{}|{}".format(datetime.utcnow().strftime("%Y%m%d"), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None
+        return hmac.new(app.temp_token_key, bytearray("{}|{}".format(datetime.utcnow().strftime("%Y%m%d"), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None
 
     def verify_temp_token(self, token):
-        return hmac.compare_digest(b''.fromhex(self.get_temp_token(self.email)), b''.fromhex(token))
+        return hmac.compare_digest(self.get_temp_token(self.email), token)