diff --git a/apps/app/Cargo.toml b/apps/app/Cargo.toml
index ad3a1bc..580f0bf 100644
--- a/apps/app/Cargo.toml
+++ b/apps/app/Cargo.toml
@@ -18,6 +18,7 @@ uuid = { workspace = true }
 service = { workspace = true }
 observability = { workspace = true }
 room = { workspace = true }
+sha2 = { workspace = true }
 api = { workspace = true }
 session = { workspace = true }
 config = { workspace = true }
diff --git a/apps/app/src/main.rs b/apps/app/src/main.rs
index 0608d58..3c27a56 100644
--- a/apps/app/src/main.rs
+++ b/apps/app/src/main.rs
@@ -114,11 +114,12 @@ fn build_session_key(cfg: &AppConfig) -> anyhow::Result<Key> {
             );
             return Ok(Key::generate());
         }
-        use sha2::{Digest, Sha256};
-        let mut hasher = Sha256::new();
+        use sha2::{Digest, Sha512};
+        let mut hasher = Sha512::new();
         hasher.update(secret.as_bytes());
         let hash = hasher.finalize();
-        return Ok(Key::from(hash.as_slice()));
+        // cookie::Key requires exactly 64 bytes; SHA-512 produces 64 bytes
+        return Ok(Key::from(&hash[..64]));
     }
     Ok(Key::generate())
 }