diff --git a/tests/e2e/test_idp_seed.py b/tests/e2e/test_idp_seed.py
index a04368e..8cf6c9e 100644
--- a/tests/e2e/test_idp_seed.py
+++ b/tests/e2e/test_idp_seed.py
@@ -166,8 +166,10 @@ async def test_seed_preserves_providers_not_in_yaml(clean_config, monkeypatch):
 async def test_seed_invalid_yaml(clean_config, monkeypatch):
- path = Path(tempfile.mktemp(suffix=".yaml"))
- path.write_text(": : : invalid yaml [[[")
+ f = tempfile.NamedTemporaryFile(suffix=".yaml", delete=False, mode="w")
+ f.write(": : : invalid yaml [[[")
+ f.close()
+ path = Path(f.name)
 monkeypatch.setattr("wiregui.auth.seed.get_settings", lambda: type("S", (), {"idp_config_file": str(path)})())
 await seed_idp_providers()
 async with async_session() as session:
diff --git a/tests/test_api.py b/tests/test_api.py
index a793e34..56d8ec6 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -15,7 +15,7 @@ from wiregui.utils.time import utcnow
 def test_generate_api_token():
 plaintext, token_hash = generate_api_token()
 assert len(plaintext) > 20
- assert token_hash == hashlib.sha256(plaintext.encode()).hexdigest()
+ assert token_hash == hashlib.sha512(plaintext.encode()).hexdigest()
 def test_generate_api_token_unique():
diff --git a/wiregui/auth/api_token.py b/wiregui/auth/api_token.py
index 125d256..d930e9f 100644
--- a/wiregui/auth/api_token.py
+++ b/wiregui/auth/api_token.py
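Review bot: The file created with `delete=False` in `test_seed_invalid_yaml` (tests/e2e/test_idp_seed.py) is not removed anywhere in the visible lines, so each run may leave a stray `.yaml` file in the system temp directory; the function body continues past the hunk, so cleanup may exist there. Taking pytest's `tmp_path` fixture as an extra parameter would avoid both the leftover file and the manual open/close: `path = tmp_path / "invalid.yaml"` followed by `path.write_text(": : : invalid yaml [[[")`. If `NamedTemporaryFile` is kept, a `with` block around the write would close the handle even when the write raises.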
@@ -15,13 +15,13 @@ from wiregui.utils.time import utcnow
 def generate_api_token() -> tuple[str, str]:
 """Generate a new API token. Returns (plaintext_token, token_hash)."""
 plaintext = secrets.token_urlsafe(32)
- token_hash = hashlib.sha256(plaintext.encode()).hexdigest()
+ token_hash = hashlib.sha512(plaintext.encode()).hexdigest()
 return plaintext, token_hash
 async def resolve_bearer_token(session: AsyncSession, token: str) -> User | None:
 """Look up a Bearer token and return the associated user, or None."""
- token_hash = hashlib.sha256(token.encode()).hexdigest()
+ token_hash = hashlib.sha512(token.encode()).hexdigest()
 result = await session.execute(
 select(ApiToken).where(ApiToken.token_hash == token_hash)
 )
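Review bot: Tokens issued before this change are stored as SHA-256 digests, but `resolve_bearer_token` now looks up only the SHA-512 digest, so unless a migration or re-issue step exists outside this diff, every existing API token will stop resolving without any signal to its owner. The plaintext is not kept, so stored rows cannot be rehashed. Either fall back to the SHA-256 digest for a deprecation window or revoke the old rows explicitly and document the break. It is also worth confirming that the `ApiToken.token_hash` column accepts 128 hex characters, since its definition is not visible here. The digest expression is now repeated in both functions; a single helper such as `def _hash_token(token: str) -> str: return hashlib.sha512(token.encode()).hexdigest()` would stop the two call sites drifting apart. The body of `resolve_bearer_token` continues outside the hunk.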