diff --git a/auth.go b/auth.go
index c2590d1..9781019 100644
--- a/auth.go
+++ b/auth.go
@@ -1,9 +1,11 @@
 package couchdb
 
 import (
+	"crypto/hmac"
 	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 )
@@ -34,9 +36,9 @@ type proxyauth struct {
 func ProxyAuth(username string, roles []string, secret string) Auth {
 	pa := &proxyauth{username, strings.Join(roles, ","), ""}
 	if secret != "" {
-		hash := sha1.New()
-		hash.Write([]byte(secret + username))
-		pa.tok = fmt.Sprintf("%x", hash.Sum(nil))
+		mac := hmac.New(sha1.New, []byte(secret))
+		io.WriteString(mac, username)
+		pa.tok = fmt.Sprintf("%x", mac.Sum(nil))
 	}
 	return pa
 }
diff --git a/auth_test.go b/auth_test.go
index a8e07c8..173a78f 100644
--- a/auth_test.go
+++ b/auth_test.go
@@ -44,7 +44,7 @@ func TestProxyAuthWithToken(t *testing.T) {
 	expected := http.Header{
 		"X-Auth-Couchdb-Username": {"user"},
 		"X-Auth-Couchdb-Roles":    {"role1,role2"},
-		"X-Auth-Couchdb-Token":    {"0eefaf44991ac21b04262ada13c1ec5f01b71596"},
+		"X-Auth-Couchdb-Token":    {"027da48c8c642ca4c58eb982eec81915179e77a3"},
 	}
 	check(t, "req headers", expected, req.Header)
 }