diff --git a/froide/foirequest/auth.py b/froide/foirequest/auth.py
index 866c3a9a6..d303f2bab 100644
--- a/froide/foirequest/auth.py
+++ b/froide/foirequest/auth.py
@@ -139,22 +139,45 @@ def can_read_foirequest_anonymous(foirequest, request):
 return False
-def get_foirequest_auth_code(foirequest):
- return salted_hmac("FoiRequestPublicBodyAuth",
+def _get_foirequest_auth_code(foirequest):
+ return [
+ salted_hmac("FoiRequestPublicBodyAuth",
+ '%s#%s' % (foirequest.id, foirequest.get_secret())).hexdigest(),
+ salted_hmac("FoiRequestPublicBodyAuth",
 '%s#%s' % (foirequest.id, foirequest.secret_address)).hexdigest()
+ ]
-def get_foirequest_upload_code(foirequest):
- return salted_hmac("FoiRequestPublicBodyUpload",
+def _get_foirequest_upload_code(foirequest):
+ secret = foirequest.get_secret()
+ return [
+ salted_hmac("FoiRequestPublicBodyUpload",
+ '%s#%s' % (foirequest.id, secret)).hexdigest(),
+ salted_hmac("FoiRequestPublicBodyUpload",
 '%s#%s' % (foirequest.id, foirequest.secret_address)).hexdigest()
+ ]
+
+
+def get_foirequest_upload_code(foirequest):
+ return _get_foirequest_upload_code(foirequest)[0]
+
+
+def get_foirequest_auth_code(foirequest):
+ return _get_foirequest_auth_code(foirequest)[0]
 def check_foirequest_auth_code(foirequest, code):
- return constant_time_compare(code, get_foirequest_auth_code(foirequest))
+ for gen_code in _get_foirequest_auth_code(foirequest):
+ if constant_time_compare(code, gen_code):
+ return True
+ return False
 def check_foirequest_upload_code(foirequest, code):
- return constant_time_compare(code, get_foirequest_upload_code(foirequest))
+ for gen_code in _get_foirequest_upload_code(foirequest):
+ if constant_time_compare(code, gen_code):
+ return True
+ return False
 def is_attachment_public(foirequest, attachment):
diff --git a/froide/foirequest/models/request.py b/froide/foirequest/models/request.py
index 97a178288..a146f13fe 100644
--- a/froide/foirequest/models/request.py
+++ b/froide/foirequest/models/request.py
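Review bot: The second entry of each list in `_get_foirequest_auth_code` and `_get_foirequest_upload_code` keeps the pre-existing `secret_address`-derived code valid indefinitely, so `check_foirequest_auth_code` and `check_foirequest_upload_code` still accept it after the switch to a per-request secret, and nothing in the hunk documents that this is a transitional fallback or when it will be retired. A comment on the second `salted_hmac(...)` call such as `# legacy code derived from secret_address; accepted only so links issued before per-request secrets existed keep working — drop once those have expired` would make the intent explicit, and the two new private helpers could carry a one-line docstring stating that index 0 is the current code. Note also that verifying a code now reaches `foirequest.get_secret()`, which in the request.py hunk of this diff generates and saves a secret when none exists, so a plain check call can trigger a database write. The two helpers differ only in the key salt (and one hoists `secret` while the other inlines the call); a shared helper removes the duplication.
```python
def _foirequest_codes(foirequest, key_salt):
    """Return [current code, legacy code] for *foirequest* under *key_salt*."""
    secret = foirequest.get_secret()
    return [
        salted_hmac(key_salt, '%s#%s' % (foirequest.id, secret)).hexdigest(),
        # legacy: derived from secret_address; kept so old links stay valid
        salted_hmac(key_salt, '%s#%s' % (foirequest.id, foirequest.secret_address)).hexdigest(),
    ]


def _get_foirequest_auth_code(foirequest):
    return _foirequest_codes(foirequest, "FoiRequestPublicBodyAuth")


def _get_foirequest_upload_code(foirequest):
    return _foirequest_codes(foirequest, "FoiRequestPublicBodyUpload")

# … unchanged: get_foirequest_*_code and check_foirequest_*_code …
```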
@@ -10,6 +10,7 @@ from django.contrib.sites.models import Site
 from django.contrib.sites.managers import CurrentSiteManager
 from django.urls import reverse
+from django.utils.crypto import get_random_string
 import django.dispatch
 from django.utils import timezone
@@ -483,6 +484,12 @@ def get_absolute_domain_url(self):
 def get_absolute_domain_short_url(self):
 return get_absolute_domain_short_url(self.id)
+ def get_secret(self):
+ if not self.secret:
+ self.secret = get_random_string(25)
+ self.save()
+ return self.secret
+
 def get_auth_link(self):
 from ..auth import get_foirequest_auth_code
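Review bot: `self.save()` in `get_secret` writes every field of the request back to the database, so a lazily-initialised secret can clobber concurrent changes to unrelated columns; `self.save(update_fields=['secret'])` limits the write to the one field that changed. Two callers racing on a request that has no secret yet can each generate a value, and the later save wins, invalidating any code already derived from the first — if that matters in practice, generating the secret when the request is created removes the lazy path entirely. The `secret` field and its migration are not in this diff, so whether `not self.secret` correctly covers its default (empty string versus NULL) cannot be confirmed from here. A docstring such as `"""Return this request's per-request secret, generating and persisting one on first use."""` would also flag the write side effect for callers on read-only paths.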