diff --git a/Zotlabs/Module/Authorize.php b/Zotlabs/Module/Authorize.php
index 74368e408..995434582 100644
--- a/Zotlabs/Module/Authorize.php
+++ b/Zotlabs/Module/Authorize.php
@@ -29,6 +29,7 @@ class Authorize extends \Zotlabs\Web\Controller {
 return replace_macros(get_markup_template('oauth_authorize.tpl'), [
 '$title' => t('Authorize'),
+ '$security' => get_form_security_token('oauth_authorize'),
 '$authorize' => sprintf( t('Do you authorize the app %s to access your channel data?'), $link ),
 '$app' => $app,
 '$yes' => t('Allow'),
@@ -45,6 +46,10 @@ class Authorize extends \Zotlabs\Web\Controller {
 return;
 }
+ if (! check_form_security_token('oauth_authorize')) {
+ http_status_exit(401, t('You are not authorized to perform this action.'));
+ }
+
 $storage = new OAuth2Storage(\DBA::$dba->db);
 $s = new \Zotlabs\Identity\OAuth2Server($storage);
diff --git a/view/tpl/oauth_authorize.tpl b/view/tpl/oauth_authorize.tpl
index 650869f48..6bf03b39c 100644
--- a/view/tpl/oauth_authorize.tpl
+++ b/view/tpl/oauth_authorize.tpl
@@ -6,6 +6,7 @@
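Review bot: A failed CSRF token check is answered with 401 in the added `http_status_exit(401, ...)` call, but 401 signals missing or invalid authentication credentials and is expected to carry a `WWW-Authenticate` header; the caller here has presumably already passed the login guard whose `return;` sits just above the new block, so the request is authenticated but forbidden, and 403 is the fitting status: `http_status_exit(403, t('You are not authorized to perform this action.'));`. Placing the check ahead of `new OAuth2Storage(...)` and `new \Zotlabs\Identity\OAuth2Server($storage)` is right, since the token is validated before any server-side work begins. Whether the 'oauth_authorize' typename passed to check_form_security_token() matches the hidden field the form actually posts depends on the template change, whose added line is cut off in this page; if the names differ, every authorize POST will be rejected with this error. The enclosing method starts before this hunk, so the guard it follows cannot be confirmed from here.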

{{$authorize}}

+