diff --git a/api/account.go b/api/account.go
index 7e3160b..ddbadf6 100644
--- a/api/account.go
+++ b/api/account.go
@@ -41,6 +41,11 @@ func (s *Server) HandleAccountInfo(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ if len(token) != 32 {
+ http.Error(w, "invalid token", http.StatusBadRequest)
+ return
+ }
+
 username, err := db.GetUsernameFromToken(token)
 if err != nil {
 http.Error(w, err.Error(), http.StatusBadRequest)
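Review bot: The added guard `if len(token) != 32` checks only the byte length, so any 32-byte string, including bytes outside the token alphabet, still reaches `db.GetUsernameFromToken`; if tokens are hex or base64 (the format is not visible here), the character set should be checked in the same guard. The literal 32 is also unexplained: a named constant shared with the code that issues tokens, e.g. `const tokenLen = 32 // must match the length of issued tokens`, keeps the two from drifting apart. Separately, the context line after the lookup returns `err.Error()` to the client, which presumably lets a caller tell a malformed token from an unknown one and may expose storage-layer detail; a fixed message such as the new `"invalid token"` would avoid that. HandleAccountInfo starts and ends outside the hunk, so how `token` is read from the request is not shown.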