diff --git a/dsc.cabal b/dsc.cabal
--- a/dsc.cabal
+++ b/dsc.cabal
@@ -3,7 +3,7 @@
 -- see: https://github.com/sol/hpack
 
 name:                dsc
-version:             0.1.2
+version:             0.1.3
 synopsis:            Helper functions for setting up Double Submit Cookie defense for forms
 description:         See README at <https://github.com/qoelet/dsc#readme>
 homepage:            https://github.com/qoelet/dsc#readme
diff --git a/src/Web/Csrf.hs b/src/Web/Csrf.hs
--- a/src/Web/Csrf.hs
+++ b/src/Web/Csrf.hs
@@ -9,7 +9,7 @@
 
 import           Codec.Crypto.SimpleAES
 import           Data.ByteString
-import           Data.ByteString.Base64
+import           Data.ByteString.Base64.URL
 import           Data.String.Conversions
 
 newtype Token = MkToken ByteString
@@ -24,9 +24,13 @@
 , validationResult :: Maybe CsrfCheckResult
 } deriving (Eq, Show)
 
-runCheck :: Key -> Csrf -> Csrf
-runCheck key csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }
+runCheck :: ByteString -> Csrf -> Csrf
+runCheck keyBS csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }
   where
+    key :: ByteString
+    key = decodeLenient keyBS
+
+    result :: CsrfCheckResult
     result = case (decode c, decode t) of
       (Right c', Right t') ->
         if decryptMsg ECB key (cs c') == decryptMsg ECB key (cs t')
@@ -34,15 +38,22 @@
           else Invalid
       _ -> Invalid
 
-getCsrf :: Key -> IO Csrf
+getCsrf :: ByteString -> IO Csrf
 getCsrf key = do
   secret <- randomKey
-  c <- encryptMsg ECB key (cs secret)
-  t <- encryptMsg ECB key (cs secret)
-  return $ Csrf (MkToken (encode . cs $ c)) (MkToken (encode . cs $ t)) Nothing
+  c <- encryptMsg ECB (decodeLenient key) (cs secret)
+  t <- encryptMsg ECB (decodeLenient key) (cs secret)
+  return $ Csrf
+    (MkToken (encode . cs $ c))
+    (MkToken (encode . cs $ t))
+    Nothing
 
-mkCsrf :: Key -> ByteString -> ByteString -> Csrf
-mkCsrf key c t = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)
+mkCsrf :: ByteString -> ByteString -> ByteString -> Csrf
+mkCsrf keyBS c t
+  = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)
+  where
+    key :: ByteString
+    key = decodeLenient keyBS
 
 unMkToken :: Token -> ByteString
 unMkToken (MkToken x) = x
diff --git a/test/CsrfSpec.hs b/test/CsrfSpec.hs
--- a/test/CsrfSpec.hs
+++ b/test/CsrfSpec.hs
@@ -3,7 +3,7 @@
 module CsrfSpec where
 
 import           Codec.Crypto.SimpleAES
-import           Data.ByteString.Base64
+import           Data.ByteString.Base64.URL
 import           Data.String.Conversions
 import           Test.Hspec
 import           Test.QuickCheck
@@ -23,8 +23,8 @@
 propGetCsrfShouldAlwaysBeValid :: Property
 propGetCsrfShouldAlwaysBeValid = Q.monadicIO $ do
   testKey <- Q.run randomKey
-  myCsrf <- Q.run (getCsrf testKey)
-  Q.assert $ validationResult (runCheck testKey myCsrf) == Just Valid
+  myCsrf <- Q.run (getCsrf (encode testKey))
+  Q.assert $ validationResult (runCheck (encode testKey) myCsrf) == Just Valid
 
 propTokenMisMatchShouldBeInvalid :: Property
 propTokenMisMatchShouldBeInvalid = Q.monadicIO $ do
@@ -33,4 +33,4 @@
   cookieToken <- Q.run $ encryptMsg ECB testKey (cs secret)
   let badToken = "Foo"
       myCsrf = mkCsrf testKey (encode . cs $ cookieToken) badToken
-  Q.assert $ validationResult (runCheck testKey myCsrf) == Just Invalid
+  Q.assert $ validationResult (runCheck (encode testKey) myCsrf) == Just Invalid
