diff --git a/lemonauth/tokens.py b/lemonauth/tokens.py
index 8645912..f69bb9c 100644
--- a/lemonauth/tokens.py
+++ b/lemonauth/tokens.py
@@ -13,25 +13,18 @@ def decode(token):
 
 
 def gen_auth_code(req):
-    post = req.POST
-    params = {'me': post['me']}
-    if 'state' in post:
-        params['state'] = post['state']
-
     code = {
-        'me': post['me'],
         'uid': req.user.id,
-        'cid': post['client_id'],
-        'uri': post['redirect_uri'],
-        'typ': post.get('response_type', 'id'),
+        'cid': req.POST['client_id'],
+        'uri': req.POST['redirect_uri'],
+        'typ': req.POST.get('response_type', 'id'),
         'iat': datetime.utcnow(),
         'exp': datetime.utcnow() + timedelta(seconds=30),
     }
-    if 'scope' in post:
-        code['sco'] = ' '.join(post.getlist('scope'))
+    if 'scope' in req.POST:
+        code['sco'] = ' '.join(req.POST.getlist('scope'))
 
-    params['code'] = encode(code)
-    return (post['redirect_uri'], params)
+    return encode(code)
 
 
 def verify_auth_code(c):
diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index 8dab3ce..2b34880 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -1,6 +1,7 @@
 import mf2py
 
 from annoying.decorators import render_to
+from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.http import JsonResponse
 from django.shortcuts import redirect
@@ -106,8 +107,10 @@ class IndieView(TemplateView):
         if code['uri'] != post.get('redirect_uri'):
             return utils.forbid('redirect uri did not match')
 
+        user = get_user_model().get(pk=code['uid'])
+        me = urljoin(utils.origin(request), user.url)
         # If we got here, it's valid! Yay!
-        return utils.choose_type(request, {'me': code['me']}, {
+        return utils.choose_type(request, {'me': me}, {
             'application/x-www-form-urlencoded': utils.form_encoded_response,
             'application/json': JsonResponse,
         })
@@ -116,6 +119,13 @@ class IndieView(TemplateView):
 @login_required
 @require_POST
 def approve(request):
-    uri, params = tokens.gen_auth_code(request)
+    params = {
+        'me': urljoin(utils.origin(request), request.user.url),
+        'code': tokens.gen_auth_code(request),
+    }
+    if 'state' in request.POST:
+        params['state'] = request.POST['state']
+
+    uri = request.POST['redirect_uri']
     sep = '&' if '?' in uri else '?'
     return redirect(uri + sep + urlencode(params))