diff --git a/crates/tinymist/src/tool/preview/auth.rs b/crates/tinymist/src/tool/preview/auth.rs
index baae8549e..949bb2ee5 100644
--- a/crates/tinymist/src/tool/preview/auth.rs
+++ b/crates/tinymist/src/tool/preview/auth.rs
@@ -80,10 +80,11 @@ pub async fn try_auth_websocket_client(
 .context("auth response 1 missing")??;
 let response: AuthMsgResponseClient = serde_json::from_str(response.to_text()?)?;
- if sha512hex(format!("{}{}{}", secret, challenge, response.cnonce).as_str()) == response.hash {
+ if sha512hex(format!("{}:{}:{}", secret, challenge, response.cnonce).as_str()) == response.hash
+ {
 // ... then we authenticate to the client
 let snonce = generate_token();
- let hash = sha512hex(format!("{}{}{}", secret, response.challenge, snonce).as_str());
+ let hash = sha512hex(format!("{}:{}:{}", secret, response.challenge, snonce).as_str());
 let json = serde_json::to_string(&AuthMsgResponseServer {
 snonce: &snonce,
 hash: &hash,
diff --git a/tools/typst-preview-frontend/src/ws/auth.ts b/tools/typst-preview-frontend/src/ws/auth.ts
index 9f4782405..53ddddc5f 100644
--- a/tools/typst-preview-frontend/src/ws/auth.ts
+++ b/tools/typst-preview-frontend/src/ws/auth.ts
@@ -89,7 +89,7 @@ export function getAuthenticatedSocket(url: string, secret: string, dec: TextDec
 const cnonce = generateCryptoRandom(32);
 prews.next(enc.encode(JSON.stringify({
 'cnonce': cnonce,
- 'hash': await digestHex(secret + message.challenge + cnonce),
+ 'hash': await digestHex(secret + ":" + message.challenge + ":" + cnonce),
 'challenge': challengeForServer
 })));
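Review bot: The server-side check `== response.hash` on the changed `if` line is an ordinary `String` equality, which stops at the first differing byte; a verifier of a shared-secret proof should compare in constant time, e.g. bind the digest to `let expected = sha512hex(...);` and test it with a constant-time byte comparison (`subtle::ConstantTimeEq` or the `constant_time_eq` crate, whichever this crate already depends on). The ':' separators only remove the concatenation ambiguity if none of the three fields can contain ':'; `response.cnonce` is client-supplied and nothing in this hunk constrains its charset or length, so either reject a cnonce that is not in the expected fixed-length token form, or move to `HMAC-SHA512(secret, challenge || ":" || cnonce)`, which settles both the delimiter question and the secret-prefix plain-hash construction. Worth a comment above the check such as `// Client proves knowledge of `secret` over our challenge; the ':' separators are wire format and must match the frontend's digestHex input.` The body of try_auth_websocket_client continues on both sides of this hunk.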
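Review bot: The preimage layout `secret + ":" + challenge + ":" + nonce` now appears on the changed `'hash'` line and again in the server-verification branch of this function, with two mirror copies in auth.rs, and only manual editing keeps them aligned; a local helper such as `const authDigest = (challenge: string, nonce: string) => digestHex(secret + ":" + challenge + ":" + nonce);` used at both sites would make the wire format a single definition. Its doc comment should say that the separator is part of the protocol and must match the server's `format!("{}:{}:{}", ...)` exactly, since a mismatch fails authentication with no other diagnostic. getAuthenticatedSocket starts before and continues after this hunk.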
@@ -122,7 +122,7 @@ export function getAuthenticatedSocket(url: string, secret: string, dec: TextDec
 // Server liked our 'hash'. Now we check if the server is malicious or not
 if(message.snonce === undefined || message.hash === undefined)
 throw new Error("Missing snonce or hash.");
- if(message.hash !== await digestHex(secret + challengeForServer + message.snonce))
+ if(message.hash !== await digestHex(secret + ":" + challengeForServer + ":" + message.snonce))
 throw new Error("Malicious server detected?!");
 // Authentication succeeded!
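Review bot: The `=== undefined` guard earlier in this hunk is the only validation before the changed comparison, and `message` is presumably decoded from the socket payload, so a non-string `snonce` is still string-coerced into the digest and a non-string `hash` reaches `!==`; both fail closed, but as "Malicious server detected?!" rather than as a malformed message. Tighten it to `if (typeof message.snonce !== "string" || typeof message.hash !== "string")` so the type expectation is explicit. Since this side is the client verifying the server, constant-time equality matters less here than in the server's check, but a comment such as `// Server must prove knowledge of the shared secret over our challenge with a fresh snonce` would document what the comparison establishes. getAuthenticatedSocket continues past this hunk.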