diff --git a/lib/AccessCheck/App/Step3.pm b/lib/AccessCheck/App/Step3.pm
index 29be04261818fa635d68f383f3f503b68fd980e8..b97bf07d34abaaeeb09eaa37890a6ee87eb7b524 100644
--- a/lib/AccessCheck/App/Step3.pm
+++ b/lib/AccessCheck/App/Step3.pm
@@ -119,7 +119,7 @@ sub run {
         sp            => { entityid => $entityid, },
         to            => $email,
         token         => $token->secret(),
-        challenge_url => $self->url_for('step3')->query(entityid => $entityid, email => $email)->to_abs(),
+        challenge_url => $self->url_for('step3')->query(entityid => $entityid, email => $email, token => $self->csrf_token())->to_abs(),
         lh            => $l10n
     };
     my $text_content;