diff --git a/management/server/account.go b/management/server/account.go
index 135142b6b..f098dfc68 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1127,8 +1127,8 @@ func (am *DefaultAccountManager) GetAccountFromPAT(token string) (*Account, *Use
 if prefix != PATPrefix {
 return nil, nil, fmt.Errorf("token invalid")
 }
- secret := token[len(PATPrefix):len(PATPrefix)]
- encodedChecksum := token[34:40]
+ secret := token[len(PATPrefix) : len(PATPrefix)+PATsecretLength]
+ encodedChecksum := token[len(PATPrefix)+PATsecretLength : len(PATPrefix)+PATsecretLength+PATChecksumLength]
 verificationChecksum, err := base62.Decode(encodedChecksum)
 if err != nil {
diff --git a/management/server/personal_access_token.go b/management/server/personal_access_token.go
index 307f0a27a..27456ec08 100644
--- a/management/server/personal_access_token.go
+++ b/management/server/personal_access_token.go
@@ -13,9 +13,10 @@ import (
 
 const (
 // PATPrefix is the globally used, 4 char prefix for personal access tokens
- PATPrefix = "nbp_"
- secretLength = 30
- PATLength = 40
+ PATPrefix = "nbp_"
+ PATsecretLength = 30
+ PATLength = 40
+ PATChecksumLength = 6
 )
 
 // PersonalAccessToken holds all information about a PAT including a hashed version of it for verification
@@ -50,7 +51,7 @@ func CreateNewPAT(description string, expirationInDays int, createdBy string) (*
 }
 
 func generateNewToken() (string, string, error) {
- secret, err := b.Random(secretLength)
+ secret, err := b.Random(PATsecretLength)
 if err != nil {
 return "", "", err
 }
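Review bot: The two new slice expressions in GetAccountFromPAT index `token` up to offset `len(PATPrefix)+PATsecretLength+PATChecksumLength` (40), so a caller-supplied token shorter than that makes the checksum slice panic instead of returning the "token invalid" error; the prefix comparison just above only proves the first four bytes. Unless a length check earlier in the function (outside this hunk) already covers it, guard before slicing with `if len(token) != PATLength { return nil, nil, fmt.Errorf("token invalid") }` so malformed input is rejected on the normal error path. The rest of GetAccountFromPAT, including where `prefix` is derived, starts and ends outside the hunk.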
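Review bot: `PATsecretLength` in the new const block mixes an upper-case initialism with a lower-case word, which breaks the MixedCaps convention used by its neighbours (`PATLength`, `PATChecksumLength`); since both users of it are in this same package, `patSecretLength` (keeping it unexported, as `secretLength` was) or `PATSecretLength` if it really must be exported would be consistent. The block also leaves the relationship between the sizes implicit: `PATLength = 40` happens to equal prefix + secret + checksum, and GetAccountFromPAT in account.go now depends on exactly that, so `PATLength = len(PATPrefix) + PATSecretLength + PATChecksumLength` would keep the invariant from drifting. Only `PATPrefix` carries a doc comment; a one-line comment on each of the other three stating what part of the token it sizes would help.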