diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index ef94b251c8..a4a5ec776f 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -938,7 +938,7 @@ App::post('/v1/account/sessions/phone')
 'userId' => $user->getId(),
 'userInternalId' => $user->getInternalId(),
 'type' => Auth::TOKEN_TYPE_PHONE,
- 'secret' => $secret,
+ 'secret' => Auth::hash($secret),
 'expire' => $expire,
 'userAgent' => $request->getUserAgent('UNKNOWN'),
 'ip' => $request->getIP(),
@@ -2266,7 +2266,7 @@ App::post('/v1/account/verification/phone')
 'userId' => $user->getId(),
 'userInternalId' => $user->getInternalId(),
 'type' => Auth::TOKEN_TYPE_PHONE,
- 'secret' => $secret,
+ 'secret' => Auth::hash($secret),
 'expire' => $expire,
 'userAgent' => $request->getUserAgent('UNKNOWN'),
 'ip' => $request->getIP(),
diff --git a/src/Appwrite/Auth/Auth.php b/src/Appwrite/Auth/Auth.php
index f4cea0166e..dbe74af0d2 100644
--- a/src/Appwrite/Auth/Auth.php
+++ b/src/Appwrite/Auth/Auth.php
@@ -336,7 +336,7 @@ class Auth
 $token->isSet('secret') &&
 $token->isSet('expire') &&
 $token->getAttribute('type') == Auth::TOKEN_TYPE_PHONE &&
- $token->getAttribute('secret') === $secret &&
+ $token->getAttribute('secret') === self::hash($secret) &&
 DateTime::formatTz($token->getAttribute('expire')) >= DateTime::formatTz(DateTime::now())
 ) {
 return (string) $token->getId();
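Review bot: Phone tokens persisted before this change still hold the plaintext secret, so once the verifier compares against `self::hash($secret)` (the Auth.php hunk) any such token that was issued but not yet redeemed will stop validating; if no migration or transitional dual-check accompanies this, the commit description should state that in-flight phone tokens are invalidated on deploy. The identical change is made in the `/v1/account/verification/phone` hunk at line 2266 and the same note applies there. Both creation sites now depend on `Auth::hash` producing exactly what the verifier recomputes, and a comment at each store, `// Persist only the hash; the plaintext code is delivered out-of-band and re-hashed at verification`, makes that coupling explicit for the next maintainer. Where `$secret` is generated and whether any response still echoes it lie outside these hunks, so that cannot be judged here.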
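Review bot: The new comparison `$token->getAttribute('secret') === self::hash($secret)` is plain string equality and therefore not constant-time; prefer `hash_equals((string) $token->getAttribute('secret'), self::hash($secret))` so the compare does not leak through timing. The enclosing method starts and ends outside the hunk, so the loop that yields `$token` and the behaviour on mismatch are not visible. If `Auth::hash` is an unsalted fast digest, hashing a short numeric code offers limited protection against offline guessing of a leaked row; the effective safeguards are the `expire` check on the following line and rate-limiting of verification attempts, neither of which this hunk can confirm. The loose `==` on the `type` context line is pre-existing and unrelated to this change.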