diff --git a/server/auth/orcid.js b/server/auth/orcid.js
index 471c7ebaf21cb639ffff3e1374b3c0165468f826..4ec9708ae01d61299e1bed785ff962bf137b4b6a 100644
--- a/server/auth/orcid.js
+++ b/server/auth/orcid.js
@@ -59,7 +59,7 @@ module.exports = app => {
     }),
     (req, res) => {
       const jwt = authentication.token.create(req.user)
-      res.redirect(`/login?token=${jwt}`)
+      res.redirect(`/login#${jwt}`)
     },
   )
 }
diff --git a/server/auth/orcid.test.js b/server/auth/orcid.test.js
index bac2f1f6a0d83ad6c0748895d537c3917dd1b190..a1cad8bd2bf3a2bf9967c50e7d165b57fc0c939f 100644
--- a/server/auth/orcid.test.js
+++ b/server/auth/orcid.test.js
@@ -13,7 +13,7 @@ const makeApp = () => {
 describe('ORCID auth', () => {
   beforeEach(() => createTables(true))
 
-  it('can log in', async () => {
+  it('exchanges code and returns JWT', async () => {
     // mock OAuth response
     nock('https://sandbox.orcid.org')
       .post('/oauth/token')
@@ -29,6 +29,6 @@ describe('ORCID auth', () => {
 
     const app = makeApp()
     const response = await app.get('/auth/orcid/callback?code=def')
-    expect(response.header.location).toMatch(/^\/login\?token/)
+    expect(response.header.location).toMatch(/^\/login#\w+/)
   })
 })