diff --git a/app/models.py b/app/models.py
index 7e2728bd6dabb0b30decab3c50d2bdb6e105816c..f65cf84f837ad862d70179327670837c11c5086c 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1,4 +1,4 @@
-from app import db, login, mail, socketio
+from app import db, hashids, login, mail, socketio
 from app.converters.vrt import normalize_vrt_file
 from app.email import create_message
 from datetime import datetime, timedelta
@@ -327,7 +327,7 @@ class User(HashidMixin, UserMixin, db.Model):
             return False
         if payload.get('purpose') != 'confirm_user':
             return False
-        if payload.get('sub') != self.id:
+        if payload.get('sub') != self.hashid:
             return False
         self.confirmed = True
         db.session.add(self)
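Review bot: Confirmation tokens issued before this change carry the integer `self.id` in `sub`, so the new comparison against `self.hashid` rejects every such link that is still outstanding, and the method returns False with no indication why. If that invalidation is intended, record it in a comment above the check, e.g. `# sub carries the hashid; tokens minted with the integer id are rejected`; otherwise accept both forms for as long as old tokens remain valid. The same applies to the reset-password verifier in the last hunk, where an old integer `sub` reaches `hashids.decode`. The method body starts and ends outside this hunk.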
@@ -344,7 +344,7 @@ class User(HashidMixin, UserMixin, db.Model):
             'iat': utc_now,
             'iss': current_app.config['SERVER_NAME'],
             'purpose': 'confirm_user',
-            'sub': self.id
+            'sub': self.hashid
         }
         return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
 
@@ -355,7 +355,7 @@ class User(HashidMixin, UserMixin, db.Model):
             'iat': utc_now,
             'iss': current_app.config['SERVER_NAME'],
             'purpose': 'reset_password',
-            'sub': self.id
+            'sub': self.hashid
         }
         return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
 
@@ -452,9 +452,10 @@ class User(HashidMixin, UserMixin, db.Model):
             return False
         if payload.get('purpose') != 'reset_password':
             return False
-        user_id = payload.get('sub')
-        if user_id is None:
+        user_hashid = payload.get('sub')
+        if user_hashid is None:
             return False
+        user_id = hashids.decode(user_hashid)
         user = User.query.get(user_id)
         if user is None:
             return False
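Review bot: The result of `hashids.decode(user_hashid)` goes straight into `User.query.get` with no check that decoding succeeded. Hashids decoders typically return an empty tuple for input they cannot decode, and the underlying library returns a tuple even on success. A correctly signed token whose `sub` is not a valid hashid, including one issued before this change with an integer `sub`, may therefore raise inside `query.get` instead of returning False; this depends on what the `hashids` object imported from `app` returns, which is not visible here. Validate on both sides of the decode, e.g. `if not isinstance(user_hashid, str): return False` before it and `if not isinstance(user_id, int): return False` after it, unpacking a one-element tuple first if that is what decode returns. The function starts and ends outside this hunk.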