diff --git a/auth.js b/auth.js
index 0fe1f61..bdc268f 100644
--- a/auth.js
+++ b/auth.js
@@ -2,7 +2,7 @@ import * as cookie from 'https://deno.land/std@0.188.0/http/cookie.ts'
 export class Auth {
 constructor({
- baseUrl,
+ basePath,
 remoteBaseUrl,
 giteaAppBaseUrl,
 giteaApiBaseUrl,
@@ -10,7 +10,7 @@ export class Auth {
 giteaClientId,
 giteaClientSecret
 }) {
- this.baseUrl = baseUrl
+ this.basePath = basePath
 this.remoteBaseUrl = remoteBaseUrl
 this.giteaAppBaseUrl = giteaAppBaseUrl
 this.giteaApiBaseUrl = giteaApiBaseUrl
@@ -50,8 +50,10 @@ export class Auth {
 Location: url
 })
 cookie.setCookie(headers, {
+ ...this.cookieSettings,
 name: 'oauth.gitea.state',
 value: state,
+ maxAge: 600,
 })
 event.respondWith(new Response('', {
 headers,
@@ -73,6 +75,12 @@ export class Auth {
 )
 }
+ get cookieSettings() {
+ return {
+ path: `${this.basePath}/api`,
+ }
+ }
+
 async getToken(code) {
 const resp = await fetch(this.tokenEndpoint, {
 method: 'POST',
@@ -93,14 +101,17 @@ export class Auth {
 saveTokens(headers, data) {
 cookie.setCookie(headers, {
+ ...this.cookieSettings,
 name: 'oauth.gitea.accessToken',
 value: data.access_token,
 })
 cookie.setCookie(headers, {
+ ...this.cookieSettings,
 name: 'oauth.gitea.refreshToken',
 value: data.refresh_token,
 })
 cookie.setCookie(headers, {
+ ...this.cookieSettings,
 name: 'oauth.gitea.expires',
 value: String(
 Math.floor(new Date().valueOf() / 1000) +
@@ -165,12 +176,12 @@ export class Auth {
 async serve(event) {
 const {pathname} = new URL(event.request.url)
- const u = this.baseUrl
- if (pathname === `${u}/api/auth`) {
+ const b = this.basePath
+ if (pathname === `${b}/api/auth`) {
 await this.redirect(event)
- } else if (pathname === `${u}/api/auth/callback`) {
+ } else if (pathname === `${b}/api/auth/callback`) {
 await this.callback(event)
- } else if (pathname === `${u}/api/auth/refresh`) {
+ } else if (pathname === `${b}/api/auth/refresh`) {
 await this.refresh(event)
 } else {
 event.respondWith(new Response(
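Review bot: The `cookieSettings` getter added in the `@@ -73,6 +75,12 @@` hunk sets only `path`, so the `oauth.gitea.accessToken` and `oauth.gitea.refreshToken` cookies in `saveTokens` (and the `oauth.gitea.state` cookie in the `@@ -50,8 +50,10 @@` hunk) are still issued with no `httpOnly`, `secure` or `sameSite` attribute. Because every cookie now spreads this one object, it is the place to add `httpOnly: true,`, `secure: true,` and `sameSite: 'Lax',` next to `path`. `Lax` rather than `Strict` is suggested because the state cookie has to be sent on the redirect back from Gitea to `/api/auth/callback`. Both `httpOnly` and `secure` are assumptions to confirm: nothing in these hunks shows whether client script reads the cookies or whether the app is always served over HTTPS, and `saveTokens` continues past the end of its hunk.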
diff --git a/server.js b/server.js
index 4b19675..17ec1f3 100644
--- a/server.js
+++ b/server.js
@@ -32,7 +32,7 @@ export class Server {
 'GITEA_CLIENT_SECRET',
 ])
 this.port = env.PORT ?? 3000
- this.baseUrl = env.BASE_URL ?? '/macchiato'
+ this.basePath = env.BASE_PATH ?? '/macchiato'
 this.remoteBaseUrl = env.REMOTE_BASE_URL
 this.giteaAppBaseUrl = (
 env.GITEA_APP_BASE_URL ?? 'http://gitea:3000'
@@ -50,7 +50,7 @@ export class Server {
 await this.configure()
 }
 this.auth = new Auth({
- baseUrl: this.baseUrl,
+ basePath: this.basePath,
 remoteBaseUrl: this.remoteBaseUrl,
 giteaAppBaseUrl: this.giteaAppBaseUrl,
 giteaApiBaseUrl: this.giteaApiBaseUrl,
@@ -127,14 +127,14 @@ export class Server {
 async serveRequest(event) {
 const {pathname: p} = new URL(event.request.url)
- const base = this.baseUrl
+ const base = this.basePath
 if (p.startsWith(`${base}/api/auth`)) {
 await this.auth.serve(event)
 } else if (p.startsWith(`${base}/api/storage`)) {
 const {allow, headers} = (
 await this.auth.requireAuth(event)
 )
- if (allowed) {
+ if (allow) {
 await this.storage.serve(event, headers)
 }
 } else {
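Review bot: Reading `env.BASE_PATH` instead of `env.BASE_URL` in the `@@ -32,7 +32,7 @@` hunk changes the configuration interface as well as the property name: a deployment that still sets only `BASE_URL` silently falls back to `'/macchiato'`, and both the route matching and the cookie `path` in auth.js are derived from this value. Either accept the old name for a transition, `this.basePath = env.BASE_PATH ?? env.BASE_URL ?? '/macchiato'`, or call the rename out in the deployment notes. The enclosing method starts and ends outside this hunk.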
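Review bot: The `if (allow)` branch in `serveRequest` has no `else`, so a denied storage request is answered only if `requireAuth` has already called `event.respondWith` itself, which is not visible in this hunk. A comment on the branch, `// requireAuth is expected to have sent the denial response when allow is false`, or an explicit deny response there would make the gate readable on its own. The name being replaced, `allowed`, is not declared anywhere in the visible lines, so the authorised path appears never to have run; that suggests the storage gate has no test yet, and one each for the allow and deny cases would pin it. `serveRequest` continues after the final `} else {`, outside the hunk.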