diff --git a/app/models/passwordless/session.rb b/app/models/passwordless/session.rb
index 4b0b0b8..8779792 100644
--- a/app/models/passwordless/session.rb
+++ b/app/models/passwordless/session.rb
@@ -24,15 +24,20 @@ class Session < ApplicationRecord
 
 before_validation :set_defaults
 
- # save the token in memory so we can put it in emails but only save the
- # hashed version in the database
- attr_accessor :token
-
 scope(
 :available,
 lambda { where("expires_at > ?", Time.current) }
 )
 
+ # save the token in memory so we can put it in emails but only save the
+ # hashed version in the database
+ attr_reader :token
+
+ def token=(plaintext)
+ self.token_digest = Passwordless.digest(plaintext)
+ @token = (plaintext)
+ end
+
 def expired?
 expires_at <= Time.current
 end
diff --git a/test/models/passwordless/session_test.rb b/test/models/passwordless/session_test.rb
index 1aada86..fe05071 100644
--- a/test/models/passwordless/session_test.rb
+++ b/test/models/passwordless/session_test.rb
@@ -68,6 +68,12 @@ def call(_session)
 Passwordless.token_generator = old_generator
 end
 
+ test("setting token manually") do
+ session = Session.new(token: "hi")
+ assert_equal "hi", session.token
+ assert_equal Passwordless.digest("hi"), session.token_digest
+ end
+
 test("with a custom expire at function") do
 custom_expire_at = Time.parse("01-01-2100").utc
 old_expires_at = Passwordless.expires_at
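Review bot: The new `token=` in session.rb digests whatever it is handed, including nil or an empty string, with no check; how `Passwordless.digest` treats nil is not visible in this hunk, but an empty string would presumably produce a fixed, guessable digest. Because the setter is now reachable through `Session.new(token: ...)`, a first line such as `raise ArgumentError, "token must not be blank" if plaintext.blank?` would keep a degenerate value from becoming a stored credential. The comment above `attr_reader :token` could also state that a manually assigned token bypasses `Passwordless.token_generator`, so the caller is responsible for its entropy. The parentheses in `@token = (plaintext)` are redundant and can be dropped. The test hunk in session_test.rb covers only the happy path; a case asserting the behaviour for a blank token would pin the guard.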