diff --git a/src/Yesod/Auth/OAuth2/Dispatch.hs b/src/Yesod/Auth/OAuth2/Dispatch.hs
index 49e37ec..499a632 100644
--- a/src/Yesod/Auth/OAuth2/Dispatch.hs
+++ b/src/Yesod/Auth/OAuth2/Dispatch.hs
@@ -117,14 +117,14 @@ withCallbackAndState name oauth2 csrf = do
 getParentUrlRender :: MonadHandler m => m (Route (SubHandlerSite m) -> Text)
 getParentUrlRender = (.) <$> getUrlRender <*> getRouteToParent
--- | Set a random, ~30-character value in the session
+-- | Set a random, ~64-byte value in the session
 --
 -- Some (but not all) providers decode a @+@ in the state token as a space when
 -- sending it back to us. We don't expect this and fail. And if we did code for
 -- it, we'd then fail on the providers that /don't/ do that.
 --
 -- Therefore, we just exclude @+@ in our tokens, which means this function may
--- return slightly less than 30 characters.
+-- return slightly fewer than 64 bytes.
 setSessionCSRF :: MonadHandler m => Text -> m Text
 setSessionCSRF sessionKey = do
 csrfToken <- liftIO randomToken
diff --git a/src/Yesod/Auth/OAuth2/Random.hs b/src/Yesod/Auth/OAuth2/Random.hs
index 8c63925..e8ff5d4 100644
--- a/src/Yesod/Auth/OAuth2/Random.hs
+++ b/src/Yesod/Auth/OAuth2/Random.hs
@@ -13,7 +13,7 @@ import Data.Text.Encoding (decodeUtf8)
 randomText :: MonadRandom m => Int
-  -- ^ Size in Bytes (note necessarily characters)
+  -- ^ Size in Bytes (not necessarily characters)
   -> m Text
 randomText size = decodeUtf8 . convertToBase @ByteString Base64 <$> getRandomBytes size
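Review bot: The rewritten Haddock on `setSessionCSRF` calls the stored value "~64-byte" and says it may be "slightly fewer than 64 bytes", but what lands in the session is the base64 text produced by `randomText`, so "bytes" here is the pre-encoding entropy, not the length of the stored string; if `randomToken` is `randomText 64` (it is not visible in this hunk) the session value is roughly 88 characters, and dropping `+` removes characters and a few bits of entropy rather than bytes. Suggest wording it as `-- | Set a random value (64 random bytes, base64-encoded) in the session` and `-- lose a few characters (and a few bits of entropy) relative to the full encoding.` so a reader does not compare the number against the string length they see. The body of `setSessionCSRF`, including the `+` filtering the comment describes, continues past the end of the hunk, so I could not check that the comment matches it.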
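Review bot: `randomText` still encodes with plain `Base64`, whose alphabet contains `+`, `/` and `=`; `+` is exactly the character the `Dispatch.hs` comment says some providers turn into a space, and stripping it afterwards costs entropy while leaving `/` and `=` for providers to percent-encode, or not, on the way back. Since this value is sent as the OAuth2 `state` query parameter, it would be more robust to emit a URL-safe alphabet at the source: `randomText size = decodeUtf8 . convertToBase @ByteString Base64URLUnpadded <$> getRandomBytes size`, assuming the pinned `memory` version exports `Base64URLUnpadded` from `Data.ByteArray.Encoding`. The "Size in Bytes (not necessarily characters)" comment fixed in this hunk stays accurate with that change, and the post-hoc `+` exclusion in `setSessionCSRF` would become unnecessary, though any other caller relying on the current alphabet would need checking before switching.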