diff --git a/.changeset/huge-walls-raise.md b/.changeset/huge-walls-raise.md
new file mode 100644
index 000000000..61d560b4c
--- /dev/null
+++ b/.changeset/huge-walls-raise.md
@@ -0,0 +1,5 @@
+---
+'@faustwp/core': patch
+---
+
+#2181 - Sanitize URL in cookie key to make it RFC 6265 sec 4.1.1 compliant.
diff --git a/packages/faustwp-core/src/server/auth/token.ts b/packages/faustwp-core/src/server/auth/token.ts
index 9622edbaf..56c54f951 100644
--- a/packages/faustwp-core/src/server/auth/token.ts
+++ b/packages/faustwp-core/src/server/auth/token.ts
@@ -25,7 +25,10 @@ export class OAuth {
 constructor(cookies: Cookies) {
 this.cookies = cookies;
- this.tokenKey = `${getWpUrl()}-rt`;
+ this.tokenKey = `${getWpUrl().replace(
+ /[^!#$%&'*+\-.^_`|~0-9A-Za-z]/g,
+ '',
+ )}-rt`; // Sanitize URL to make cookie key RFC 6265 sec 4.1.1 compliant.
 public getRefreshToken(): string | undefined {
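Review bot: The new tokenKey differs from the old one for every deployment, since any URL containing `:` or `/` is altered by the replace, so refresh tokens already stored under the old cookie name will no longer be found by getRefreshToken() and, unless something clears them, the old cookies remain in the browser as orphaned credentials. If browsers ever accepted the previous name, consider a one-time fallback in this constructor that reads and deletes the legacy key, or at least state the forced re-login in the changeset. The stripping can also map distinct URLs to the same key (constructed example: `https://a.b/c-d` and `https://a.b/c/-d` both become `httpsa.bc-d`), which is presumably harmless here but deserves a comment. For style, hoist the character class into a module-level named constant with a comment citing RFC 6265 §4.1.1, and move the trailing comment above the statement so the multi-line template literal reads cleanly. The constructor's closing brace and the rest of the class lie outside the visible hunk.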