Because these values are used for OAuth2 codes, refresh tokens,
etc, they shouldn't be guessable. Increase the number of random
bytes from 64 to 128.