diff --git a/backend/app/Controllers/SallaController.php b/backend/app/Controllers/SallaController.php
index eaebcda..694ebc8 100644
--- a/backend/app/Controllers/SallaController.php
+++ b/backend/app/Controllers/SallaController.php
@@ -32,11 +32,15 @@ class SallaController extends BaseController
 $clientId = getenv('SALLA_CLIENT_ID') ?: '69ea789c-f611-4ea7-a3ee-7ead41420225';
 $redirectUri = getenv('APP_URL') . '/api/integrations/salla/callback';
+ // Build state: company_id + random token (min 8 chars required by Salla)
+ $randomToken = bin2hex(random_bytes(8)); // 16-char hex
+ $state = $companyId . '_' . $randomToken;
+
 $authUrl = "https://accounts.salla.sa/oauth2/auth?" . http_build_query([
 'client_id' => $clientId,
 'redirect_uri' => $redirectUri,
 'response_type' => 'code',
- 'state' => $companyId
+ 'state' => $state
 ]);
 header("Location: " . $authUrl);
@@ -60,7 +64,11 @@ class SallaController extends BaseController
 }
 $code = $_GET['code'] ?? '';
- $companyId = $_GET['state'] ?? '';
+ $rawState = $_GET['state'] ?? '';
+
+ // Extract company_id from state (format: "companyId_randomToken")
+ $stateParts = explode('_', $rawState, 2);
+ $companyId = $stateParts[0] ?? '';
 if (empty($code) || empty($companyId)) {
 $response->status(400)->html("
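Review bot: The random token appended to `$state` is not persisted anywhere in this hunk, so the callback has nothing to compare it against and the state still only satisfies Salla's minimum-length rule rather than binding the authorization response to the browser that started the flow. Store the issued value before the redirect, e.g. `$_SESSION['salla_oauth_state'] = $state;` (or whatever server-side store this app keys to the current user), so the callback can reject any state it did not issue. The comment on the `$randomToken` line would also read better as `// CSRF nonce: 8 random bytes, hex-encoded (16 chars; Salla requires >= 8), to be verified on callback` so the next reader knows the token is meant to be checked, not just padding. The enclosing method continues past `header("Location: " . $authUrl);`, so this note assumes the state is not stored further down; if it is, disregard.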
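Review bot: In the callback hunk `$companyId` is taken from the attacker-controllable `state` query parameter and the random suffix is discarded without being verified, so anyone can hit the callback with `state=<victim company id>_x` plus an authorization code for a Salla store they control and have that store bound to another company (a login-CSRF / account-binding attack); splitting on `_` changes the format, not the trust boundary. The received state should be compared with `hash_equals()` against the value issued at redirect time, consumed once, and the company id should come from that stored value rather than from the request. `$_GET['state']` can also arrive as an array (`state[]=`), which would make `hash_equals()` throw a TypeError, so it should be coerced to a string first. Whether this app keeps per-user state in `$_SESSION` is not visible here, so the fence uses it as a stand-in for whatever store the authorize step writes to; the method body, including how the 400 path returns, continues outside the hunk.
```php
$code = $_GET['code'] ?? '';
$rawState = is_string($_GET['state'] ?? null) ? $_GET['state'] : '';

// Accept only the exact state issued at redirect time (single use); the
// company id is derived from the stored value, never from the query string.
$expectedState = (string) ($_SESSION['salla_oauth_state'] ?? '');
unset($_SESSION['salla_oauth_state']);
if ($expectedState === '' || !hash_equals($expectedState, $rawState)) {
    $response->status(400)->html("Error: Invalid or expired OAuth state.");
    return;
}
[$companyId] = explode('_', $expectedState, 2);
// … unchanged: empty($code)/empty($companyId) check and its error response …
```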

Error: Missing authorization code or state (company_id).

");