diff --git a/pkg/delegatedauth/state.go b/pkg/delegatedauth/state.go
index 0a45e10..8362eb9 100644
--- a/pkg/delegatedauth/state.go
+++ b/pkg/delegatedauth/state.go
@@ -12,7 +12,11 @@ type DelegatedState struct {
 func (s DelegatedState) EncodeAsUrlParam() string {
 buf := bytes.NewBufferString("")
- if err := json.NewEncoder(base64.NewEncoder(base64.URLEncoding, buf)).Encode(s); err != nil {
+ encoder := base64.NewEncoder(base64.URLEncoding, buf)
+ if err := json.NewEncoder(encoder).Encode(s); err != nil {
+ panic(err)
+ }
+ if err := encoder.Close(); err != nil {
 panic(err)
 }
 return buf.String()
diff --git a/pkg/delegatedauth/state_fuzz_test.go b/pkg/delegatedauth/state_fuzz_test.go
new file mode 100644
index 0000000..29d5669
--- /dev/null
+++ b/pkg/delegatedauth/state_fuzz_test.go
@@ -0,0 +1,41 @@
+package delegatedauth
+
+import (
+ "testing"
+)
+
+func FuzzDecodeDelegatedState(f *testing.F) {
+ // Valid base64-encoded JSON seeds
+ valid := DelegatedState{AuthRequestID: "test-123"}
+ f.Add(valid.EncodeAsUrlParam())
+
+ empty := DelegatedState{AuthRequestID: ""}
+ f.Add(empty.EncodeAsUrlParam())
+
+ // Edge cases: raw strings that are not valid base64/JSON
+ f.Add("")
+ f.Add("not-base64")
+ f.Add("====")
+ f.Add("{}")
+ f.Add("e30=") // base64 of "{}"
+ f.Add("bnVsbA==") // base64 of "null"
+ f.Add(string([]byte{0, 1, 2, 3, 4, 5}))
+ f.Add("eyJhdXRoUmVxdWVzdElEIjoiIn0=") // base64 of {"authRequestID":""}
+
+ f.Fuzz(func(t *testing.T, input string) {
+ result, err := DecodeDelegatedState(input)
+ if err != nil {
+ return
+ }
+
+ // Round-trip: encode then decode should produce the same result
+ encoded := result.EncodeAsUrlParam()
+ result2, err := DecodeDelegatedState(encoded)
+ if err != nil {
+ t.Fatalf("round-trip decode failed: %v", err)
+ }
+ if result.AuthRequestID != result2.AuthRequestID {
+ t.Fatalf("round-trip mismatch: %q != %q", result.AuthRequestID, result2.AuthRequestID)
+ }
+ })
+}
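Review bot: The new `encoder.Close()` call in EncodeAsUrlParam carries no explanation, so a later refactor can drop it again and silently truncate the state value; add `// Close flushes the final partial base64 group; without it the encoded state is truncated.` above it. A non-streaming form removes the flush step altogether: `b, err := json.Marshal(s)` followed by `return base64.URLEncoding.EncodeToString(b)`. That drops the trailing newline `json.Encoder` appends, so confirm that `DecodeDelegatedState` (not shown in this diff) accepts both forms before switching; the `e30=` fuzz seed suggests it is meant to. The function's closing brace lies outside the hunk.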
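Review bot: The round-trip assertion at the end of the fuzz body compares only `AuthRequestID`, so any other field of `DelegatedState` that fails to survive encode/decode would go unnoticed. The struct's fields are not visible in this diff; if it has or gains more, compare the whole value with `if !reflect.DeepEqual(result, result2) { t.Fatalf("round-trip mismatch: %+v != %+v", result, result2) }`. The checked-in corpus entry decodes to a JSON object followed by one extra byte, which suggests `DecodeDelegatedState` tolerates trailing data. Since this value returns from the browser and is untrusted, decide whether the decoder should reject that, then pin the decision with an explicit seed and assertion.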
diff --git a/pkg/delegatedauth/testdata/fuzz/FuzzDecodeDelegatedState/c71785f735fef5ee b/pkg/delegatedauth/testdata/fuzz/FuzzDecodeDelegatedState/c71785f735fef5ee
new file mode 100644
index 0000000..79e41ca
--- /dev/null
+++ b/pkg/delegatedauth/testdata/fuzz/FuzzDecodeDelegatedState/c71785f735fef5ee
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("eyJBdXRocmVxdWVzdElEIjoi08000800In00")