diff --git a/crypto_auth.js b/crypto_auth.js
index 90acae5..a279a29 100644
--- a/crypto_auth.js
+++ b/crypto_auth.js
@@ -8,6 +8,7 @@ const crypto_auth_KEYBYTES = 32
 
 function crypto_auth (out, input, k) {
   assert(out.byteLength === crypto_auth_BYTES, "out should be 'crypto_auth_BYTES' in length")
+  assert(k.byteLength === crypto_auth_KEYBYTES, "key should be 'crypto_auth_KEYBYTES' in length")
 
   const out0 = new Uint8Array(64)
   const hmac = Sha512.HMAC(k)
@@ -18,6 +19,9 @@ function crypto_auth (out, input, k) {
 }
 
 function crypto_auth_verify (h, input, k) {
+  assert(h.byteLength === crypto_auth_BYTES, "h should be 'crypto_auth_BYTES' in length")
+  assert(k.byteLength === crypto_auth_KEYBYTES, "key should be 'crypto_auth_KEYBYTES' in length")
+
   const correct = Sha512.HMAC(k).update(input).digest()
 
   return crypto_verify_32(h, 0, correct, 0)