diff --git a/src/store.rs b/src/store.rs
index 0bd917f..06acaab 100644
--- a/src/store.rs
+++ b/src/store.rs
@@ -113,7 +113,7 @@ pub struct IdCoopStoreTxn<'a, 'txn> {
     pub(crate) txn: &'a mut Transaction<'txn, Postgres>,
 }
 
-impl<'a, 'txn> IdCoopStoreTxn<'a, 'txn> {
+impl IdCoopStoreTxn<'_, '_> {
     /// Given the hash of an access token and a hash of a refresh token,
     /// invalidates both the access and refresh tokens.
     pub async fn invalidate_access_token_by_hash(
diff --git a/src/utils.rs b/src/utils.rs
index ab0a764..e2cd0f2 100644
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -1,10 +1,10 @@
 //! Miscellaneous utilities
 
 #[cfg(not(test))]
-pub use self::real_utils::{Clock, RandGen};
+pub(crate) use self::real_utils::{Clock, RandGen};
 
 #[cfg(test)]
-pub use self::test_utils::{Clock, RandGen};
+pub(crate) use self::test_utils::{Clock, RandGen};
 
 #[cfg(not(test))]
 mod real_utils {
@@ -77,7 +77,7 @@ mod test_utils {
     use rand_xoshiro::Xoshiro256StarStar;
 
     #[derive(Clone)]
-    pub struct RandGen(Arc<Mutex<Xoshiro256StarStar>>);
+    pub(crate) struct RandGen(Arc<Mutex<Xoshiro256StarStar>>);
 
     impl RandGen {
         #[allow(clippy::new_without_default)]
diff --git a/src/web/login.rs b/src/web/login.rs
index 9f25feb..57d5771 100644
--- a/src/web/login.rs
+++ b/src/web/login.rs
@@ -135,6 +135,7 @@ pub const LOGIN_SESSION_TOKEN_HASH_BYTES: usize = 32;
 ///      e.g. perhaps the persona should be a hash of the user's UUID?
 pub const LOGIN_SESSION_XSRF_SECRET_BYTES: usize = 32;
 
+/// Name of the cookie used to store the Login Session ID.
 pub const LOGIN_SESSION_COOKIE_NAME: &str = "__Host-LoginSession";
 
 /// Represents a login session, which is effectively just a 'web UI' session for a user.
@@ -301,7 +302,7 @@ pub struct LoginQuery {
 /// If logged in, redirects to `then` (if safe to do so) immediately.
 ///
 /// If not logged in, shows a login form.
-pub async fn get_login(
+pub(crate) async fn get_login(
     current_session: Result<LoginSession, (StatusCode, &'static str)>,
     Query(query): Query<LoginQuery>,
     cookies: Cookies,
@@ -351,7 +352,7 @@ fn dummy_password_hash(password: String, password_hash_config: &PasswordHashingC
 /// browser cookies and the user is redirected to what they were trying to access
 /// that needed the login in the first place.
 #[allow(clippy::too_many_arguments)]
-pub async fn post_login(
+pub(crate) async fn post_login(
     Query(query): Query<LoginQuery>,
     cookies: Cookies,
     Extension(store): Extension<Arc<IdCoopStore>>,
diff --git a/src/web/oauth_openid/authorisation.rs b/src/web/oauth_openid/authorisation.rs
index 12b8019..4e0c241 100644
--- a/src/web/oauth_openid/authorisation.rs
+++ b/src/web/oauth_openid/authorisation.rs
@@ -67,7 +67,8 @@ pub struct AuthorisationQuery {
 pub const MAX_NONCE_LENGTH: usize = 384;
 
 /// `GET /oidc/auth`
-pub async fn oidc_authorisation(
+#[allow(clippy::too_many_arguments)]
+pub(crate) async fn oidc_authorisation(
     query: Result<Query<AuthorisationQuery>, QueryRejection>,
     login_session: Option<LoginSession>,
     ambient: Ambient,
@@ -152,7 +153,7 @@ pub struct PostConsentForm {
 
 /// `POST /oidc/auth`
 #[allow(clippy::too_many_arguments)]
-pub async fn post_oidc_authorisation_consent(
+pub(crate) async fn post_oidc_authorisation_consent(
     Query(query): Query<AuthorisationQuery>,
     login_session: Option<LoginSession>,
     ambient: Ambient,
diff --git a/src/web/oauth_openid/ext_codes.rs b/src/web/oauth_openid/ext_codes.rs
index 99ef11e..6da494f 100644
--- a/src/web/oauth_openid/ext_codes.rs
+++ b/src/web/oauth_openid/ext_codes.rs
@@ -62,7 +62,7 @@ impl FromStr for AuthCode {
 
 impl AuthCode {
     /// Generate a new authorisation code using the thread's RNG
-    pub fn generate_new_random(randgen: &mut RandGen) -> Self {
+    pub(crate) fn generate_new_random(randgen: &mut RandGen) -> Self {
         Self(randgen.gen::<[u8; 24]>())
     }
 }
diff --git a/src/web/oauth_openid/token.rs b/src/web/oauth_openid/token.rs
index ffbf356..a9dcc40 100644
--- a/src/web/oauth_openid/token.rs
+++ b/src/web/oauth_openid/token.rs
@@ -52,7 +52,7 @@ pub struct TokenFormParams {
 ///
 /// TODO auth_header can be one alternative auth method
 #[allow(clippy::too_many_arguments)]
-pub async fn oidc_token(
+pub(crate) async fn oidc_token(
     basic_auth: Option<TypedHeader<Authorization<Basic>>>,
     Extension(config): Extension<Arc<Configuration>>,
     Extension(secrets): Extension<Arc<SecretConfig>>,
diff --git a/src/web/sessionless_xsrf.rs b/src/web/sessionless_xsrf.rs
index ab2fc09..e0c6a13 100644
--- a/src/web/sessionless_xsrf.rs
+++ b/src/web/sessionless_xsrf.rs
@@ -18,7 +18,7 @@ use crate::utils::RandGen;
 pub const COOKIE_NAME: &str = "__Host-SessionlessXsrf";
 
 /// Gets the Sessionless XSRF token to put into a form request
-pub fn get_token(cookies: &Cookies, randgen: &mut RandGen) -> String {
+pub(crate) fn get_token(cookies: &Cookies, randgen: &mut RandGen) -> String {
     if let Some(xsrf_cookie) = cookies.get(COOKIE_NAME) {
         xsrf_cookie.value().to_owned()
     } else {