diff --git a/src/service.test.ts b/src/service.test.ts
index b83b9ff69..d89e0654e 100644
--- a/src/service.test.ts
+++ b/src/service.test.ts
@@ -101,10 +101,13 @@ await test('find', async (t) => {
 
 await test('create', async () => {
   const post = { title: 'new post' }
-  const res = await service.create(POSTS, post)
+  let res = await service.create(POSTS, post)
   assert.equal(res?.['title'], post.title)
   assert.equal(typeof res?.['id'], 'string', 'id should be a string')
 
+  res = await service.create(POSTS, { ...post, id: 'foo' })
+  assert.notEqual(res?.['id'], 'foo', 'user should not be able to set id')
+
   assert.equal(await service.create(UNKNOWN_RESOURCE, post), undefined)
 })
 
diff --git a/src/service.ts b/src/service.ts
index 9b5edd224..ad06bfa8f 100644
--- a/src/service.ts
+++ b/src/service.ts
@@ -146,7 +146,7 @@ export class Service {
     const items = this.#get(name)
     if (items === undefined || !Array.isArray(items)) return
 
-    const item = { id: randomId(), ...data }
+    const item = { ...data, id: randomId() }
     items.push(item)
 
     await this.#db.write()