diff --git a/lib/relay.js b/lib/relay.js
index 449b3b2..0df9fc8 100644
--- a/lib/relay.js
+++ b/lib/relay.js
@@ -259,10 +259,12 @@ var Server = {
 
     // TODO don't fire the onAuth event on non-authz updates
     if (!grant.jwt && !(grant.domains||[]).length && !(grant.ports||[]).length) {
+      console.log("[onAuth] nothing to offer at all");
       return null;
     }
 
     console.log('[onAuth] check for upgrade token');
+    console.log(grant);
     if (grant.jwt) {
       if (newAuth !== grant.jwt) {
         console.log('[onAuth] new token to send back');
@@ -275,7 +277,7 @@ var Server = {
         , null
         , [ 3
           , 'access_token'
-          , { jwt: grant.jwt }
+          , { jwt: grant.jwt || grant.access_token }
           ]
         , 'control'
         );
@@ -426,33 +428,33 @@ var Server = {
       process.nextTick(function () { conn.resume(); });
     });
   }
-, addToken: function addToken(state, srv, newAuth) {
-    console.log("[addToken]", newAuth);
-    if (srv.grants[newAuth]) {
+, addToken: function addToken(state, srv, rawAuth) {
+    console.log("[addToken]", rawAuth);
+    if (srv.grants[rawAuth]) {
       console.log("addToken - duplicate");
       // return { message: "token sent multiple times", code: "E_TOKEN_REPEAT" };
       return state.Promise.resolve(null);
     }
 
-    return state.authenticate({ auth: newAuth }).then(function (authnToken) {
-      console.log('\n[relay.js] newAuth');
-      console.log(newAuth);
+    return state.authenticate({ auth: rawAuth }).then(function (validatedTokenData) {
+      console.log('\n[relay.js] rawAuth');
+      console.log(rawAuth);
 
       console.log('\n[relay.js] authnToken');
-      console.log(authnToken);
+      console.log(validatedTokenData);
 
       // For tracking state between token exchanges
       // and tacking on extra attributes (i.e. for extensions)
       // TODO close on delete
-      if (!state.srvs[authnToken.id]) {
-        state.srvs[authnToken.id] = {};
+      if (!state.srvs[validatedTokenData.id]) {
+        state.srvs[validatedTokenData.id] = {};
       }
-      if (!state.srvs[authnToken.id].updateAuth) {
-        state.srvs[authnToken.id].updateAuth = function (validToken) {
-          return Server.onAuth(state, srv, newAuth, validToken);
+      if (!state.srvs[validatedTokenData.id].updateAuth) {
+        state.srvs[validatedTokenData.id].updateAuth = function (validatedTokenData) {
+          return Server.onAuth(state, srv, rawAuth, validatedTokenData);
         };
       }
-      state.srvs[authnToken.id].updateAuth(authnToken);
+      state.srvs[validatedTokenData.id].updateAuth(validatedTokenData);
     });
   }
 , removeToken: function removeToken(state, srv, jwtoken) {