diff --git a/lib/extensions/index.js b/lib/extensions/index.js
index 3e6cf52..9e6dc36 100644
--- a/lib/extensions/index.js
+++ b/lib/extensions/index.js
@@ -167,11 +167,13 @@ module.exports.pairRequest = function (opts) {
     , pin: pin
     , dt: now
     , exp: now + (2 * 60 * 60 * 1000)
-    , authnData: authnData
-    , authn: jwt.sign(authnData, state.secret)
     , request: authReq
     };
+
+    // Setting extra authnData
+    auth.authn = jwt.sign(authnData, state.secret);
     authnData.jwt = auth.authn;
+    auth.authnData = authnData;
     Auths.set(auth, authReq.id, authReq.secret);
     return authnData;
   });
@@ -183,6 +185,7 @@ module.exports.pairPin = function (opts) {
     var secret = opts.secret;
     var auth = Auths.getBySecret(secret);
 
+    console.log('[pairPin] validating secret and pin');
     if (!auth) {
       throw new Error("Invalid magic link token '" + secret + "'");
     }
@@ -192,9 +195,11 @@ module.exports.pairPin = function (opts) {
     }
 
     if (auth._offered) {
+      console.log('[pairPin] already has offer to return');
       return auth._offered;
     }
 
+    console.log('[pairPin] generating offer');
     var hri = require('human-readable-ids').hri;
     var hrname = hri.random() + '.' + state.config.sharedDomain;
     // TODO check used / unused names and ports
@@ -208,9 +213,14 @@ module.exports.pairPin = function (opts) {
     };
     var pathname = path.join(__dirname, 'emails', auth.subject + '.' + hrname + '.data');
     auth.authz = jwt.sign(authzData, state.secret);
+    auth.authzData = authzData;
     authzData.jwt = auth.authz;
+    auth._offered = authzData;
     if (auth.resolve) {
+      console.log('[pairPin] resolving');
       auth.resolve(auth);
+    } else {
+      console.log('[pairPin] not resolvable');
     }
     fs.writeFile(pathname, JSON.stringify(authzData), function (err) {
       if (err) {
@@ -218,12 +228,24 @@ module.exports.pairPin = function (opts) {
         console.error(err);
       }
     });
-    auth._offered = authzData;
     return authzData;
   });
 };
 
 // From a WS connection
+module.exports.authHelper = function (meta) {
+  var state = meta.state;
+  return state.Promise.resolve().then(function () {
+    var auth = meta.session;
+    if ('string' !== typeof auth.authz || 'object' !== typeof auth.authzData) {
+      console.error("[SANITY FAIL] should not complete auth without authz data and access_token");
+      console.error(auth);
+      return;
+    }
+    return auth.authzData;
+  });
+};
+// opts = { state: state, auth: auth_request OR access_token }
 module.exports.authenticate = function (opts) {
   var jwt = require('jsonwebtoken');
   var state = opts.state;
@@ -245,7 +267,6 @@ module.exports.authenticate = function (opts) {
       // this will cause the websocket to disconnect
 
       auth.resolve = function (auth) {
-        opts.auth = auth.authz;
         auth.resolve = null;
         auth.reject = null;
         // NOTE XXX: This is premature in the sense that we can't be 100% sure
@@ -253,7 +274,12 @@ module.exports.authenticate = function (opts) {
         // sort of check that the client actually received the token
         // (i.e. when the grant event gets an ack)
         auth._claimed = true;
-        return state.defaults.authenticate(opts.auth).then(resolve);
+        // this is probably not necessary anymore
+        opts.auth = auth.authz;
+        return module.exports.authHelper({
+          state: state
+        , session: auth
+        }).then(resolve);
       };
       auth.reject = function (err) {
         auth.resolve = null;
@@ -312,7 +338,7 @@ module.exports.authenticate = function (opts) {
   }
 
   console.log("[wss.ext.authenticate] Using authz");
-  return state.defaults.authenticate(opts.auth);
+  return module.exports.authHelper({ state: state, session: auth });
 };
 
 //var loaded = false;