diff --git a/cmd/telebit-relay/telebit-relay.go b/cmd/telebit-relay/telebit-relay.go
index c9574b3..a2e2317 100644
--- a/cmd/telebit-relay/telebit-relay.go
+++ b/cmd/telebit-relay/telebit-relay.go
@@ -14,12 +14,13 @@ import (
 	"strings"
 
 	"git.coolaj86.com/coolaj86/go-telebitd/log"
+	"git.coolaj86.com/coolaj86/go-telebitd/mplexer/mgmt"
 	"git.coolaj86.com/coolaj86/go-telebitd/relay"
 	"git.coolaj86.com/coolaj86/go-telebitd/relay/api"
 	"git.coolaj86.com/coolaj86/go-telebitd/relay/mplexy"
 
 	"github.com/caddyserver/certmagic"
-	jwt "github.com/dgrijalva/jwt-go"
+	//jwt "github.com/dgrijalva/jwt-go"
 	"github.com/go-acme/lego/v3/providers/dns/duckdns"
 	lumberjack "gopkg.in/natefinch/lumberjack.v2"
 
@@ -57,6 +58,8 @@ var (
 	acmeAgree         bool
 	acmeStaging       bool
 	allclients        string
+	authURL           string
+	acmeRelay         string
 )
 
 func init() {
@@ -66,6 +69,8 @@ func init() {
 	flag.BoolVar(&acmeAgree, "acme-agree", false, "agree to the terms of the ACME service provider (required)")
 	flag.BoolVar(&acmeStaging, "staging", false, "get fake certificates for testing")
 	flag.StringVar(&adminHostName, "admin-hostname", "", "the management domain")
+	flag.StringVar(&authURL, "auth-url", "http://localhost:3010/api", "the auth server url")
+	flag.StringVar(&acmeRelay, "acme-relay", "", "the ACME DNS-01 relay, if any")
 	flag.StringVar(&wssHostName, "wss-hostname", "", "the wss domain for connecting devices, if different from admin")
 	flag.StringVar(&configPath, "config-path", configPath, "Configuration File Path")
 	flag.StringVar(&secretKey, "secret", "", "a >= 16-character random string for JWT key signing") // SECRET
@@ -220,9 +225,12 @@ func main() {
 			tokenString = r.URL.Query().Get("access_token")
 		}
 
-		tok, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-			return []byte(secretKey), nil
-		})
+		grants, err := mgmt.Inspect(authURL, tokenString)
+		/*
+			tok, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+				return []byte(secretKey), nil
+			})
+		*/
 		if nil != err {
 			fmt.Println("return an error, do not go on")
 			return nil, err
@@ -230,9 +238,11 @@ func main() {
 		fmt.Printf("client claims:\n%+v\n", tok.Claims)
 
 		domains := []string{}
-		for _, name := range tok.Claims.(jwt.MapClaims)["domains"].([]interface{}) {
-			domains = append(domains, name.(string))
-		}
+		/*
+			for _, name := range tok.Claims.(jwt.MapClaims)["domains"].([]interface{}) {
+				domains = append(domains, name.(string))
+			}
+		*/
 		authz := &mplexy.Authz{
 			Domains: domains,
 		}
diff --git a/mplexer/cmd/telebit/telebit.go b/mplexer/cmd/telebit/telebit.go
index 40ef4ca..a669590 100644
--- a/mplexer/cmd/telebit/telebit.go
+++ b/mplexer/cmd/telebit/telebit.go
@@ -165,14 +165,14 @@ func main() {
 		}
 	}
 
-	grants, err := mgmt.Inspect(*authURL, *token)
+	grants, err := telebit.Inspect(*authURL, *token)
 	if nil != err {
 		_, err := mgmt.Register(*authURL, *secret, ppid)
 		if nil != err {
 			fmt.Fprintf(os.Stderr, "failed to register client: %s", err)
 			os.Exit(1)
 		}
-		grants, err = mgmt.Inspect(*authURL, *token)
+		grants, err = telebit.Inspect(*authURL, *token)
 		if nil != err {
 			fmt.Fprintf(os.Stderr, "failed to authenticate after registering client: %s", err)
 			os.Exit(1)
diff --git a/mplexer/mgmt-prereg.sh b/mplexer/mgmt-prereg.sh
new file mode 100644
index 0000000..5d946be
--- /dev/null
+++ b/mplexer/mgmt-prereg.sh
@@ -0,0 +1,10 @@
+TOKEN=$(go run cmd/signjwt/*.go)
+echo "TOKEN: $TOKEN"
+
+my_shared="k7nsLSwNKbOeBhDFpbhwGHv"
+my_domain="duckdns.org"
+my_client="rooted"
+curl -X POST http://roottest.duckdns.org:3010/api/devices \
+    -H "Authorization: Bearer ${TOKEN}" \
+    -H "Content-Type: application/json" \
+    -d '{ "slug": "'$my_client'", "shared_key": "'$my_shared'" }'
diff --git a/mplexer/mgmt/auth.go b/mplexer/mgmt/auth.go
index 13e7144..7892835 100644
--- a/mplexer/mgmt/auth.go
+++ b/mplexer/mgmt/auth.go
@@ -10,10 +10,6 @@ import (
 	"git.coolaj86.com/coolaj86/go-telebitd/mplexer/mgmt/authstore"
 )
 
-type Grants struct {
-	Domains []string `json:"domains"`
-}
-
 type SuccessResponse struct {
 	Success bool `json:"success"`
 }
@@ -37,23 +33,6 @@ func Ping(authURL, token string) error {
 	return nil
 }
 
-func Inspect(authURL, token string) (*Grants, error) {
-	msg, err := telebit.Request("GET", authURL+"/inspect", token, nil)
-	if nil != err {
-		return nil, err
-	}
-	if nil == msg {
-		return nil, fmt.Errorf("invalid response")
-	}
-
-	grants := &Grants{}
-	err = json.NewDecoder(msg).Decode(grants)
-	if err != nil {
-		return nil, err
-	}
-	return grants, nil
-}
-
 func Register(authURL, secret, ppid string) (kid string, err error) {
 	pub := authstore.ToPublicKeyString(ppid)
 	jsonb := bytes.NewBuffer([]byte(
diff --git a/mplexer/telebit.go b/mplexer/telebit.go
index 7270967..b7ef0e9 100644
--- a/mplexer/telebit.go
+++ b/mplexer/telebit.go
@@ -3,6 +3,7 @@ package telebit
 import (
 	"bytes"
 	"crypto/tls"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -258,6 +259,27 @@ func newCertMagic(acme *ACME) (*certmagic.Config, error) {
 	return magic, nil
 }
 
+type Grants struct {
+	Domains []string `json:"domains"`
+}
+
+func Inspect(authURL, token string) (*Grants, error) {
+	msg, err := Request("GET", authURL+"/inspect", token, nil)
+	if nil != err {
+		return nil, err
+	}
+	if nil == msg {
+		return nil, fmt.Errorf("invalid response")
+	}
+
+	grants := &Grants{}
+	err = json.NewDecoder(msg).Decode(grants)
+	if err != nil {
+		return nil, err
+	}
+	return grants, nil
+}
+
 func Request(method, fullurl, token string, payload io.Reader) (io.Reader, error) {
 	HTTPClient := &http.Client{
 		Timeout: 15 * time.Second,