diff --git a/mplexer/cmd/mgmt/mgmt.go b/mplexer/cmd/mgmt/mgmt.go
index 4eda919..514280e 100644
--- a/mplexer/cmd/mgmt/mgmt.go
+++ b/mplexer/cmd/mgmt/mgmt.go
@@ -32,6 +32,11 @@ type MWKey string
 var store authstore.Store
 var provider challenge.Provider = nil // TODO is this concurrency-safe?
 var secret *string
+var primaryDomain string
+
+func help() {
+ fmt.Fprintf(os.Stderr, "Usage: mgmt --domain --secret <128-bit secret>\n")
+}
 func main() {
 var err error
@@ -44,8 +49,15 @@ func main() {
 "database (postgres) connection url",
 )
 secret = flag.String("secret", "", "a >= 16-character random string for JWT key signing")
+ domain := flag.String("domain", "", "the base domain to use for all clients")
 flag.Parse()
+ primaryDomain = *domain
+ if "" == primaryDomain {
+ help()
+ os.Exit(1)
+ }
+
 if "" != os.Getenv("GODADDY_API_KEY") {
 id := os.Getenv("GODADDY_API_KEY")
 apiSecret := os.Getenv("GODADDY_API_SECRET")
@@ -64,7 +76,7 @@ func main() {
 *secret = os.Getenv("SECRET")
 }
 if "" == *secret {
- fmt.Fprintf(os.Stderr, "Usage: signjwt ")
+ help()
 os.Exit(1)
 return
 }
diff --git a/mplexer/cmd/mgmt/route.go b/mplexer/cmd/mgmt/route.go
index 73deace..5c22af5 100644
--- a/mplexer/cmd/mgmt/route.go
+++ b/mplexer/cmd/mgmt/route.go
@@ -131,6 +131,19 @@ func routeAll() chi.Router {
 handleDNSRoutes(r)
 handleDeviceRoutes(r)
+ r.Post("/inspect", func(w http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+ claims, ok := ctx.Value(MWKey("claims")).(*MgmtClaims)
+ if !ok {
+ msg := `{"error":"failure to ping: 1"}`
+ fmt.Println("touch no claims", claims)
+ http.Error(w, msg+"\n", http.StatusBadRequest)
+ return
+ }
+
+ w.Write([]byte(fmt.Sprintf(`{ "domains": [ "%s.%s" ] }`+"\n", claims.Slug, primaryDomain)))
+ })
+
 r.Route("/register-device", func(r chi.Router) {
 // r.Use() // must NOT have slug '*'
diff --git a/mplexer/mgmt-ping.sh b/mplexer/mgmt-ping.sh
index 0dde3ca..128c343 100644
--- a/mplexer/mgmt-ping.sh
+++ b/mplexer/mgmt-ping.sh
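Review bot: The usage line in `help()` presents `--secret` as the way to supply the JWT signing key, but a secret passed as a flag is readable from the process list and shell history on the host. The third hunk's context shows `*secret = os.Getenv("SECRET")`, so `main` appears to accept the key from the environment as well, and the help text should point operators there. It should also give `--domain` a placeholder and use the same length wording as the flag description, e.g. `"Usage: mgmt --domain <base domain> --secret <random string, >= 16 chars> (or set SECRET in the environment)\n"`. `help()` has no doc comment; `// help prints the command-line usage to stderr.` would do.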
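Review bot: `primaryDomain` is accepted verbatim as long as it is non-empty, in the block added after `flag.Parse()`, yet the `/inspect` handler in route.go joins it onto the client's slug to form a hostname. A value with surrounding whitespace, a leading or trailing dot, or mixed case would flow straight into the names handed to clients. Normalizing once at startup keeps every later use consistent, for example `primaryDomain = strings.ToLower(strings.Trim(strings.TrimSpace(*domain), "."))`, which needs `strings` in this file's imports (the import block is outside the hunk). `main` continues outside the hunk, so later validation may exist that is not visible here.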
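Review bot: The branch in `main` that now calls `help()` rejects only an empty secret, while the flag description asks for at least 16 characters and the usage text for 128 bits. If the tokens are HMAC-signed, as a shared string secret suggests, a short key can be guessed offline from any issued token, so the documented minimum should be enforced here: `if len(*secret) < 16 {` in place of `if "" == *secret {`. The `return` after `os.Exit(1)` is unreachable and can be dropped. The block that sets the secret from `SECRET` starts outside the hunk, so a length check elsewhere cannot be ruled out.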
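Review bot: The success path of the new `/inspect` handler builds its JSON with `fmt.Sprintf` and `%s`, so a quote or backslash in `claims.Slug` or `primaryDomain` yields malformed or altered JSON, and no `Content-Type` is set. Encoding the value avoids both: `w.Header().Set("Content-Type", "application/json")` followed by `json.NewEncoder(w).Encode(map[string][]string{"domains": {claims.Slug + "." + primaryDomain}})`, assuming `encoding/json` is imported in route.go (the import block is outside the hunk). The error branch still carries the ping handler's wording (`failure to ping: 1`, `touch no claims`), goes through `http.Error`, which labels the JSON body as text/plain, and answers 400 where missing claims reads more like 401. The comment just below mentions a `'*'` slug; if such tokens can reach this route the response would advertise `*.<domain>`, which is worth confirming is intended.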
@@ -20,3 +20,4 @@ echo "PPID: $my_ppid KeyID: $my_keyid"
 TOKEN=$(go run cmd/signjwt/*.go $my_ppid)
 curl -X POST http://localhost:3000/api/ping -H "Authorization: Bearer ${TOKEN}"
+curl -X POST http://localhost:3000/api/inspect -H "Authorization: Bearer ${TOKEN}"