diff --git a/README.md b/README.md
index 881a3d6..4f8ac1d 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,16 @@ Implementation Details
 - https://cloud.google.com/service-usage/docs/getting-started#api
 - https://github.com/google/oauth2l
+# Test This First!
+
+Edit the file `oauth2l-test-token.sh`
+
+Change the location of `service_account.json` to whatever it needs to be.
+
+Change the `project` to the name of your project.
+
+If that doesn't work, something is wrong with your credentials, nothing else will work.
+
 # Usage
 First you create an instance with your credentials:
diff --git a/lib/auth.js b/lib/auth.js
index 29df035..d8c4c83 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -28,7 +28,8 @@ module.exports.generateToken = function(serviceAccount) {
 kid: sa.private_key_id
 },
 claims: {
- aud: 'ndev.clouddns.readwrite',
+ //aud: 'ndev.clouddns.readwrite',
+ aud: 'https://www.googleapis.com/auth/ndev.clouddns.readwrite',
 sub: sa.client_email
 }
 });
diff --git a/oauth2l-test-token.sh b/oauth2l-test-token.sh
new file mode 100644
index 0000000..129b916
--- /dev/null
+++ b/oauth2l-test-token.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# If your service_account.json is correct you should definitely be able to get a token
+# using Google's official tool. If this fails, it will definitely fail with our own.
+
+set -e
+
+export GOOGLE_APPLICATION_CREDENTIALS=$HOME/Downloads/service_account.json
+project=example-change-me
+
+token=$(oauth2l fetch ndev.clouddns.readwrite)
+echo $token
+curl -fL "https://www.googleapis.com/dns/v1/projects/$project/managedZones" -H "Authorization: Bearer $token"
+
+token=$(oauth2l fetch --jwt https://www.googleapis.com/auth/ndev.clouddns.readwrite)
+echo $token
+curl -fL "https://www.googleapis.com/dns/v1/projects/$project/managedZones" -H "Authorization: Bearer $token"
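Review bot: In the lib/auth.js hunk the previous value is left behind as a commented-out line (`//aud: 'ndev.clouddns.readwrite',`) and the new `aud` carries no explanation of why this exact string is required. The `aud` claim names the recipient a signed token is valid for, and the new value is a scope-style URL under `/auth/`, so the next maintainer cannot tell from the code whether it is deliberate. I would delete the dead line and put a short comment above the claim, for example `// aud must be the full URL form; the bare scope name was not accepted`, worded to match what was actually observed (the test script's `--jwt` call uses the same string). generateToken starts and ends outside this hunk, so how the claims are signed and what lifetime they get is not visible here.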
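Review bot: Both `echo $token` lines in oauth2l-test-token.sh print a live bearer credential for the Cloud DNS read/write scope to stdout, where it ends up in terminal scrollback, shell session recordings or CI logs. The script only needs to show that a token was obtained, so print a non-secret confirmation instead, for example `echo "token acquired (${#token} chars)" >&2`, and let the following `curl -f` prove the token works. The same token is also passed on curl's command line through `-H`, which is visible in the process list while the request runs; on a shared machine that is worth a comment at the top of the script. Separately, letting the environment override the key path with `export GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-$HOME/Downloads/service_account.json}"` avoids editing a tracked file to point at a private key.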