diff --git a/mockid/mockid_test.go b/mockid/mockid_test.go
index 480e344..80a0ebd 100644
--- a/mockid/mockid_test.go
+++ b/mockid/mockid_test.go
@@ -67,7 +67,7 @@ func TestMain(m *testing.M) {
 func TestVerifyExpired(t *testing.T) {
 	jwt := "eyJfc2VlZCI6LTEzMDY3NDU1MDQxNDQsImFsZyI6IlJTMjU2IiwiandrIjp7ImUiOiJBUUFCIiwia2lkIjoiSEZ4ZTlGV1dVc2N3bjltaVozSXNJeWMwMjMtbEJ1UmtvOEJpVV9IRG9KOCIsImt0eSI6IlJTQSIsIm4iOiJ2NUZkSTdYaC0wekxWVEVQZl94ekdIUVpDcEZ2MWR2N2h3eHhrVjctYmxpYmt6LXIxUG9lZ3lQYzFXMjZlWFBvd0xQQXQ3a3dHQnVOdjdMVjh5MEtvMkxOZklaXzRILW54SkJPaWIybXlHOVVfQ29WRDBiM3NBWTdmcDd2QlV1bTBXYVM4R3hZOGtYU0ZOS0VTY0NDNVBpSmFyblNISk1PcUdIVm51YmpsSjl5c1NyNmNsaGpxc0R4dU9qOHpxamF2MUFxek1STWVpRl9CREJsOUFoUGNZSHpHN0JtaXB5UEo2XzBwdWNLTi0tUDZDRk92d05SVGx2ek41RmlRM3VHcy1fMHcwQzVMZWJ6N21BNmJNTFdXc0tRRFBvb3cxallCWHJKdVF1WkZoSmxLMmdidm9ZcV85dWhfLUM1Z3pPZnR4UHBCNnhtY3RfelVaeUdwUUxnQlEiLCJ1c2UiOiJzaWcifSwidHlwIjoiSldUIn0.eyJleHAiOjE1OTY2MTQ3NTYsInN1YiI6ImJhbmFuYXMifQ.qHpzlglOfZMzE3CTNAUXld_wC62JTAJuoQfMaNeFa-XPtYB2Maj8_w3YmRZg_q5S6y9ToCmZ8nWd1kuMheA5qBKOUQeQH47Jts5zWLd0UBckIHo5lK4mk0bUWuiNgr7c9DY6k1DIdFaavyWCXbhFwG0X83qlMhQlPh02dDpCuU78Nn2hF3mZETQKpBIVESYtfeU1Xy3OU_am0kwcN2klLcdweOcrLx_ONfcvAGY3KiIdFiz0ViySAsQ39BiSSvoDYqOOOi41Hky67bnyZQOdalQC_95McTeXApzmGXRUE74Gj-S8c9e5it5d4QZLPaQ1JHzUKz1s7TPvThIn58NA-g"
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/verify")
+	urlstr, _ := url.Parse(srv.URL + "/debug/verify")
 
 	req := &http.Request{
 		Method: "POST",
@@ -95,7 +95,7 @@ func TestVerifyExpired(t *testing.T) {
 func TestVerifySelfSignedJWT(t *testing.T) {
 	jwt := "eyJfc2VlZCI6LTEzMDY3NDU1MDQxNDQsImFsZyI6IlJTMjU2IiwiandrIjp7ImUiOiJBUUFCIiwia2lkIjoiSEZ4ZTlGV1dVc2N3bjltaVozSXNJeWMwMjMtbEJ1UmtvOEJpVV9IRG9KOCIsImt0eSI6IlJTQSIsIm4iOiJ2NUZkSTdYaC0wekxWVEVQZl94ekdIUVpDcEZ2MWR2N2h3eHhrVjctYmxpYmt6LXIxUG9lZ3lQYzFXMjZlWFBvd0xQQXQ3a3dHQnVOdjdMVjh5MEtvMkxOZklaXzRILW54SkJPaWIybXlHOVVfQ29WRDBiM3NBWTdmcDd2QlV1bTBXYVM4R3hZOGtYU0ZOS0VTY0NDNVBpSmFyblNISk1PcUdIVm51YmpsSjl5c1NyNmNsaGpxc0R4dU9qOHpxamF2MUFxek1STWVpRl9CREJsOUFoUGNZSHpHN0JtaXB5UEo2XzBwdWNLTi0tUDZDRk92d05SVGx2ek41RmlRM3VHcy1fMHcwQzVMZWJ6N21BNmJNTFdXc0tRRFBvb3cxallCWHJKdVF1WkZoSmxLMmdidm9ZcV85dWhfLUM1Z3pPZnR4UHBCNnhtY3RfelVaeUdwUUxnQlEiLCJ1c2UiOiJzaWcifSwidHlwIjoiSldUIn0.eyJleHAiOjE1OTY2MTQ3NTYsInN1YiI6ImJhbmFuYXMifQ.qHpzlglOfZMzE3CTNAUXld_wC62JTAJuoQfMaNeFa-XPtYB2Maj8_w3YmRZg_q5S6y9ToCmZ8nWd1kuMheA5qBKOUQeQH47Jts5zWLd0UBckIHo5lK4mk0bUWuiNgr7c9DY6k1DIdFaavyWCXbhFwG0X83qlMhQlPh02dDpCuU78Nn2hF3mZETQKpBIVESYtfeU1Xy3OU_am0kwcN2klLcdweOcrLx_ONfcvAGY3KiIdFiz0ViySAsQ39BiSSvoDYqOOOi41Hky67bnyZQOdalQC_95McTeXApzmGXRUE74Gj-S8c9e5it5d4QZLPaQ1JHzUKz1s7TPvThIn58NA-g"
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/verify?exp=false")
+	urlstr, _ := url.Parse(srv.URL + "/debug/verify?exp=false")
 
 	req := &http.Request{
 		Method: "POST",
@@ -127,8 +127,8 @@ func TestVerifySelfSignedJWT(t *testing.T) {
 
 func TestSelfSign(t *testing.T) {
 	client := srv.Client()
-	//urlstr, _ := url.Parse(srv.URL + "/jose.jws.json")
-	urlstr, _ := url.Parse(srv.URL + "/jose.jws.jwt")
+	//urlstr, _ := url.Parse(srv.URL + "/debug/jose.jws.json")
+	urlstr, _ := url.Parse(srv.URL + "/debug/jose.jws.jwt")
 
 	//fmt.Println("URL:", srv.URL, urlstr)
 	tokenRequest := []byte(`{"seed":"test","header":{"_jwk":true},"claims":{"sub":"bananas","exp":"10m"}}`)
@@ -158,7 +158,7 @@ func TestSelfSign(t *testing.T) {
 
 func TestGenerateJWK(t *testing.T) {
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/private.jwk.json")
+	urlstr, _ := url.Parse(srv.URL + "/debug/private.jwk.json")
 	//fmt.Println("URL:", srv.URL, urlstr)
 	res, err := client.Do(&http.Request{
 		Method: "POST",
@@ -216,7 +216,7 @@ func TestGenerateJWK(t *testing.T) {
 func TestGenWithSeed(t *testing.T) {
 	// Key A
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/private.jwk.json")
+	urlstr, _ := url.Parse(srv.URL + "/debug/private.jwk.json")
 	res, err := client.Do(&http.Request{
 		Method: "POST",
 		URL:    urlstr,
@@ -243,7 +243,7 @@ func TestGenWithSeed(t *testing.T) {
 	for i := 0; i < 8; i++ {
 		// Key B
 		client = srv.Client()
-		urlstr, _ = url.Parse(srv.URL + "/private.jwk.json")
+		urlstr, _ = url.Parse(srv.URL + "/debug/private.jwk.json")
 		res, err = client.Do(&http.Request{
 			Method: "POST",
 			URL:    urlstr,
@@ -278,7 +278,7 @@ func TestGenWithSeed(t *testing.T) {
 func TestGenWithRand(t *testing.T) {
 	// Key A
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/private.jwk.json")
+	urlstr, _ := url.Parse(srv.URL + "/debug/private.jwk.json")
 	res, err := client.Do(&http.Request{
 		Method: "POST",
 		URL:    urlstr,
@@ -303,7 +303,7 @@ func TestGenWithRand(t *testing.T) {
 
 	// Key B
 	client = srv.Client()
-	urlstr, _ = url.Parse(srv.URL + "/private.jwk.json")
+	urlstr, _ = url.Parse(srv.URL + "/debug/private.jwk.json")
 	res, err = client.Do(&http.Request{
 		Method: "POST",
 		URL:    urlstr,
@@ -334,7 +334,7 @@ func TestGenWithRand(t *testing.T) {
 
 func TestGeneratePEM(t *testing.T) {
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/priv.pem")
+	urlstr, _ := url.Parse(srv.URL + "/debug/priv.pem")
 	//fmt.Println("URL:", srv.URL, urlstr)
 	res, err := client.Do(&http.Request{
 		Method: "POST",
@@ -377,7 +377,7 @@ func TestGeneratePEM(t *testing.T) {
 
 func TestPublicJWKWithKey(t *testing.T) {
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/public.jwk.json")
+	urlstr, _ := url.Parse(srv.URL + "/debug/public.jwk.json")
 	//fmt.Println("URL:", srv.URL, urlstr)
 	res, err := client.Do(&http.Request{
 		Method: "POST",
@@ -434,7 +434,7 @@ func TestPublicJWKWithKey(t *testing.T) {
 
 func TestPublicPEMWithSeed(t *testing.T) {
 	client := srv.Client()
-	urlstr, _ := url.Parse(srv.URL + "/pub.pem")
+	urlstr, _ := url.Parse(srv.URL + "/debug/pub.pem")
 	//fmt.Println("URL:", srv.URL, urlstr)
 	res, err := client.Do(&http.Request{
 		Method: "POST",
diff --git a/mockid/route.go b/mockid/route.go
index 437393a..63913e5 100644
--- a/mockid/route.go
+++ b/mockid/route.go
@@ -182,17 +182,17 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
 	})
 
 	// TODO add /debug prefix
-	http.HandleFunc("/private.jwk.json", api.GeneratePrivateJWK)
-	http.HandleFunc("/priv.der", api.GeneratePrivateDER)
-	http.HandleFunc("/priv.pem", api.GeneratePrivatePEM)
+	http.HandleFunc("/debug/private.jwk.json", api.GeneratePrivateJWK)
+	http.HandleFunc("/debug/priv.der", api.GeneratePrivateDER)
+	http.HandleFunc("/debug/priv.pem", api.GeneratePrivatePEM)
 
-	http.HandleFunc("/public.jwk.json", api.GeneratePublicJWK)
-	http.HandleFunc("/pub.der", api.GeneratePublicDER)
-	http.HandleFunc("/pub.pem", api.GeneratePublicPEM)
+	http.HandleFunc("/debug/public.jwk.json", api.GeneratePublicJWK)
+	http.HandleFunc("/debug/pub.der", api.GeneratePublicDER)
+	http.HandleFunc("/debug/pub.pem", api.GeneratePublicPEM)
 
-	http.HandleFunc("/jose.jws.json", api.SignJWS)
-	http.HandleFunc("/jose.jws.jwt", api.SignJWT)
-	http.HandleFunc("/verify", api.Verify)
+	http.HandleFunc("/debug/jose.jws.json", api.SignJWS)
+	http.HandleFunc("/debug/jose.jws.jwt", api.SignJWT)
+	http.HandleFunc("/debug/verify", api.Verify)
 
 	http.HandleFunc("/inspect_token", func(w http.ResponseWriter, r *http.Request) {
 		token := r.Header.Get("Authorization")