diff --git a/packages/apis/com.daplie.goldilocks/index.js b/packages/apis/com.daplie.goldilocks/index.js
index 50281c8..9cf7880 100644
--- a/packages/apis/com.daplie.goldilocks/index.js
+++ b/packages/apis/com.daplie.goldilocks/index.js
@@ -43,6 +43,7 @@ module.exports.create = function (deps, conf) {
 function isAuthorized(req, res, fn) {
 var auth = jwt.decode((req.headers.authorization||'').replace(/^bearer\s+/i, ''));
 if (!auth) {
+ res.statusCode = 401;
 res.setHeader('Content-Type', 'application/json;');
 res.end(JSON.stringify({ error: { message: "no token", code: 'E_NO_TOKEN', uri: undefined } }));
 return;
@@ -51,6 +52,7 @@ module.exports.create = function (deps, conf) {
 var id = crypto.createHash('sha256').update(auth.sub).digest('hex');
 return deps.storage.owners.exists(id).then(function (exists) {
 if (!exists) {
+ res.statusCode = 401;
 res.setHeader('Content-Type', 'application/json;');
 res.end(JSON.stringify({ error: { message: "not authorized", code: 'E_NO_AUTHZ', uri: undefined } }));
 return;
@@ -113,6 +115,7 @@ module.exports.create = function (deps, conf) {
 err = new Error(
 "When creating an owner the Authorization Bearer and Token and Refresh must all match"
 );
+ err.statusCode = 400;
 return deps.PromiseA.reject(err);
 }
 console.log('no owner, creating');
@@ -125,6 +128,7 @@ module.exports.create = function (deps, conf) {
 return scmp(id, token.id);
 })) {
 err = new Error("Authorization token does not belong to an existing owner.");
+ err.statusCode = 401;
 return deps.PromiseA.reject(err);
 }
 console.log('has correct owner');
@@ -143,6 +147,7 @@ module.exports.create = function (deps, conf) {
 })
 .catch(function (err) {
 res.setHeader('Content-Type', 'application/json;');
+ res.statusCode = err.statusCode || 500;
 res.end(JSON.stringify({ error: { message: err.message, code: err.code, uri: err.uri } }));
 });
 
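Review bot: In `isAuthorized` the bearer token only passes through `jwt.decode(...)`, and the added 401 fires solely when decoding yields nothing. If `jwt` is the jsonwebtoken package (the require is outside this hunk), `decode` parses the payload without checking the signature, so the `sub` claim used for the owner lookup in the next hunk is caller-supplied. The token should go through `jwt.verify` with the issuer's key (or whatever verification this deployment relies on) before `auth.sub` is trusted. A 401 is also expected to carry a challenge, e.g. `res.setHeader('WWW-Authenticate', 'Bearer');` next to the added `res.statusCode = 401;`. The function body continues outside the hunk.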
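Review bot: `crypto.createHash('sha256').update(auth.sub)` runs before the promise chain starts, so a decoded token with a missing or non-string `sub` makes `update` throw synchronously instead of reaching the new 401 branch. Guard it before hashing, for example by widening the earlier check to `if (!auth || typeof auth.sub !== 'string') {`. No rejection handler for `deps.storage.owners.exists(id)` is visible in this hunk; the chain continues outside it, so confirm that a storage failure still ends the response.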
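Review bot: The two errors that now receive `err.statusCode` (400 in the `-113,6 +115,7` hunk, 401 in the `-125,6 +128,7` hunk) still have no `code` set between `new Error(...)` and `deps.PromiseA.reject(err)`. The `.catch` at the end of the chain serializes `code: err.code`, and `isAuthorized` answers with `E_NO_TOKEN` / `E_NO_AUTHZ`, so for these two failures the `code` field is dropped from the JSON body and clients have to match on message text. Consider setting a code next to each status, e.g. `err.code = 'E_TOKEN_MISMATCH';` (name constructed for illustration). The enclosing function starts and ends outside both hunks.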
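Review bot: With `res.statusCode = err.statusCode || 500;` every error lacking a `statusCode` is treated as an internal failure, yet the following `res.end(...)` still sends `err.message`, `err.code` and `err.uri` to the caller. In the 500 case those values come from storage or library errors and can expose internal detail; return a generic message when `err.statusCode` is unset and log the original server-side, e.g. `message: err.statusCode ? err.message : 'internal error'`. It is also worth confirming that no library error can arrive here with its own `statusCode`, since that value would be relayed as the response status. The promise chain begins outside the hunk.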
@@ -158,22 +163,19 @@ module.exports.create = function (deps, conf) {
 return deps.tunneler.get(req.userId).then(function (result) {
 res.end(JSON.stringify(result));
 }, function (err) {
+ res.statusCode = 500;
 res.end(JSON.stringify({ error: { message: err.message, code: err.code, uri: err.uri } }));
 });
 }
- jsonParser(req, res, function () {
-
- console.log('req.body', req.body);
-
- return deps.storage.owners.get(req.userId).then(function (session) {
- return api.tunnel(deps, session).then(function () {
- res.setHeader('Content-Type', 'application/json;');
- res.end(JSON.stringify({ success: true }));
- }, function (err) {
- res.setHeader('Content-Type', 'application/json;');
- res.end(JSON.stringify({ error: { message: err.message, code: err.code, uri: err.uri } }));
- });
+ return deps.storage.owners.get(req.userId).then(function (session) {
+ return api.tunnel(deps, session).then(function () {
+ res.setHeader('Content-Type', 'application/json;');
+ res.end(JSON.stringify({ success: true }));
+ }, function (err) {
+ res.setHeader('Content-Type', 'application/json;');
+ res.statusCode = 500;
+ res.end(JSON.stringify({ error: { message: err.message, code: err.code, uri: err.uri } }));
 });
 });
 });
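Review bot: The new `deps.storage.owners.get(req.userId).then(function (session) {` has a fulfilment handler only; the rejection handler inside it covers `api.tunnel`, not `owners.get`. If the storage lookup rejects, nothing in the visible lines ends the response, so the request would hang unless the caller of this callback handles the returned promise (not visible here). Pass a second handler or chain a `.catch` that sets `res.statusCode = 500` and ends the response with the same JSON error shape. The error branch of `deps.tunneler.get` above also sets no `Content-Type` in the visible lines, unlike the other error paths.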