diff --git a/etc/goldilocks/goldilocks.example.yml b/etc/goldilocks/goldilocks.example.yml
index c593118..fa0ff12 100644
--- a/etc/goldilocks/goldilocks.example.yml
+++ b/etc/goldilocks/goldilocks.example.yml
@@ -69,7 +69,7 @@ http:
     - name: proxy
       domains:
         - localhost.daplie.me
-      host: locahost
+      host: localhost
       port: 4000
     - name: static
       domains:
diff --git a/lib/tunnel-manager.js b/lib/tunnel-manager.js
index d0a3e58..077c4d7 100644
--- a/lib/tunnel-manager.js
+++ b/lib/tunnel-manager.js
@@ -8,28 +8,34 @@ module.exports.create = function (deps, config) {
 
   var tokensPath = require('path').join(__dirname, '..', 'var', 'tokens.json');
   var storage = {
-    all: function () {
+    _read: function () {
       var tokens;
       try {
         tokens = require(tokensPath);
       } catch (err) {
         tokens = {};
       }
+      return tokens;
+    }
+  , _write: function (tokens) {
+      return fs.writeFileAsync(tokensPath, JSON.stringify(tokens), 'utf8');
+    }
 
+  , all: function () {
+      var tokens = storage._read();
       return PromiseA.resolve(Object.keys(tokens).map(function (key) {
         return tokens[key];
       }));
     }
   , save: function (result) {
-      var tokens;
-      try {
-        tokens = require(tokensPath);
-      } catch (err) {
-        tokens = {};
-      }
-
+      var tokens = storage._read();
       tokens[result.jwt] = result;
-      return fs.writeFileAsync(tokensPath, JSON.stringify(tokens), 'utf8');
+      storage._write(tokens);
+    }
+  , del: function (id) {
+      var tokens = storage._read();
+      delete tokens[id];
+      storage._write(tokens);
     }
   };
 
@@ -75,6 +81,33 @@ module.exports.create = function (deps, config) {
     return activeTunnels[data.tunnelUrl].append(data.jwt);
   }
 
+  function removeToken(data) {
+    if (!data.tunnelUrl) {
+      var decoded;
+      try {
+        decoded = JSON.parse(new Buffer(data.jwt.split('.')[1], 'base64').toString('ascii'));
+      } catch (err) {
+        console.warn('invalid web token given to tunnel manager', err);
+        return PromiseA.reject(err);
+      }
+      if (!decoded.aud) {
+        console.warn('tunnel manager given token with no tunnelUrl or audience');
+        var err = new Error('missing tunnelUrl and audience');
+        return PromiseA.reject(err);
+      }
+      data.tunnelUrl = 'wss://' + decoded.aud + '/';
+    }
+
+    // Not sure if we actually want to return an error that the token didn't even belong to a
+    // server that existed, but since it never existed we can consider it as "removed".
+    if (!activeTunnels[data.tunnelUrl]) {
+      return PromiseA.resolve();
+    }
+
+    console.log('removing token from tunnel at', data.tunnelUrl);
+    return activeTunnels[data.tunnelUrl].clear(data.jwt);
+  }
+
   if (typeof config.tunnel === 'string') {
     config.tunnel.split(',').forEach(function (jwt) {
       addToken({ jwt: jwt, owner: 'config' });
@@ -92,5 +125,10 @@ module.exports.create = function (deps, config) {
         return storage.save(data);
       });
     }
+  , remove: function (data) {
+      return storage.del(data.jwt).then(function () {
+        return removeToken(data);
+      });
+    }
   };
 };