diff --git a/index.html b/index.html
index 79bf66b..1a86e30 100644
--- a/index.html
+++ b/index.html
@@ -426,7 +426,7 @@
                 <textarea class="form-control" ng-model="vm.accessToken" ng-change="vm.api.jwt.decode()"></textarea>
                 <textarea ng-if="vm.refreshToken" class="form-control" ng-model="vm.refreshToken" ng-change="vm.api.jwt.decodeRefresh()"></textarea>
 
-                <pre ng-if="vm.ropSession"><code ng-bind="vm.ropSession | json"></code></pre>
+                <pre ng-if="vm.ropToken"><code ng-bind="vm.ropToken | json"></code></pre>
               </div>
             </div>
 
@@ -467,22 +467,25 @@
               <br>
               <br>
               <div class="col-md-3">
-                <strong>Approved Devices</strong>
+                <strong>Approved Apps</strong>
                 <br>
                 (these are the public keys generated on remember-me devices and the opaque tokens issued to remember-me-not devices)
               </div>
               <div class="col-md-9">
-                <button class="btn btn-default" ng-click="vm.api.authn.verify()" ng-disabled="!vm.form.accessToken">List Devices</button>
+                <button class="btn btn-default" ng-click="vm.api.authz.grants()" ng-disabled="!vm.form.accessToken">List App Grants</button>
                 <br>
 
-                <div ng-if="vm.urls.publicKeys">
-                  <pre><code><span ng-bind="vm.urls.publicKeys.method"></span> <span ng-bind="vm.urls.publicKeys.url"></span>
-<span ng-if="vm.urls.publicKeys.headers" ng-bind="vm.urls.publicKeys.headers | json"></span>
-<span ng-bind="vm.urls.publicKeys.data | json"></span>
+                <pre><code>OAUTH3.urls.grants(directives, opts);</code></pre>
+                <pre><code>OAUTH3.authz.grants(directives, <span ng-bind="vm.api.authz._grantsOpts_"></span>);</code></pre>
+
+                <div ng-if="vm.urls.grants">
+                  <pre><code><span ng-bind="vm.urls.grants.method"></span> <span ng-bind="vm.urls.grants.url"></span>
+<span ng-if="vm.urls.grants.headers" ng-bind="vm.urls.grants.headers | json"></span>
+<span ng-bind="vm.urls.grants.data | json"></span>
 </code></pre>
-                  <pre ng-if="vm.responses.publicKeys"><code><span ng-bind="vm.responses.publicKeys.status"></span>
-<span ng-if="vm.responses.publicKeys.headers" ng-bind="vm.responses.publicKeys.headers | json"></span>
-<span ng-bind="vm.responses.publicKeys.data | json"></span>
+                  <pre ng-if="vm.responses.grants"><code><span ng-bind="vm.responses.grants.status"></span>
+<span ng-if="vm.responses.grants.headers" ng-bind="vm.responses.grants.headers | json"></span>
+<span ng-bind="vm.responses.grants.data | json"></span>
 </code></pre>
                 </div>
                 ...
diff --git a/js/playground.js b/js/playground.js
index 9577dc6..4e4320c 100644
--- a/js/playground.js
+++ b/js/playground.js
@@ -56,6 +56,12 @@
     // Convenience for our app
     //
     vm.fn = {};
+    vm.fn.updateUrls = function () {
+      Object.keys(vm.api.urls).forEach(function (key) {
+        var fn = vm.api.urls[key];
+        fn();
+      });
+    };
     vm.fn._debounce = {};
     vm.fn.debounceUi = function () {
       if (vm.debouncing.user || vm.debouncing.provider) {
@@ -162,7 +168,7 @@
         return key;
       }).join(',');
 
-      vm.api.urls.implicitGrant();
+      vm.fn.updateUrls(); // vm.api.urls.implicitGrant();
     };
 
     vm.fn.lock = function () {
@@ -189,13 +195,15 @@
     vm.api.authn = {};
     vm.api.jwt = {};
     vm.api.urls.credentialMeta = function () {
+      if (!vm.directives ||!vm.directives.credential_meta || !vm.form.id) { return; }
       vm.urls.credentialMeta = OAUTH3.urls.credentialMeta(vm.directives, { email: vm.form.id });
     };
     vm.api.urls.otp = function () {
+      if (!vm.directives || !vm.form.id) { return; }
       vm.urls.otp = OAUTH3.urls.otp(vm.directives, { email: vm.form.id });
     };
     vm.api.authn.otp = function () {
-      vm.api.urls.otp();
+      vm.fn.updateUrls(); // vm.api.urls.otp();
       OAUTH3.authn.otp(vm.directives, { email: vm.form.id }).then(function (resp) {
         vm.responses.otp = resp;
         vm.form.otpUuid = resp.data.code_id;
@@ -205,12 +213,14 @@
         console.log('vm.form.otpUuid:');
         console.log(vm.form.otpUuid);
 
-        vm.api.urls.resourceOwnerPassword();
+        vm.fn.updateUrls(); // vm.api.urls.resourceOwnerPassword();
       });
     };
     vm.api.authn.credentialMeta = function () {
-      vm.api.urls.credentialMeta();
-      OAUTH3.authn.loginMeta(vm.directives, { email: vm.form.id });
+      vm.fn.updateUrls(); // vm.api.urls.credentialMeta();
+      OAUTH3.authn.loginMeta(vm.directives, { email: vm.form.id }).then(function () {
+        vm.fn.updateUrls(); // vm.api.urls.credentialMeta();
+      });
     };
 
 
@@ -237,24 +247,28 @@
       };
     };
     vm.api.urls.resourceOwnerPassword = function () {
+      if (!vm.directives || !vm.form.otpUuid) { return; }
       vm.urls.resourceOwnerPassword = OAUTH3.urls.resourceOwnerPassword(vm.directives, vm.api.authn._ropOpts());
     };
     vm.api.authn.resourceOwnerPassword = function () {
-      vm.api.urls.resourceOwnerPassword();
+      vm.fn.updateUrls(); // vm.api.urls.resourceOwnerPassword();
       OAUTH3.authn.resourceOwnerPassword(vm.directives, vm.api.authn._ropOpts()).then(function (resp) {
         vm.responses.resourceOwnerPassword = { status: 0, data: resp };
         vm.form.accessToken = vm.accessToken = resp.access_token;
         vm.form.refreshToken = vm.refreshToken = resp.refresh_token;
-        vm.ropSession = resp.token;
+        vm.ropSession = resp;
+        vm.ropToken = resp.token;
+
+        vm.fn.updateUrls(); // vm.api.urls.resourceOwnerPassword(); also grants
       });
     };
 
 
     vm.api.jwt.decode = function () {
-      vm.ropSession = OAUTH3.jwt.decode(vm.form.accessToken || vm.accessToken);
+      vm.ropToken = OAUTH3.jwt.decode(vm.form.accessToken || vm.accessToken);
     };
     vm.api.jwt.decodeRefresh = function () {
-      vm.ropSession = OAUTH3.jwt.decode(vm.form.refreshToken || vm.refreshToken);
+      vm.ropToken = OAUTH3.jwt.decode(vm.form.refreshToken || vm.refreshToken);
     };
 
     vm.api.providerUri = function () {
@@ -406,6 +420,32 @@
         vm.session = session;
       });
     };
+    vm.api.authz = {};
+    vm.api.authz._grantsOpts = function () {
+      return vm.api.authz._grantsOpts_ = {
+        method: 'GET'
+      , client_id: vm.conf.client_id
+      , client_uri: vm.conf.client_uri
+      , session: vm.ropSession
+      , debug: vm.conf.debug
+      , all: true
+      };
+    };
+    vm.api.urls.grants = function () {
+      if (!vm.directives || !vm.ropSession || !vm.form.id) { return; }
+      vm.urls.grants = OAUTH3.urls.grants(vm.directives, vm.api.authz._grantsOpts());
+    };
+    vm.api.authz.grants = function () {
+      vm.fn.updateUrls(); // vm.api.urls.grants();
+      return OAUTH3.authz.grants(vm.form.provider, vm.api.authz._grantsOpts()).then(function (resp) {
+        vm.responses.grants = { status: 0, data: resp };
+        vm.fn.updateUrls(); // vm.api.urls.grants();
+      }, function (err) {
+        console.error('[error] authz.grants:');
+        console.error(err);
+        vm.error = err;
+      });
+    };
 
     vm.form.provider = vm.defaults.provider;
     vm.validated.provider = vm.defaults.provider;