diff --git a/accounts.js b/accounts.js
index 232e482..6429c03 100644
--- a/accounts.js
+++ b/accounts.js
@@ -177,8 +177,8 @@ function create(app) {
       return createOtp(store, params).then(function (code) {
         var emailParams = {
           to:      params.username,
-          from:    'login@daplie.com',
-          replyTo: 'hello@daplie.com',
+          from:    'login@mg.hellabit.com',
+          replyTo: 'hello@mg.hellabit.com',
           subject: "Use " + code.code + " as your Login Code",
           text: "Your login code is:\n\n"
                 + code.code
@@ -202,6 +202,23 @@ function create(app) {
     app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
   };
 
+  restful.exchangeToken = function (req, res) {
+    var OAUTH3 = require('./oauth3.js');
+    console.log('[exchangeToken] req.oauth3:');
+    console.log(req.oauth3); // req.oauth3.encodedToken
+
+    console.log('[exchangeToken] OAUTH3.jwk:');
+    console.log(OAUTH3.jwk);
+
+    var promise = OAUTH3.jwk.verifyToken(req.oauth3.encodedToken).then(function (result) {
+      console.log('[exchangeToken] verifyToken result:');
+      console.log(result);
+      return { error: { code: "E_NO_IMPL", message: "not implemented [183]" } };
+    });
+
+    app.handlePromise(req, res, promise, '[issuer@oauth3.org] exchangeToken');
+  };
+
   restful.createToken = function (req, res) {
     var store;
     var promise = req.getSiteStore().then(function (_store) {
diff --git a/models.js b/models.js
index 8e1e017..d9298ef 100644
--- a/models.js
+++ b/models.js
@@ -1,7 +1,7 @@
 'use strict';
 
 var apiname = 'issuer_oauth3_org';
-var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt' ];
+var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt', 'revokedAt', 'insertedAt' ];
 
 module.exports = [
   {
@@ -15,6 +15,18 @@ module.exports = [
     indices: baseFields.concat([ 'code', 'expires' ]),
   },
   {
+    tablename: apiname + '_credentials',
+    idname: 'id',
+    // credentialId = ppid@iss
+    indices: baseFields.concat([ 'credentialId', 'sub', 'iss', 'typ' ]), // comment, recoveryCredential
+  },
+  {
+    tablename: apiname + '_credentials_profiles',
+    idname: 'id',
+    // credentialId = ppid@iss
+    indices: baseFields.concat([ 'credentialId', 'profileId' ]),
+  },
+  { // TODO rename to profiles
     tablename: apiname + '_accounts',
     idname: 'username',
     indices: baseFields.concat([ 'accountId' ]),
@@ -33,5 +45,5 @@ module.exports = [
     tablename: apiname + '_grants',
     idname: 'id',
     indices: baseFields.concat([ 'sub', 'azp', 'azpSub', 'scope' ]),
-  },
+  }
 ];
diff --git a/rest.js b/rest.js
index f10532f..056241a 100644
--- a/rest.js
+++ b/rest.js
@@ -48,6 +48,8 @@ module.exports.create = function (bigconf, deps, app) {
   app.post(  '/access_token/:sub/:aud/:azp',    Accounts.restful.createToken);
   app.post(  '/access_token',                   Accounts.restful.createToken);
 
+  app.post(  '/exchange_token',                 Accounts.restful.exchangeToken);
+
   app.use(   '/acl/profile',                    attachSiteModels);
   app.get(   '/acl/profile',                    Accounts.restful.getProfile);
   app.post(  '/acl/profile',                    Accounts.restful.setProfile);