diff --git a/oauth3.js b/oauth3.js
index 9208a47..ed5e4ea 100644
--- a/oauth3.js
+++ b/oauth3.js
@@ -108,6 +108,8 @@
   console.info('[oauth3.hooks.refreshSession] oldSession', JSON.parse(JSON.stringify(oldSession)));
   console.info('[oauth3.hooks.refreshSession] newSession', newSession);
+  // shim for account create which does not return new refresh_token
+  newSession.refresh_token = newSession.refresh_token || oldSession.refresh_token;
   Object.keys(oldSession).forEach(function (key) {
     oldSession[key] = undefined;
   });
@@ -122,13 +124,24 @@
   // info about the newly-discovered token
   oldSession.token = oldSession.meta = core.jwt.decode(oldSession.access_token).payload;
-  oldSession.token.sub = oldSession.token.sub || oldSession.token.acx.id;
+  oldSession.token.sub = oldSession.token.sub
+    || (oldSession.token.acx && oldSession.token.acx.id)
+    || (oldSession.token.axs && oldSession.token.axs.length && oldSession.token.axs[0].appScopedId)
+    ;
   oldSession.token.client_uri = clientUri;
   oldSession.token.provider_uri = providerUri;
-  if (oldSession.refresh_token || oldSession.refreshToken) {
-    oldSession.refresh = core.jwt.decode(oldSession.refresh_token || oldSession.refreshToken).payload;
-    oldSession.refresh.sub = oldSession.refresh.sub || oldSession.refresh.acx.id;
+  if (!oldSession.token.sub) {
+    // TODO this is broken hard
+    console.warn('TODO implementation for OAUTH3.hooks.accounts.create (GUI, CLI, or API)');
+  }
+
+  if (oldSession.refresh_token) {
+    oldSession.refresh = core.jwt.decode(oldSession.refresh_token).payload;
+    oldSession.refresh.sub = oldSession.refresh.sub
+      || (oldSession.refresh.acx && oldSession.refresh.acx.id)
+      || (oldSession.refresh.axs && oldSession.refresh.axs.length && oldSession.refresh.axs[0].appScopedId)
+      ;
     oldSession.refresh.provider_uri = providerUri;
   }
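Review bot: The new shim on the `newSession.refresh_token` line inherits the previous refresh token on every refresh, not only in the account-create case the comment names, so a provider that deliberately rotated or withheld the refresh token still leaves the old one in the stored session, where it keeps being presented after the provider considers it retired. If the shim is meant for the create path only, gate it on that path; otherwise widen the comment so the behaviour is documented, e.g. `// shim: inherit the previous refresh_token whenever the provider omits one (not only on account create)`. The hook logged as oauth3.hooks.refreshSession starts before this hunk and continues after it.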
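Review bot: The new `axs[0].appScopedId` fallback on the `oldSession.token.sub` chain takes the first app-scoped identity regardless of how many entries `axs` carries, and when `axs` is an empty array the `&&` chain leaves `sub` set to `0` rather than undefined, so the persisted session carries a numeric zero as its subject; ending the chain with `|| undefined;` in place of the bare `;` keeps the value empty in that case, and the same applies to the `oldSession.refresh.sub` chain further down. The following `if (!oldSession.token.sub)` branch only warns and continues, so a session with no resolvable subject is still written back; if later code depends on `sub` (not visible here), the hook should stop rather than log. As far as this hunk shows, `core.jwt.decode(...).payload` is read without a signature check, so `sub` and the `acx`/`axs` fallbacks are taken on trust from the token; worth confirming that the decode verifies, or documenting on the `// info about the newly-discovered token` comment that the identity recorded here is unverified.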
@@ -205,7 +218,7 @@
     // TODO check session.token.aud against preq.url to make sure they match
     console.warn("[security] session audience checking has not been implemented yet (it's up to you to check)");
     preq.headers = preq.headers || {};
-    preq.headers.Authorization = 'Bearer ' + (preq.session.access_token || preq.session.accessToken);
+    preq.headers.Authorization = 'Bearer ' + preq.session.access_token;
   }
   if (!oauth3._lintRequest) {
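Review bot: Dropping the `accessToken` fallback leaves the `Authorization` line with no check that `preq.session.access_token` is present, so a session stored under the old camelCase field, or one with no token at all, now sends the literal header `Bearer undefined` and fails at the provider instead of locally with a clear cause. A guard before the assignment makes that explicit: `if (!preq.session.access_token) { throw new Error('[oauth3] session has no access_token'); }`. The enclosing function starts and ends outside this hunk.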