diff --git a/oauth3.core.js b/oauth3.core.js
index 812f14d..3012630 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -5,6 +5,11 @@
 
   var core = {};
 
+  function getDefaultAppApiBase() {
+    console.warn('[deprecated] using window.location.host when opts.appApiBase should be used');
+    return 'https://' + window.location.host;
+  }
+
   core.stringifyscope = function (scope) {
     if (Array.isArray(scope)) {
       scope = scope.join(' ');
@@ -64,6 +69,26 @@
     return argsParsed;
   };
 
+  core.discover = function (providerUri, opts) {
+    if (!providerUri) {
+      throw new Error("cannot discover without providerUri");
+    }
+    if (!opts.state) {
+      throw new Error("cannot discover without opts.state");
+    }
+    if (!opts.appUrl) {
+      throw new Error("cannot discover without opts.appUrl");
+    }
+
+    var params = {
+      action: 'directives'
+    , state: opts.state
+    , redirect_uri: opts.appUrl + (opts.appCallbackPath || '/.well-known/oauth3/callback.html')
+    };
+
+    return providerUri + '/.well-known/oauth3/directives.html#' + core.querystringify(params);
+  };
+
   core.authorizationCode = function (/*directive, scope, redirectUri, clientId*/) {
     //
     // Example Authorization Code Request
@@ -126,7 +151,7 @@
     // as an automatic mechanism when it isn't necessary to specify
     if ('string' !== typeof authorizationRedirect) {
       // TODO oauth3.json for self?
-      authorizationRedirect = 'https://' + window.location.host
+      authorizationRedirect = (opts.appApiBase || getDefaultAppApiBase())
         + '/api/org.oauth3.consumer/authorization_redirect/:provider_uri';
     }
     authorizationRedirect = authorizationRedirect
diff --git a/oauth3.js b/oauth3.js
index dfb304a..b37dc44 100644
--- a/oauth3.js
+++ b/oauth3.js
@@ -7,6 +7,14 @@
 
   var core = exports.OAUTH3_CORE || require('./oauth3.core.js');
 
+  function getDefaultAppUrl() {
+    console.warn('[deprecated] using window.location.{protocol, host, pathname} when opts.appUrl should be used');
+    return window.location.protocol
+      + '//' + window.location.host
+      + (window.location.pathname).replace(/\/?$/, '/')
+      ;
+  }
+
   oauth3.requests = logins;
 
   if ('undefined' !== typeof Promise) {
@@ -442,6 +450,24 @@
   };
 
   oauth3._discoverHelper = function (providerUri, opts) {
+    return oauth3._discoverHelperNew(providerUri, opts).then(function () {
+    }, function () {
+      console.warn('[directives] fallback to old /oauth3.html');
+      return oauth3._discoverHelperOld(providerUri, opts);
+    });
+  };
+  oauth3._discoverHelperNew = function (providerUri, opts) {
+    opts = opts || {};
+    var state = oauth3.createState();
+    var url = oauth3.core.discover(providerUri, { state: state, appUrl: (opts.appUrl || getDefaultAppUrl()) });
+
+    return oauth3.insertIframe(url, state, opts).then(function (directives) {
+      return directives;
+    }, function (err) {
+      return oauth3.PromiseA.reject(err);
+    });
+  };
+  oauth3._discoverHelperOld = function (providerUri, opts) {
     opts = opts || {};
     var state = oauth3.createState();
     var params;
@@ -452,7 +478,7 @@
     , state: state
       // TODO this should be configurable (i.e. I want a dev vs production oauth3.html)
     , redirect_uri: window.location.protocol + '//' + window.location.host
-        + window.location.pathname + 'oauth3.html'
+        + (window.location.pathname + '/oauth3.html').replace(/\/\//, '/')
     };
 
     url = providerUri + '/oauth3.html#' + core.querystringify(params);