diff --git a/lib/oauth3.js b/lib/oauth3.js
index 3dd1b16..27d7220 100644
--- a/lib/oauth3.js
+++ b/lib/oauth3.js
@@ -50,6 +50,15 @@ function extractAccessToken(req) {
 function verifyToken(token) {
   var jwt = require('jsonwebtoken');
   var decoded;
+
+  if (!token) {
+    return PromiseA.reject({
+      message: 'no token provided'
+    , code: 'E_NO_TOKEN'
+    , url: 'https://oauth3.org/docs/errors#E_NO_TOKEN'
+    });
+  }
+
   try {
     decoded = jwt.decode(token, {complete: true});
   } catch (e) {}
@@ -160,6 +169,10 @@ function attachOauth3(req, res, next) {
   req.oauth3 = {};
 
   extractAccessToken(req).then(function (token) {
+    req.oauth3.verifyAsync = function (jwt) {
+      return verifyToken(jwt || token);
+    };
+
     if (!token) {
       return null;
     }
@@ -181,14 +194,10 @@ function attachOauth3(req, res, next) {
     req.oauth3.token = decoded;
     req.oauth3.ppid = ppid;
 
-    req.oauth3.verifyAsync = function () {
-      return verifyToken(token);
-    };
-
-    req.oauth3.rescope = function () {
+    req.oauth3.rescope = function (sub) {
       // TODO: this function is supposed to convert PPIDs of different parties to some account
       // ID that allows application to keep track of permisions and what-not.
-      return PromiseA.resolve(ppid);
+      return PromiseA.resolve(sub || ppid);
     };
   }).then(function () {
     next();
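Review bot: The new `if (!token)` guard in verifyToken rejects with a plain object literal, so callers that test `err instanceof Error` or log `err.stack` get neither; an Error carrying the same fields keeps the `code`/`url` contract and a stack trace: `return PromiseA.reject(Object.assign(new Error('no token provided'), { code: 'E_NO_TOKEN', url: 'https://oauth3.org/docs/errors#E_NO_TOKEN' }));`. Note also that `jwt.decode(token, {complete: true})` on the context line below only parses the token and does not check its signature, so rejection of a token that fails signature verification has to happen further down in verifyToken, outside this hunk, where the `catch (e) {}` that swallows decode errors also leaves `decoded` undefined. verifyToken's body continues past the end of the hunk.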
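Review bot: `verifyAsync` now accepts a caller-supplied token, but `jwt || token` silently substitutes the request's own access token whenever the argument is falsy, so a caller that passes an empty or missing value ends up verifying a different token than it intended; `return verifyToken(jwt === undefined ? token : jwt);` keeps the fallback for the no-argument case only. The parameter name `jwt` also reads as the jsonwebtoken module, which verifyToken binds under the same name in the first hunk; `tokenStr` would avoid the confusion. A short comment above the assignment would document the contract, e.g. `// verifyAsync(tokenStr?) verifies the given token, or this request's access token when none is passed; rejects with E_NO_TOKEN when neither exists`. The enclosing `.then` callback and attachOauth3 continue past this hunk.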
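Review bot: `rescope(sub)` returns whatever `sub` the caller passes in place of the verified `ppid` with no check that it relates to the token stored on `req.oauth3.token`, so any call site that forwards request-controlled input would let the client choose the identity that gets resolved; whether such a call site exists depends on code outside this diff. Until the TODO above it is implemented, the trust boundary should at least be stated next to the parameter: `// sub, when given, is returned unchanged — only pass a subject taken from a verified token`. Like `jwt || token` in the verifyAsync hunk, `sub || ppid` treats an empty string as absent; `sub === undefined ? ppid : sub` makes the fallback explicit. attachOauth3 continues past the end of the hunk.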