diff --git a/boot/master.js b/boot/master.js
index 92b2598..2c40ae0 100644
--- a/boot/master.js
+++ b/boot/master.js
@@ -82,6 +82,9 @@ cluster.on('online', function (worker) {
 var config = require('../config');
 info.conf.primaryNameserver = config.primaryNameserver;
 info.conf.nameservers = config.nameservers;
+ // TODO get this from db config instead
+ info.conf.privkey = config.privkey;
+ info.conf.pubkey = config.pubkey;
 worker.send(info);
 });
 }
diff --git a/lib/api-server.js b/lib/api-server.js
index 3ab23c0..60966ea 100644
--- a/lib/api-server.js
+++ b/lib/api-server.js
@@ -19,6 +19,7 @@ module.exports.create = function (conf, deps/*, Services*/) {
 return new PromiseA(function (resolve, reject) {
 var myApp;
+ var ursa;
 try {
 // TODO dynamic requires are a no-no
@@ -26,9 +27,22 @@ module.exports.create = function (conf, deps/*, Services*/) {
 // module.exports = { {{pkgpath}}: function () { return require({{pkgpath}}) } }
 // requirer[pkgpath]()
 myApp = express();
+ myApp.disable('x-powered-by');
 if (app.get('trust proxy')) {
 myApp.set('trust proxy', app.get('trust proxy'));
 }
+ if (!conf.pubkey) {
+ /*
+ return ursa.createPrivateKey(pem, password, encoding);
+ var pem = myKey.toPrivatePem();
+ return jwt.verifyAsync(token, myKey.toPublicPem(), { ignoreExpiration: false && true }).then(function (decoded) {
+ });
+ */
+ ursa = require('ursa');
+ conf.keypair = ursa.createPrivateKey(conf.privkey, 'ascii');
+ conf.pubkey = ursa.createPublicKey(conf.pubkey, 'ascii'); //conf.keypair.toPublicKey();
+ }
+ // TODO give pub/priv pair for app and all public keys
 route.route = require(pkgpath).create(conf, deps, myApp);
 } catch(e) {
 reject(e);
@@ -114,6 +128,7 @@ module.exports.create = function (conf, deps/*, Services*/) {
 }
 if (!route.api) {
+ console.error('missing route:', req.url);
 nextify(new Error("no api available for this route"));
 return;
 }
diff --git a/lib/worker.js b/lib/worker.js
index a282d64..587f224 100644
--- a/lib/worker.js
+++ b/lib/worker.js
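Review bot: The private key is copied into `info.conf` and sent to every worker in the `cluster.on('online')` handler of boot/master.js, and the lib/worker.js hunk at -161 forwards `privkey` into the API conf, which lib/api-server.js appears to hand to each loaded package through `require(pkgpath).create(conf, deps, myApp)`. That would give every package the signing key, although verifying a token needs only `pubkey`. I would keep `privkey` out of the conf passed to packages and give it only to the component that signs, and extend the comment to record that: `// TODO load keys from db config; only the signer should ever receive privkey`. The handler body starts outside the hunk.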
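Review bot: In lib/api-server.js (hunk at -26) the new block is guarded by `if (!conf.pubkey)`, yet inside it calls `ursa.createPublicKey(conf.pubkey, 'ascii')`, so it only runs when that argument is missing. With a configured `pubkey` the block is skipped and `conf.keypair` is never built; without one the call is made with an empty value and presumably throws into the surrounding `catch`. Going by the signature quoted in the commented-out lines, `createPrivateKey(pem, password, encoding)`, the `'ascii'` in `ursa.createPrivateKey(conf.privkey, 'ascii')` also lands in the password position rather than the encoding. I would guard on the parsed key, `if (!conf.keypair) {`, and pass the encoding third, `conf.keypair = ursa.createPrivateKey(conf.privkey, undefined, 'ascii');`. When no `pubkey` is configured, derive the public key from the keypair as the trailing comment hints. The enclosing `try` starts outside the hunk.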
@@ -38,6 +38,7 @@ module.exports.create = function (webserver, info, state) {
 });
 var cstore = require('cluster-store');
+ app.disable('x-powered-by');
 if (info.conf.trustProxy) {
 console.info('[Trust Proxy]');
 app.set('trust proxy', ['loopback']);
@@ -161,6 +162,8 @@ module.exports.create = function (webserver, info, state) {
 , externalPort: info.conf.externalPort
 , primaryNameserver: info.conf.primaryNameserver
 , nameservers: info.conf.nameservers
+ , privkey: info.conf.privkey
+ , pubkey: info.conf.pubkey
 , apiPrefix: '/api'
 };
@@ -252,6 +255,12 @@ module.exports.create = function (webserver, info, state) {
 } else {
 res.send('ERRORError');
 }
+
+ // sadly express uses arity checking
+ // so the fourth parameter must exist
+ if (false) {
+ next();
+ }
 });
 return app;
diff --git a/package.json b/package.json
index c6cb246..b477692 100644
--- a/package.json
+++ b/package.json
@@ -68,6 +68,7 @@
 "escape-string-regexp": "1.x",
 "etag": "^1.5.1",
 "express": "4.x",
+ "express-jwt": "^3.3.0",
 "express-lazy": "^1.1.1",
 "express-session": "^1.11.3",
 "finalhandler": "^0.3.4",
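Review bot: The package.json hunk adds only `express-jwt`, which none of the visible hunks use, while lib/api-server.js now calls `require('ursa')` at package-load time. If `ursa` is not already declared elsewhere in package.json, a fresh install will fail on that require and the loader will reject every package; declare it here next to the new entry, e.g. `"ursa": "<version>"` (placeholder, the page does not give one). Since `express-jwt` will sit on the authentication path, I would also pin it to an exact reviewed version rather than the caret range, and fix the accepted signing algorithm explicitly when the middleware is wired up.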