diff --git a/lib/oauth3.js b/lib/oauth3.js
index 28ee6a9..39440ab 100644
--- a/lib/oauth3.js
+++ b/lib/oauth3.js
@@ -3,7 +3,7 @@
 var PromiseA = require('bluebird');
 
 function extractAccessToken(req) {
-  var token;
+  var token = null;
   var parts;
   var scheme;
   var credentials;
@@ -133,6 +133,13 @@ function verifyToken(token) {
       url: OAUTH3.url.resolve(directives.api, url)
     , method: args.method
     , data: body
+    }).catch(function (err) {
+      return PromiseA.reject({
+        message: 'failed to retrieve public key from token issuer'
+      , code: 'E_NO_PUB_KEY'
+      , url: 'https://oauth3.org/docs/errors#E_NO_PUB_KEY'
+      , subErr: err.toString()
+      });
     });
   }, function (err) {
     return PromiseA.reject({
@@ -178,6 +185,7 @@ function attachOauth3(req, res, next) {
   req.oauth3 = {};
 
   extractAccessToken(req).then(function (token) {
+    req.oauth3.encodedToken = token;
     req.oauth3.verifyAsync = function (jwt) {
       return verifyToken(jwt || token);
     };
@@ -185,38 +193,25 @@ function attachOauth3(req, res, next) {
     if (!token) {
       return null;
     }
-
-    var decoded;
-    try {
-      decoded = require('jsonwebtoken').decode(token);
-    } catch (e) {}
-    if (!decoded) {
-      return PromiseA.reject({
-        message: 'provided token not a JSON Web Token'
-      , code: 'E_NOT_JWT'
-      , url: 'https://oauth3.org/docs/errors#E_NOT_JWT'
-      });
-    }
-    if (!decoded.iss) {
-      return PromiseA.reject({
-        message: 'token missing iss'
-      , code: 'E_MISSING_ISS'
-      , url: 'https://oauth3.org/docs/errors#E_MISSING_ISS'
-      });
-    }
-    var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
-
-    req.oauth3.encodedToken = token;
+    return verifyToken(token);
+  }).then(function  (decoded) {
     req.oauth3.token = decoded;
+    if (!decoded) {
+      return null;
+    }
+
+    var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
     req.oauth3.ppid = ppid;
-    req.oauth3.accountIdx  = ppid+'@'+token.iss;
-    req.oauth3.accountHash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
-    req.oauth3.accountHash = req.oauth3.accountHash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, '');
+    req.oauth3.accountIdx = ppid+'@'+decoded.iss;
+
+    var hash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
+    hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, '');
+    req.oauth3.accountHash = hash;
 
     req.oauth3.rescope = function (sub) {
       // TODO: this function is supposed to convert PPIDs of different parties to some account
       // ID that allows application to keep track of permisions and what-not.
-      return PromiseA.resolve(sub || ppid);
+      return PromiseA.resolve(sub || hash);
     };
   }).then(function () {
     deepFreeze(req.oauth3);