diff --git a/assets/oauth3.org b/assets/oauth3.org
index 5f68ea1..effee98 160000
--- a/assets/oauth3.org
+++ b/assets/oauth3.org
@@ -1 +1 @@
-Subproject commit 5f68ea19e22d05bebc6a289da0a89a714442e6d2
+Subproject commit effee987beca6f0522a93533d65de1e7ed246987
diff --git a/js/controllers/website-controller.js b/js/controllers/website-controller.js
index b3498f9..ed57432 100644
--- a/js/controllers/website-controller.js
+++ b/js/controllers/website-controller.js
@@ -123,18 +123,19 @@ app.controller('websiteCtrl', [
   };
 
   vm._isSubDomain = function (sub, domain) {
-    return -1 === ('.' + sub).indexOf(('.' + domain));
+    return -1 !== ('.' + sub).indexOf(('.' + domain));
   };
 
   vm.createWebsite = function () {
+    console.log('##### Auth.oauth3');
+    console.log(Auth.oauth3);
+
     var pkg = Auth.oauth3.pkg('www@daplie.com');
     var parts;
     var sub;
     var sld;
     var tld;
 
-    console.log('Auth.oauth3', Auth.oauth3);
-
     //vm.unlock('webpreneur');
     if (!vm.currentFiles || !vm.currentFiles.length) {
       window.alert('No files chosen.');
@@ -172,25 +173,36 @@ app.controller('websiteCtrl', [
     // (because two users could both claim a single domain)
     // We're claiming it at the top level (i.e. example.com)
     // but we could also claim it at the subdomain level (needs UI update)
-    return pkg.request({ sld: sld, tld: tld, sub: undefined }).then(function (result) {
+    var domainReq = { sld: sld, tld: tld, sub: undefined };
+    return pkg.request(domainReq).then(function (result) {
       var sess;
       var prom;
       var def;
       console.log('[pkg www] request domain');
-      console.log(result);
+      console.log(result.data);
+
+      console.log('[pkg www] vm.domain.session:');
+      console.log(vm.domain.session);
+
+      console.log(vm.currentHost, vm.domain.domain);
+      console.log(vm._isSubDomain(vm.currentHost, vm.domain.domain));
 
       // can validate automatically
       if (vm.domain.session && vm._isSubDomain(vm.currentHost, vm.domain.domain)) {
         // this should always succeed
         Auth.sessions.some(function (session) {
+          console.log('#', session.token.sub + '@' + session.token.iss);
           if (vm.domain.session === (session.token.sub + '@' + session.token.iss)) {
+            console.log('=', session.token.sub + '@' + session.token.iss);
             sess = session;
             return session;
           }
         });
 
         if (sess) {
+          console.log('[pkg www] session selected', sess);
           prom = Auth.select(sess).then(function (oauth3) {
+            console.log('[pkg www] instance selected', oauth3);
             return oauth3.api('dns.set', { sld: sld, tld: tld, sub: ('' + result.data.prefix), type: 'TXT', ttl: 300, value: result.data.challenge });
           });
         }
@@ -209,7 +221,12 @@ app.controller('websiteCtrl', [
       }
 
       return prom.then(function () {
-        vm._createWebsite(pkg);
+        console.log('[pkg www] after pkg');
+        console.log(pkg);
+        return pkg.claim(domainReq).then(function (result) {
+          console.log('[pkg www] claim', result);
+          return vm._createWebsite(pkg);
+        });
       });
 
     });
@@ -227,17 +244,17 @@ app.controller('websiteCtrl', [
         console.log('[www] post pkg', oauth3._resourceProviderDirectives);
 
         return pkg.list().then(function (result) {
-          var sites = result.data;
+          var _sites = result.data;
 
-          if (Array.isArray(sites)) {
-            sites = sites.concat(sites);
+          if (Array.isArray(_sites)) {
+            sites = _sites.concat(sites);
             return;
           }
 
-          console.error('sites is not an array');
-          console.error(sites);
+          console.error('_sites is not an array');
+          console.error(_sites);
         }, function (err) {
-          console.error('sites had an error');
+          console.error('_sites had an error');
           console.error(err);
         });
       });
diff --git a/js/www@daplie.com.js b/js/www@daplie.com.js
index 472226b..c72db44 100644
--- a/js/www@daplie.com.js
+++ b/js/www@daplie.com.js
@@ -12,6 +12,7 @@ OAUTH3._pkgs['www@daplie.com'] = {
       method: 'POST'
     , url: OAUTH3.url.normalize(providerUri)
         + '/api/www@daplie.com/acl/add/' + opts.hostname
+        + '?' + OAUTH3.utils.query.stringify({ tld: opts.tld, sld: opts.sld/*, sub: opts.sub*/ })
     , session: session
     , multipart: opts.multipart // special property to be figured out by browser request code
     }).then(function (result) {
@@ -48,6 +49,24 @@ OAUTH3._pkgs['www@daplie.com'] = {
     }).then(function (result) {
       // result.data
 
+      return result;
+    });
+  }
+, claim: function (opts) {
+    var providerUri = opts.audience;
+    var session = opts.session;
+
+    return OAUTH3.request({
+      method: 'POST'
+    , url: OAUTH3.url.normalize(providerUri)
+        + '/api/www@daplie.com/acl/claim/:tld/:sld/:sub'
+            .replace(/(:tld)/, opts.tld)
+            .replace(/(:sld)/, opts.sld)
+            .replace(/(:sub)/, opts.sub || '')
+    , session: session
+    }).then(function (result) {
+      // result.data
+
       return result;
     });
   }