diff --git a/js/app.js b/js/app.js
index 9d680ca..9596546 100644
--- a/js/app.js
+++ b/js/app.js
@@ -1,7 +1,7 @@
 var app = angular.module('launchpad', ['oauth3.org', 'ui.router', 'LocalStorageModule']);
 
 app.config(['$stateProvider', '$urlRouterProvider', 'localStorageServiceProvider',
-  function($stateProvider, $urlRouterProvider, localStorageServiceProvider){
+  function ($stateProvider, $urlRouterProvider, localStorageServiceProvider) {
 
   localStorageServiceProvider.setPrefix('launchpad').setStorageType('sessionStorage');
 
diff --git a/js/controllers/login-controller.js b/js/controllers/login-controller.js
index af32c6d..b037951 100644
--- a/js/controllers/login-controller.js
+++ b/js/controllers/login-controller.js
@@ -104,6 +104,7 @@ app.controller('loginCtrl', [
       subject: subject
     , scope: [ 'domains@oauth3.org', 'domains', 'dns@oauth3.org', 'dns', 'www@daplie.com' ]
     }).then(function (session) {
+      console.log('vm.auth session.issuer', session.issuer);
       session.subject = subject;
       session.issuer = issuer;
       Auth.add(session);
diff --git a/js/controllers/website-controller.js b/js/controllers/website-controller.js
index 0d8a097..9edecb4 100644
--- a/js/controllers/website-controller.js
+++ b/js/controllers/website-controller.js
@@ -1,36 +1,74 @@
+//
+// Angular file upload hack
+//
+// TODO modularize for reuse
+function handleFiles(ev) {
+  var selector = 'js-file-upload';
+  var $scope;
+  var vm;
+
+  if ('INPUT' !== ev.target.tagName || 'file' !== ev.target.type || -1 === ev.target.className.indexOf(selector)) {
+    return;
+  }
+
+  $scope  = angular.element(ev.target).scope();
+  // 'vm' is the Controller As name.
+  vm = $scope.vm;
+  vm.currentFiles = ev.target.files;
+  console.log(vm.currentFiles);
+}
+window.document.body.addEventListener('change', handleFiles);
+
 app.controller('websiteCtrl', [
-  '$scope', 'Auth', 'azp@oauth3.org'
-, function ($scope, Auth, Oauth3) {
+  '$scope', '$q', 'Auth', 'azp@oauth3.org'
+, function ($scope, $q, Auth, Oauth3) {
 
   var vm = this;
   vm.oauth3 = Auth.oauth3;
   vm.domains = [];
 
-  Auth.sessions.forEach(function (session) {
-    return Auth.select(session).then(function (oauth3) {
-      return oauth3.api('domains.list', {}).then(function (domains) {
-        if (domains.error) {
-          // not all tokens support all apis
-          return;
-        }
-        if (!Array.isArray(domains)) {
-          console.error('domains are not domains');
-          console.error(domains);
-          return;
-        }
+  Auth.api = function (apiname, opts) {
+    var els = [];
+
+    return $q.all(Auth.sessions.map(function (session) {
+      console.log('################ Auth.api session:', session.issuer, session.subject);
+
+      return Auth.select(session).then(function (oauth3) {
+        console.log('$$$$$$$$$$$$$$$ Auth.api session:', session.issuer, session.subject);
+
+        return oauth3.api(apiname, {}).then(function (collection) {
+
+          if (collection.error) {
+            // not all tokens support all apis
+            return;
+          }
+
+          if (!Array.isArray(collection)) {
+            console.error('collection is not an array');
+            console.error(collection);
+            return;
+          }
+
+          collection.forEach(function (el) {
+            els.push(el);
+            el.session = session.token.sub + '@' + session.token.iss;
+          });
 
-        console.log('domains');
-        console.log(domains);
-        domains.forEach(function (domain) {
-          domain.session = session.token.sub + '@' + session.token.iss;
-          vm.domains.push(domain);
         });
       });
+    })).then(function (results) {
+      console.log('################ Auth.api session END');
+      return els;
     });
+  };
+
+  Auth.api('domains.list', {}).then(function (els) {
+    console.log('domains.list els', els);
+    vm.domains = els;
   });
 
   vm.getDomains = function () {
-    vm.oauth3.api('domains.list', {}).then(function (result) {
+    return vm.oauth3.api('domains.list', {}).then(function (result) {
       vm.domains = result.registrations || result;
     });
   };
@@ -56,32 +94,47 @@ app.controller('websiteCtrl', [
   vm.selectDomain = function (domain) {
     vm.domain = domain;
     vm.newDomain = domain.domain;
-    /*
-    return vm.oauth3.api('dns.list', { }).then(function (records) {
+
+    return Auth.api('dns.list', { }).then(function (records) {
       records = records.filter(function (r) {
         return /^A(AAA)?$/i.test(r.type) && ((r.sld + '.' + r.tld) === domain || r.zone === domain.domain);
       });
       vm.records = records;
+      records.forEach(function (record) {
+        if (!record.sub) {
+          record.sub = record.host.replace('.' + record.zone, '');
+          if (record.host === record.zone) {
+            record.sub = '@';
+          }
+        }
+      });
       console.log('records');
       console.log(records);
     });
-    */
   };
 
   vm.selectRecord = function (record) {
     vm.record = record;
+    vm.newRecord = record.sub;
     vm.currentHost = record.host; // .replace(new RegExp('\\.' + vm.domain.domain.replace(/\./g, '\\.') + '$', ''));
   };
 
-  vm.setFiles = function (files) {
-    console.log('setFiles');
-    console.log(files);
-    console.log(vm.newFiles);
-  };
-
   vm.createWebsite = function () {
     var fd = new window.FormData();
     var pkg = vm.oauth3.pkg('www@daplie.com');
+    //vm.unlock('webpreneur');
+    if (!vm.currentFiles || !vm.currentFiles.length) {
+      window.alert('No files chosen.');
+      return;
+    }
+    if (1 !== vm.currentFiles.length) {
+      window.alert('Too many files chosen.');
+      return;
+    }
+    if (!vm.currentHost) {
+      window.alert('No hostname chosen.');
+      return;
+    }
 
     return pkg.add({ hostname: vm.currentHost, multipart: { site: vm.currentFiles[0] } });
   };
diff --git a/js/services/auth-service.js b/js/services/auth-service.js
index 8b32517..3888949 100644
--- a/js/services/auth-service.js
+++ b/js/services/auth-service.js
@@ -51,6 +51,10 @@ app.factory('Auth', [
         if (session) {
           session.email = session.subject;
         }
+        if (!session.issuer) {
+          console.error(session);
+          throw new Error('restored session without audience');
+        }
 
         if (dapName === name) {
           Auth.session = session;
@@ -62,6 +66,10 @@ app.factory('Auth', [
       return Auth.session;
     }
   , select: function (session) {
+      if (!session.issuer) {
+        throw new Error("session doesn't have an issuer");;
+      }
+
       var name = session.token.sub + '@' + session.token.iss;
       var promise;
 
@@ -81,6 +89,10 @@ app.factory('Auth', [
         promise = Oauth3.PromiseA.resolve(Auth._oauth3s[name]);
       }
 
+      console.log('session.issuer:', session.issuer);
+      console.log('session.subject:', session.subject);
+      console.log('session:', session);
+
       return promise;
     }
   , signOut: function () {
diff --git a/templates/website.html b/templates/website.html
index 0aaa7f8..13f013d 100644
--- a/templates/website.html
+++ b/templates/website.html
@@ -11,10 +11,20 @@
     <h1>Create a new Website</h1>
     <h3>Select a Domain</h3>
     <div class="input-group">
-      <input type="text" class="form-control" placeholder="www" />
+      <input type="text" class="form-control" placeholder="www" ng-model="vm.newRecord" ng-change="vm.setRecord()" />
+      <div class="input-group-btn">
+        <!-- Single button -->
+        <div class="btn-group">
+          <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"><span class="caret"></span>
+          </button>
+          <ul class="dropdown-menu">
+            <li ng-repeat="record in vm.records"><button class="btn btn-link" ng-bind="record.sub" ng-click="vm.selectRecord(record)">www</button></li>
+          </ul>
+        </div>
+      </div>
       <span class="input-group-addon">.</span>
 
-      <input type="text" class="form-control" placeholder="Select a domain" aria-label="Domain Name" ng-model="vm.newDomain" ng-change="vm.setDomain()">
+      <input type="text" class="form-control" placeholder="Select a domain" aria-label="Domain Name" ng-model="vm.newDomain" ng-change="vm.setDomain()" />
       <div class="input-group-btn">
         <!-- Single button -->
         <div class="btn-group">
@@ -24,22 +34,30 @@
             <li ng-repeat="domain in vm.domains"><button class="btn btn-link" ng-bind="domain.domain" ng-click="vm.selectDomain(domain)">example.com</button></li>
           </ul>
         </div>
+      </div>
 
-        </div>
     </div>
     <div class="panel panel-default">
       <div class="panel-body">
+        <!--
         Choose or create a public shared folder  <button class="btn btn-default">Select Daplie Folder</button>
+        <br>
+        -->
+        <div class="input-group">
+          <label>Select .zip upload</label> <input type="file" class="js-file-upload this-has-a-special-non-angular-event-handler" />
+        </div>
       </div>
     </div>
+    <!--
     <div class="panel panel-default">
       <div class="panel-body">
         Who can edit and upload to this site?  <input placeholder="Type contact name or email address" type="text" class="form-control">
       </div>
     </div>
+    -->
     <!-- <div class="form-group">
       <div class="pull-right"> -->
-            <button ng-click="vm.unlock('webpreneur')" type="button" name="button" class="btn btn-default">Create Website</button>
+            <button ng-click="vm.createWebsite()" type="button" name="button" class="btn btn-default">Create Website</button>
         <!-- </div>
     </div> -->
   </div>