diff --git a/arvo/eyre.hoon b/arvo/eyre.hoon
index cf91f7c4f..58383fe74 100644
--- a/arvo/eyre.hoon
+++ b/arvo/eyre.hoon
@@ -1716,7 +1716,7 @@
         ?>((~(nest ut p:!>(*sec-move)) %& p.b) ~)
       =+  opt=|.((sa (turn a head)))
       |-
-      ?~  a  ~|(allowed=*opt !!)
+      ?~  a  ~|(allowed=(opt) !!)
       ?:  =(p.i.a -.q.b)
         (q.i.a (spec b))
       $(a t.a)
@@ -1737,6 +1737,7 @@
       %+  on-error  dead-this  |.
       %-  allow  :~
         give/do-give
+        send/(do-send %in)
         redo/,_pump(..vi (give-html 200 ~ exit:xml))
       ==
     ::
diff --git a/lib/oauth2.hoon b/lib/oauth2.hoon
index 2b6350495..196ad3101 100644
--- a/lib/oauth2.hoon
+++ b/lib/oauth2.hoon
@@ -37,7 +37,7 @@
 ::::
   ::
 |=  [dialog=[p=host q=path r=quay] code-exchange=path]
-=+  state-usr=&
+=+  state-usr=|
 |_  [(bale keys) scope=(list cord)]
 ++  client-id      cid:(decode-keys key)
 ++  client-secret  cis:(decode-keys key)
@@ -67,7 +67,7 @@
   ?~  refresh  (otherwise a)
   ?:  (lth expires (add now ~m1))
     (otherwise a)
-  [%send toke-url (toke-req 'refresh_token' refresh-token/refresh ~)]
+  (toke-req 'refresh_token' refresh-token/refresh ~)
 ::  
 ++  out-filtered
   |=  [tok=token aut=$+(hiss hiss)]
@@ -86,7 +86,8 @@
   |=(a=hiss %_(a q.q (~(add ja q.q.a) hed)))
 ::
 ++  toke-req
-  |=  [grant-type=cord quy=quay]  ^-  moth 
+  |=  [grant-type=cord quy=quay]  ^-  [%send hiss]
+  :+  %send  toke-url
   :+  %post  (mo ~[content-type/~['application/x-www-form-urlencoded']])
   =-  `(tact +:(tail:earn -))
   %-  fass
@@ -100,7 +101,7 @@
 ++  in-code
   |=  a=quay  ^-  sec-move
   =+  code=~|(%no-code (~(got by (mo a)) %code))
-  [%send toke-url (toke-req 'authorization_code' code/code ~)]
+  (toke-req 'authorization_code' code/code ~)
 ::
 ++  token-type  'token_type'^(cu cass sa):jo
 ++  expires-in  'expires_in'^ni:jo
diff --git a/sec/com/facebook/graph.hoon b/sec/com/facebook/graph.hoon
index 32b6764fa..8a2b08786 100644
--- a/sec/com/facebook/graph.hoon
+++ b/sec/com/facebook/graph.hoon
@@ -9,9 +9,13 @@
 ++  out  (out-quay:auth 'access_token'^access-token)
 ++  in   in-code:auth
 ++  bak
-  %-  (bak-parse-access:auth . expires-in.aut ~)
-  |=  [access-token=token.aut expires-in=@u]
-  =+  token-expires=`@da`(add now.bal (mul ~s1 expires-in))
-  ~&  authenticated-until/token-expires   :: XX handle timeout
-  +>.$(access-token access-token)
+  |=  res=httr
+  =+  a=auth
+  ?:  (bad-response.a p.res)  [%redo ~]
+  =+  ^-  [access-token=@t expires-in=@u]
+      (grab-json.a res (ot:jo access-token expires-in ~):a)
+  ?:  (lth expires-in ^~((div ~d7 ~s1)))  ::  short-lived token
+    (toke-req:a 'fb_exchange_token' fb-exchange-token/access-token ~)
+  [[%redo ~] ..bak(access-token access-token)]
+::++  wipe  !!
 --
diff --git a/sec/com/slack.hoon b/sec/com/slack.hoon
index e05a8c92f..f0cc93e08 100644
--- a/sec/com/slack.hoon
+++ b/sec/com/slack.hoon
@@ -4,7 +4,7 @@
   ::
 =+  aut=(oauth2 [`/com/slack /oauth/authorize ~] /api/'oauth.access')
 |_  [(bale keys:oauth2) tok=token.aut]
-++  aut  ~(. ^aut(state-usr |) +<- /client/admin)
+++  aut  ~(. ^aut +<- /client/admin)
 ++  out  (out-quay:aut 'token'^tok)
 ++  in   in-code:aut
 ++  bak  ((bak-parse-access:aut . ~) |=(tok=token:aut +>(tok tok)))