diff --git a/src/components/account/fission/implementations/common.ts b/src/components/account/fission/implementations/common.ts
index 9abfbc8e..d1532ec1 100644
--- a/src/components/account/fission/implementations/common.ts
+++ b/src/components/account/fission/implementations/common.ts
@@ -192,7 +192,7 @@ export async function did<FS>(
 
   // DID is issuer of that username UCAN
   return accountProof
-    ? Ucan.decode(accountProof.token).payload.iss
+    ? accountProof.issuer
     : null
 }
 
@@ -206,7 +206,7 @@ export async function fileSystemDID<FS>(
 
   // DID is issuer of that username UCAN
   return accountProof
-    ? Ucan.decode(accountProof.token).payload.aud
+    ? accountProof.audience
     : null
 }
 
@@ -231,8 +231,6 @@ export async function provideAuthority(
     inventory
   )
 
-  console.log("provideAuthority", maybeTicket)
-
   if (!maybeTicket) return []
   return [maybeTicket]
 }
diff --git a/src/components/authority/browser-url/provider.ts b/src/components/authority/browser-url/provider.ts
index 57e42fe0..d43bd945 100644
--- a/src/components/authority/browser-url/provider.ts
+++ b/src/components/authority/browser-url/provider.ts
@@ -309,6 +309,7 @@ class ProviderSession<AccountAnnex extends Account.AnnexParentType> extends Sess
     const fileSystemTickets = Tickets.collectUnique(fileSystemTicketBundles.flat())
 
     const accessKeys = fsQueries
+      .filter(q => Path.isPartition("private", q.path))
       .map(q => this.inventory.findAccessKey(q.path, q.did))
       .reduce(
         (acc, a) => a ? [...acc, a] : acc,
diff --git a/src/components/authority/browser-url/requestor.ts b/src/components/authority/browser-url/requestor.ts
index e974c513..cbd352fe 100644
--- a/src/components/authority/browser-url/requestor.ts
+++ b/src/components/authority/browser-url/requestor.ts
@@ -137,7 +137,7 @@ async function messageHandler(params: MessageHandlerParams) {
   const msg = await decodeChannelData(params.event.data)
   if (!msg) return
 
-  params.resetTimeout()
+  const timeoutId = params.resetTimeout()
 
   const sessionsCache = params.sessionsCache
   const sessionFromCache = sessionsCache[msg.did]
@@ -152,6 +152,7 @@ async function messageHandler(params: MessageHandlerParams) {
   if (session.ended()) {
     delete sessionsCache[msg.did]
     params.channel.close()
+    clearTimeout(timeoutId)
   }
 }
 
@@ -224,8 +225,6 @@ class RequestorSession extends Session {
 
     const payload = decryptJSONPayload(decryption.cipher, msg.payload)
 
-    console.log(payload)
-
     if (payload.dismissed === true) {
       this.eventEmitter.emit("request:dismissed")
       return this.end
@@ -237,7 +236,9 @@ class RequestorSession extends Session {
       || !Array.isArray(payload.accountTickets)
       || !Array.isArray(payload.approved)
       || !Array.isArray(payload.fileSystemTickets)
-      || !payload.accessKeys.every((p: unknown) => isString(p))
+      || !payload.accessKeys.every((p: unknown) =>
+        isObject(p) && isString(p.did) && isString(p.key) && isString(p.path)
+      )
       || !payload.accountTickets.every((p: unknown) => isObject(p))
       || !payload.approved.every((p: unknown) => isString(p) || isObject(p))
       || !payload.fileSystemTickets.every((p: unknown) => isObject(p))
@@ -267,16 +268,6 @@ class RequestorSession extends Session {
     await this.cabinet.addTickets("file_system", fileSystemTickets)
     await this.cabinet.addAccessKeys(accessKeys)
 
-    console.log(
-      accountTickets.map((t: Ticket) => Ucan.decode(t.token))
-    )
-
-    console.log(
-      fileSystemTickets.map((t: Ticket) => Ucan.decode(t.token))
-    )
-
-    console.log(accessKeys)
-
     const queries = payload.approved.map(q => Query.fromJSON(q))
     this.eventEmitter.emit("request:authorised", { queries })
     this.eventEmitter.emit("request:authorized", { queries })
diff --git a/src/inventory.ts b/src/inventory.ts
index af5229c5..63714a94 100644
--- a/src/inventory.ts
+++ b/src/inventory.ts
@@ -65,7 +65,7 @@ export class Inventory {
     return unwrappedPath.reduce(
       (acc: null | { did: string; key: Uint8Array; path: Path.Distinctive<Path.Segments> }, _p, idx) => {
         if (acc) return acc
-        const partialPath = Path.fromKind(pathKind, ...unwrappedPath.slice(0, idx))
+        const partialPath = Path.fromKind(pathKind, ...unwrappedPath.slice(0, idx + 1))
         const key = this.lookupAccessKey(partialPath, did)
         return key ? { did, key: key, path: partialPath } : null
       },
diff --git a/src/ticket/index.ts b/src/ticket/index.ts
index 539fd899..00e6b0f9 100644
--- a/src/ticket/index.ts
+++ b/src/ticket/index.ts
@@ -19,8 +19,6 @@ export async function cid(ticket: Ticket): Promise<CID> {
 }
 
 export function collectUnique(tickets: Ticket[]): Ticket[] {
-  console.log("collect", tickets)
-
   return tickets.reduce((acc, ticket) => {
     if (acc.tokens.includes(ticket.token)) {
       return acc