diff --git a/web/authorize.qtpl b/web/authorize.qtpl
index 594dc54..3a8a3ea 100644
--- a/web/authorize.qtpl
+++ b/web/authorize.qtpl
@@ -1,121 +1,139 @@
 {% import "source.toby3d.me/website/indieauth/internal/domain" %}
 
-{% code type AuthPage struct {
+{% code type AuthorizePage struct {
   BaseOf
   Client              *domain.Client
-  Me                  *domain.Me
   RedirectURI         *domain.URL
+  Me                  *domain.Me
   CodeChallengeMethod domain.CodeChallengeMethod
   ResponseType        domain.ResponseType
   Scope               domain.Scopes
+  CSRF                []byte
   CodeChallenge       string
-  CSRF                string
   State               string
 } %}
 
-{% func (p *AuthPage) Lang() %}
-  en
-{% endfunc %}
-
-{% func (p *AuthPage) Title() %}
-  Authorize {%s p.Client.Name[0] %}
-{% endfunc %}
-
-{% func (p *AuthPage) Head() %}
-{% endfunc %}
-
-{% func (p *AuthPage) Body() %}
-  {% if p.Client.Logo[0] != nil %}
-    <img
-      alt="{%s p.Client.Name[0] %}"
-      crossorigin="anonymous"
-      decoding="async"
-      height="140"
-      importance="high"
-      loading="lazy"
-      referrerpolicy="no-referrer-when-downgrade"
-      src="{%s p.Client.Logo[0].String() %}"
-      width="140">
+{% func (p *AuthorizePage) Title() %}
+  {% if p.Client.GetName() == "" %}
+    {%= p.T("Authorize %s", p.Client.GetName()) %}
+  {% else %}
+    {%= p.T("Authorize application") %}
   {% endif %}
+{% endfunc %}
 
-  <h2>{%s p.Client.Name[0] %}</h2>
-
-  <form
-    accept-charset="utf-8"
-    action="/api/authorize"
-    autocomplete="off"
-    enctype="application/x-www-form-urlencoded"
-    method="post"
-    novalidate="true"
-    target="_self">
-
-    {% if p.CSRF != "" %}
-      <input
-        name="_csrf"
-        type="hidden"
-        value="{%s p.CSRF %}">
+{% func (p *AuthorizePage) Body() %}
+  <header>
+    {% if p.Client.GetLogo() != nil %}
+      <img
+        alt="{%s p.Client.GetName() %}"
+        crossorigin="anonymous"
+        decoding="async"
+        height="140"
+        importance="high"
+        loading="lazy"
+        referrerpolicy="no-referrer-when-downgrade"
+        src="{%s p.Client.GetLogo().String() %}"
+        width="140">
     {% endif %}
 
-    <input
-      name="response_type"
-      type="hidden"
-      value="code">
+    <h2>
+      {% if p.Client.GetURL() != nil %}
+        <a href="{%s p.Client.GetURL().String() %}">
+      {% endif %}
+      {% if p.Client.GetName() != "" %}
+        {%s p.Client.GetName() %}
+      {% else %}
+        {%s p.Client.ID.String() %}
+      {% endif %}
+      {% if p.Client.GetURL() != nil %}
+        </a>
+      {% endif %}
+    </h2>
+  </header>
 
-    <input
-      name="client_id"
-      type="hidden"
-      value="{%s p.Client.URL[0].String() %}">
+  <main>
+    <form
+      accept-charset="utf-8"
+      action="/api/authorize"
+      autocomplete="off"
+      enctype="application/x-www-form-urlencoded"
+      method="post"
+      novalidate="true"
+      target="_self">
 
-    <input
-      name="redirect_uri"
-      type="hidden"
-      value="{%s p.RedirectURI.String() %}">
+      {% if p.CSRF != nil %}
+        <input
+          type="hidden"
+          name="_csrf"
+          value="{%z p.CSRF %}">
+      {% endif %}
 
-    <input
-      name="state"
-      type="hidden"
-      value="{%s p.State %}">
+      {% for key, val := range map[string]string{
+        "client_id":     p.Client.ID.String(),
+        "redirect_uri":  p.RedirectURI.String(),
+        "response_type": p.ResponseType.String(),
+        "state":         p.State,
+      } %}
+        <input
+          type="hidden"
+          name="{%s key %}"
+          value="{%s val %}">
+      {% endfor %}
 
-    {% if p.CodeChallenge != "" %}
-      <input
-        name="code_challenge"
-        type="hidden"
-        value="{%s p.CodeChallenge %}">
+      {% if len(p.Scope) > 0 %}
+      <fieldset>
+        <legend>{%= p.T("Choose your scopes") %}</legend>
 
-      <input
-        name="code_challenge_method"
-        type="hidden"
-        value="{%s p.CodeChallengeMethod.String() %}">
-    {% endif %}
+        {% for _, scope := range p.Scope %}
+          <div>
+            <label>
+              <input
+                type="checkbox"
+                name="scope[]"
+                value="{%s scope.String() %}"
+                checked>
 
-    {% if len(p.Scope) != 0 %}
-      <input
-        name="scope"
-        type="hidden"
-        value="{%s p.Scope.String() %}">
-    {% endif %}
+              {%s scope.String() %}
+            </label>
+          </div>
+        {% endfor %}
+      </fieldset>
+      {% endif %}
 
-    {% if p.Me != nil %}
-      <input
-        name="me"
-        type="hidden"
-        value="{%s p.Me.String() %}">
-    {% endif %}
+      {% if p.CodeChallenge != "" %}
+        <input
+          type="hidden"
+          name="code_challenge"
+          value="{%s p.CodeChallenge %}">
 
-    <button
-      name="authorize"
-      type="submit"
-      value="deny">
+        <input
+          type="hidden"
+          name="code_challenge_method"
+          value="{%s p.CodeChallengeMethod.String() %}">
+      {% endif %}
 
-      {%= p.T("Deny") %}
-    </button>
+      {% if p.Me != nil %}
+        <input
+          type="hidden"
+          name="me"
+          value="{%s p.Me.String() %}">
+      {% endif %}
 
-    <button
-      name="authorize"
-      type="submit"
-      value="allow">
+      <button
+        type="submit"
+        name="authorize"
+        value="deny">
 
-      {%= p.T("Allow") %}
-    </button>
-  </form>
+        {%= p.T("Deny") %}
+      </button>
+
+      <button
+        type="submit"
+        name="authorize"
+        value="allow">
+
+        {%= p.T("Allow") %}
+      </button>
+    </form>
+  </main>
 {% endfunc %}
\ No newline at end of file
diff --git a/web/authorize.qtpl.go b/web/authorize.qtpl.go
index 3fd96fc..665cce8 100644
--- a/web/authorize.qtpl.go
+++ b/web/authorize.qtpl.go
@@ -21,61 +21,46 @@ var (
 )
 
 //line web/authorize.qtpl:3
-type AuthPage struct {
+type AuthorizePage struct {
 	BaseOf
 	Client              *domain.Client
-	Me                  *domain.Me
 	RedirectURI         *domain.URL
+	Me                  *domain.Me
 	CodeChallengeMethod domain.CodeChallengeMethod
 	ResponseType        domain.ResponseType
 	Scope               domain.Scopes
+	CSRF                []byte
 	CodeChallenge       string
-	CSRF                string
 	State               string
 }
 
 //line web/authorize.qtpl:16
-func (p *AuthPage) StreamLang(qw422016 *qt422016.Writer) {
+func (p *AuthorizePage) StreamTitle(qw422016 *qt422016.Writer) {
 //line web/authorize.qtpl:16
 	qw422016.N().S(`
-  en
-`)
+  `)
+//line web/authorize.qtpl:17
+	if p.Client.GetName() == "" {
+//line web/authorize.qtpl:17
+		qw422016.N().S(`
+    `)
 //line web/authorize.qtpl:18
-}
-
+		p.StreamT(qw422016, "Authorize %s", p.Client.GetName())
 //line web/authorize.qtpl:18
-func (p *AuthPage) WriteLang(qq422016 qtio422016.Writer) {
-//line web/authorize.qtpl:18
-	qw422016 := qt422016.AcquireWriter(qq422016)
-//line web/authorize.qtpl:18
-	p.StreamLang(qw422016)
-//line web/authorize.qtpl:18
-	qt422016.ReleaseWriter(qw422016)
-//line web/authorize.qtpl:18
-}
-
-//line web/authorize.qtpl:18
-func (p *AuthPage) Lang() string {
-//line web/authorize.qtpl:18
-	qb422016 := qt422016.AcquireByteBuffer()
-//line web/authorize.qtpl:18
-	p.WriteLang(qb422016)
-//line web/authorize.qtpl:18
-	qs422016 := string(qb422016.B)
-//line web/authorize.qtpl:18
-	qt422016.ReleaseByteBuffer(qb422016)
-//line web/authorize.qtpl:18
-	return qs422016
-//line web/authorize.qtpl:18
-}
-
+		qw422016.N().S(`
+  `)
+//line web/authorize.qtpl:19
+	} else {
+//line web/authorize.qtpl:19
+		qw422016.N().S(`
+    `)
 //line web/authorize.qtpl:20
-func (p *AuthPage) StreamTitle(qw422016 *qt422016.Writer) {
+		p.StreamT(qw422016, "Authorize application")
 //line web/authorize.qtpl:20
-	qw422016.N().S(`
-  Authorize `)
+		qw422016.N().S(`
+  `)
 //line web/authorize.qtpl:21
-	qw422016.E().S(p.Client.Name[0])
+	}
 //line web/authorize.qtpl:21
 	qw422016.N().S(`
 `)
@@ -83,7 +68,7 @@ func (p *AuthPage) StreamTitle(qw422016 *qt422016.Writer) {
 }
 
 //line web/authorize.qtpl:22
-func (p *AuthPage) WriteTitle(qq422016 qtio422016.Writer) {
+func (p *AuthorizePage) WriteTitle(qq422016 qtio422016.Writer) {
 //line web/authorize.qtpl:22
 	qw422016 := qt422016.AcquireWriter(qq422016)
 //line web/authorize.qtpl:22
@@ -94,7 +79,7 @@ func (p *AuthPage) WriteTitle(qq422016 qtio422016.Writer) {
 }
 
 //line web/authorize.qtpl:22
-func (p *AuthPage) Title() string {
+func (p *AuthorizePage) Title() string {
 //line web/authorize.qtpl:22
 	qb422016 := qt422016.AcquireByteBuffer()
 //line web/authorize.qtpl:22
@@ -109,254 +94,297 @@ func (p *AuthPage) Title() string {
 }
 
 //line web/authorize.qtpl:24
-func (p *AuthPage) StreamHead(qw422016 *qt422016.Writer) {
+func (p *AuthorizePage) StreamBody(qw422016 *qt422016.Writer) {
 //line web/authorize.qtpl:24
 	qw422016.N().S(`
-`)
-//line web/authorize.qtpl:25
-}
-
-//line web/authorize.qtpl:25
-func (p *AuthPage) WriteHead(qq422016 qtio422016.Writer) {
-//line web/authorize.qtpl:25
-	qw422016 := qt422016.AcquireWriter(qq422016)
-//line web/authorize.qtpl:25
-	p.StreamHead(qw422016)
-//line web/authorize.qtpl:25
-	qt422016.ReleaseWriter(qw422016)
-//line web/authorize.qtpl:25
-}
-
-//line web/authorize.qtpl:25
-func (p *AuthPage) Head() string {
-//line web/authorize.qtpl:25
-	qb422016 := qt422016.AcquireByteBuffer()
-//line web/authorize.qtpl:25
-	p.WriteHead(qb422016)
-//line web/authorize.qtpl:25
-	qs422016 := string(qb422016.B)
-//line web/authorize.qtpl:25
-	qt422016.ReleaseByteBuffer(qb422016)
-//line web/authorize.qtpl:25
-	return qs422016
-//line web/authorize.qtpl:25
-}
-
-//line web/authorize.qtpl:27
-func (p *AuthPage) StreamBody(qw422016 *qt422016.Writer) {
-//line web/authorize.qtpl:27
-	qw422016.N().S(`
-  `)
-//line web/authorize.qtpl:28
-	if p.Client.Logo[0] != nil {
-//line web/authorize.qtpl:28
-		qw422016.N().S(`
-    <img
-      alt="`)
-//line web/authorize.qtpl:30
-		qw422016.E().S(p.Client.Name[0])
-//line web/authorize.qtpl:30
-		qw422016.N().S(`"
-      crossorigin="anonymous"
-      decoding="async"
-      height="140"
-      importance="high"
-      loading="lazy"
-      referrerpolicy="no-referrer-when-downgrade"
-      src="`)
-//line web/authorize.qtpl:37
-		qw422016.E().S(p.Client.Logo[0].String())
-//line web/authorize.qtpl:37
-		qw422016.N().S(`"
-      width="140">
-  `)
-//line web/authorize.qtpl:39
-	}
-//line web/authorize.qtpl:39
-	qw422016.N().S(`
-
-  <h2>`)
-//line web/authorize.qtpl:41
-	qw422016.E().S(p.Client.Name[0])
-//line web/authorize.qtpl:41
-	qw422016.N().S(`</h2>
-
-  <form
-    accept-charset="utf-8"
-    action="/api/authorize"
-    autocomplete="off"
-    enctype="application/x-www-form-urlencoded"
-    method="post"
-    novalidate="true"
-    target="_self">
-
+  <header>
     `)
-//line web/authorize.qtpl:52
-	if p.CSRF != "" {
-//line web/authorize.qtpl:52
+//line web/authorize.qtpl:26
+	if p.Client.GetLogo() != nil {
+//line web/authorize.qtpl:26
 		qw422016.N().S(`
-      <input
-        name="_csrf"
-        type="hidden"
-        value="`)
-//line web/authorize.qtpl:56
-		qw422016.E().S(p.CSRF)
-//line web/authorize.qtpl:56
+      <img
+        alt="`)
+//line web/authorize.qtpl:28
+		qw422016.E().S(p.Client.GetName())
+//line web/authorize.qtpl:28
+		qw422016.N().S(`"
+        crossorigin="anonymous"
+        decoding="async"
+        height="140"
+        importance="high"
+        loading="lazy"
+        referrerpolicy="no-referrer-when-downgrade"
+        src="`)
+//line web/authorize.qtpl:35
+		qw422016.E().S(p.Client.GetLogo().String())
+//line web/authorize.qtpl:35
+		qw422016.N().S(`"
+        width="140">
+    `)
+//line web/authorize.qtpl:37
+	}
+//line web/authorize.qtpl:37
+	qw422016.N().S(`
+
+    <h2>
+      `)
+//line web/authorize.qtpl:40
+	if p.Client.GetURL() != nil {
+//line web/authorize.qtpl:40
+		qw422016.N().S(`
+        <a href="`)
+//line web/authorize.qtpl:41
+		qw422016.E().S(p.Client.GetURL().String())
+//line web/authorize.qtpl:41
 		qw422016.N().S(`">
-    `)
-//line web/authorize.qtpl:57
+      `)
+//line web/authorize.qtpl:42
 	}
-//line web/authorize.qtpl:57
+//line web/authorize.qtpl:42
+	qw422016.N().S(`
+      `)
+//line web/authorize.qtpl:43
+	if p.Client.GetName() != "" {
+//line web/authorize.qtpl:43
+		qw422016.N().S(`
+        `)
+//line web/authorize.qtpl:44
+		qw422016.E().S(p.Client.GetName())
+//line web/authorize.qtpl:44
+		qw422016.N().S(`
+      `)
+//line web/authorize.qtpl:45
+	} else {
+//line web/authorize.qtpl:45
+		qw422016.N().S(`
+        `)
+//line web/authorize.qtpl:46
+		qw422016.E().S(p.Client.ID.String())
+//line web/authorize.qtpl:46
+		qw422016.N().S(`
+      `)
+//line web/authorize.qtpl:47
+	}
+//line web/authorize.qtpl:47
+	qw422016.N().S(`
+      `)
+//line web/authorize.qtpl:48
+	if p.Client.GetURL() != nil {
+//line web/authorize.qtpl:48
+		qw422016.N().S(`
+        </a>
+      `)
+//line web/authorize.qtpl:50
+	}
+//line web/authorize.qtpl:50
+	qw422016.N().S(`
+    </h2>
+  </header>
+
+  <main>
+    <form
+      accept-charset="utf-8"
+      action="/api/authorize"
+      autocomplete="off"
+      enctype="application/x-www-form-urlencoded"
+      method="post"
+      novalidate="true"
+      target="_self">
+
+      `)
+//line web/authorize.qtpl:64
+	if p.CSRF != nil {
+//line web/authorize.qtpl:64
+		qw422016.N().S(`
+        <input
+          type="hidden"
+          name="_csrf"
+          value="`)
+//line web/authorize.qtpl:68
+		qw422016.E().Z(p.CSRF)
+//line web/authorize.qtpl:68
+		qw422016.N().S(`">
+      `)
+//line web/authorize.qtpl:69
+	}
+//line web/authorize.qtpl:69
 	qw422016.N().S(`
 
-    <input
-      name="response_type"
-      type="hidden"
-      value="code">
-
-    <input
-      name="client_id"
-      type="hidden"
-      value="`)
-//line web/authorize.qtpl:67
-	qw422016.E().S(p.Client.URL[0].String())
-//line web/authorize.qtpl:67
-	qw422016.N().S(`">
-
-    <input
-      name="redirect_uri"
-      type="hidden"
-      value="`)
-//line web/authorize.qtpl:72
-	qw422016.E().S(p.RedirectURI.String())
-//line web/authorize.qtpl:72
-	qw422016.N().S(`">
-
-    <input
-      name="state"
-      type="hidden"
-      value="`)
-//line web/authorize.qtpl:77
-	qw422016.E().S(p.State)
-//line web/authorize.qtpl:77
-	qw422016.N().S(`">
-
-    `)
+      `)
+//line web/authorize.qtpl:71
+	for key, val := range map[string]string{
+		"client_id":     p.Client.ID.String(),
+		"redirect_uri":  p.RedirectURI.String(),
+		"response_type": p.ResponseType.String(),
+		"state":         p.State,
+	} {
+//line web/authorize.qtpl:76
+		qw422016.N().S(`
+        <input
+          type="hidden"
+          name="`)
 //line web/authorize.qtpl:79
+		qw422016.E().S(key)
+//line web/authorize.qtpl:79
+		qw422016.N().S(`"
+          value="`)
+//line web/authorize.qtpl:80
+		qw422016.E().S(val)
+//line web/authorize.qtpl:80
+		qw422016.N().S(`">
+      `)
+//line web/authorize.qtpl:81
+	}
+//line web/authorize.qtpl:81
+	qw422016.N().S(`
+
+      `)
+//line web/authorize.qtpl:83
+	if len(p.Scope) > 0 {
+//line web/authorize.qtpl:83
+		qw422016.N().S(`
+      <fieldset>
+        <legend>`)
+//line web/authorize.qtpl:85
+		p.StreamT(qw422016, "Choose your scopes")
+//line web/authorize.qtpl:85
+		qw422016.N().S(`</legend>
+
+        `)
+//line web/authorize.qtpl:87
+		for _, scope := range p.Scope {
+//line web/authorize.qtpl:87
+			qw422016.N().S(`
+          <div>
+            <label>
+              <input
+                type="checkbox"
+                name="scope[]"
+                value="`)
+//line web/authorize.qtpl:93
+			qw422016.E().S(scope.String())
+//line web/authorize.qtpl:93
+			qw422016.N().S(`"
+                checked>
+
+              `)
+//line web/authorize.qtpl:96
+			qw422016.E().S(scope.String())
+//line web/authorize.qtpl:96
+			qw422016.N().S(`
+            </label>
+          </div>
+        `)
+//line web/authorize.qtpl:99
+		}
+//line web/authorize.qtpl:99
+		qw422016.N().S(`
+      </fieldset>
+      `)
+//line web/authorize.qtpl:101
+	}
+//line web/authorize.qtpl:101
+	qw422016.N().S(`
+
+      `)
+//line web/authorize.qtpl:103
 	if p.CodeChallenge != "" {
-//line web/authorize.qtpl:79
+//line web/authorize.qtpl:103
 		qw422016.N().S(`
-      <input
-        name="code_challenge"
-        type="hidden"
-        value="`)
-//line web/authorize.qtpl:83
+        <input
+          type="hidden"
+          name="code_challenge"
+          value="`)
+//line web/authorize.qtpl:107
 		qw422016.E().S(p.CodeChallenge)
-//line web/authorize.qtpl:83
+//line web/authorize.qtpl:107
 		qw422016.N().S(`">
 
-      <input
-        name="code_challenge_method"
-        type="hidden"
-        value="`)
-//line web/authorize.qtpl:88
+        <input
+          type="hidden"
+          name="code_challenge_method"
+          value="`)
+//line web/authorize.qtpl:112
 		qw422016.E().S(p.CodeChallengeMethod.String())
-//line web/authorize.qtpl:88
+//line web/authorize.qtpl:112
 		qw422016.N().S(`">
-    `)
-//line web/authorize.qtpl:89
+      `)
+//line web/authorize.qtpl:113
 	}
-//line web/authorize.qtpl:89
+//line web/authorize.qtpl:113
 	qw422016.N().S(`
 
-    `)
-//line web/authorize.qtpl:91
-	if len(p.Scope) != 0 {
-//line web/authorize.qtpl:91
-		qw422016.N().S(`
-      <input
-        name="scope"
-        type="hidden"
-        value="`)
-//line web/authorize.qtpl:95
-		qw422016.E().S(p.Scope.String())
-//line web/authorize.qtpl:95
-		qw422016.N().S(`">
-    `)
-//line web/authorize.qtpl:96
-	}
-//line web/authorize.qtpl:96
-	qw422016.N().S(`
-
-    `)
-//line web/authorize.qtpl:98
+      `)
+//line web/authorize.qtpl:115
 	if p.Me != nil {
-//line web/authorize.qtpl:98
+//line web/authorize.qtpl:115
 		qw422016.N().S(`
-      <input
-        name="me"
-        type="hidden"
-        value="`)
-//line web/authorize.qtpl:102
+        <input
+          type="hidden"
+          name="me"
+          value="`)
+//line web/authorize.qtpl:119
 		qw422016.E().S(p.Me.String())
-//line web/authorize.qtpl:102
+//line web/authorize.qtpl:119
 		qw422016.N().S(`">
-    `)
-//line web/authorize.qtpl:103
+      `)
+//line web/authorize.qtpl:120
 	}
-//line web/authorize.qtpl:103
+//line web/authorize.qtpl:120
 	qw422016.N().S(`
 
-    <button
-      name="authorize"
-      type="submit"
-      value="deny">
+      <button
+        type="submit"
+        name="authorize"
+        value="deny">
 
-      `)
-//line web/authorize.qtpl:110
+        `)
+//line web/authorize.qtpl:127
 	p.StreamT(qw422016, "Deny")
-//line web/authorize.qtpl:110
+//line web/authorize.qtpl:127
 	qw422016.N().S(`
-    </button>
+      </button>
 
-    <button
-      name="authorize"
-      type="submit"
-      value="allow">
+      <button
+        type="submit"
+        name="authorize"
+        value="allow">
 
-      `)
-//line web/authorize.qtpl:118
+        `)
+//line web/authorize.qtpl:135
 	p.StreamT(qw422016, "Allow")
-//line web/authorize.qtpl:118
+//line web/authorize.qtpl:135
 	qw422016.N().S(`
-    </button>
-  </form>
+      </button>
+    </form>
+  </main>
 `)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 }
 
-//line web/authorize.qtpl:121
-func (p *AuthPage) WriteBody(qq422016 qtio422016.Writer) {
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
+func (p *AuthorizePage) WriteBody(qq422016 qtio422016.Writer) {
+//line web/authorize.qtpl:139
 	qw422016 := qt422016.AcquireWriter(qq422016)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 	p.StreamBody(qw422016)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 	qt422016.ReleaseWriter(qw422016)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 }
 
-//line web/authorize.qtpl:121
-func (p *AuthPage) Body() string {
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
+func (p *AuthorizePage) Body() string {
+//line web/authorize.qtpl:139
 	qb422016 := qt422016.AcquireByteBuffer()
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 	p.WriteBody(qb422016)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 	qs422016 := string(qb422016.B)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 	qt422016.ReleaseByteBuffer(qb422016)
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 	return qs422016
-//line web/authorize.qtpl:121
+//line web/authorize.qtpl:139
 }
diff --git a/web/callback.qtpl b/web/callback.qtpl
new file mode 100644
index 0000000..d03f25c
--- /dev/null
+++ b/web/callback.qtpl
@@ -0,0 +1,15 @@
+{% import "source.toby3d.me/website/indieauth/internal/domain" %}
+
+{% code type CallbackPage struct {
+  BaseOf
+  Token *domain.Token
+} %}
+
+{% collapsespace %}
+{% func (p *CallbackPage) Body() %}
+  {% if p.Token != nil %}
+    <h1>{%s p.Token.Me.String() %}</h1>
+    <small>{%s p.Token.AccessToken %}</small>
+  {% endif %}
+{% endfunc %}
+{% endcollapsespace %}
diff --git a/web/callback.qtpl.go b/web/callback.qtpl.go
new file mode 100644
index 0000000..7bfc26b
--- /dev/null
+++ b/web/callback.qtpl.go
@@ -0,0 +1,76 @@
+// Code generated by qtc from "callback.qtpl". DO NOT EDIT.
+// See https://github.com/valyala/quicktemplate for details.
+
+//line web/callback.qtpl:1
+package web
+
+//line web/callback.qtpl:1
+import "source.toby3d.me/website/indieauth/internal/domain"
+
+//line web/callback.qtpl:3
+import (
+	qtio422016 "io"
+
+	qt422016 "github.com/valyala/quicktemplate"
+)
+
+//line web/callback.qtpl:3
+var (
+	_ = qtio422016.Copy
+	_ = qt422016.AcquireByteBuffer
+)
+
+//line web/callback.qtpl:3
+type CallbackPage struct {
+	BaseOf
+	Token *domain.Token
+}
+
+//line web/callback.qtpl:9
+func (p *CallbackPage) StreamBody(qw422016 *qt422016.Writer) {
+//line web/callback.qtpl:9
+	qw422016.N().S(` `)
+//line web/callback.qtpl:10
+	if p.Token != nil {
+//line web/callback.qtpl:10
+		qw422016.N().S(` <h1>`)
+//line web/callback.qtpl:11
+		qw422016.E().S(p.Token.Me.String())
+//line web/callback.qtpl:11
+		qw422016.N().S(`</h1> <small>`)
+//line web/callback.qtpl:12
+		qw422016.E().S(p.Token.AccessToken)
+//line web/callback.qtpl:12
+		qw422016.N().S(`</small> `)
+//line web/callback.qtpl:13
+	}
+//line web/callback.qtpl:13
+	qw422016.N().S(` `)
+//line web/callback.qtpl:14
+}
+
+//line web/callback.qtpl:14
+func (p *CallbackPage) WriteBody(qq422016 qtio422016.Writer) {
+//line web/callback.qtpl:14
+	qw422016 := qt422016.AcquireWriter(qq422016)
+//line web/callback.qtpl:14
+	p.StreamBody(qw422016)
+//line web/callback.qtpl:14
+	qt422016.ReleaseWriter(qw422016)
+//line web/callback.qtpl:14
+}
+
+//line web/callback.qtpl:14
+func (p *CallbackPage) Body() string {
+//line web/callback.qtpl:14
+	qb422016 := qt422016.AcquireByteBuffer()
+//line web/callback.qtpl:14
+	p.WriteBody(qb422016)
+//line web/callback.qtpl:14
+	qs422016 := string(qb422016.B)
+//line web/callback.qtpl:14
+	qt422016.ReleaseByteBuffer(qb422016)
+//line web/callback.qtpl:14
+	return qs422016
+//line web/callback.qtpl:14
+}
diff --git a/web/home.qtpl b/web/home.qtpl
index 9911b99..04adc14 100644
--- a/web/home.qtpl
+++ b/web/home.qtpl
@@ -2,26 +2,24 @@
 
 {% code type HomePage struct {
   BaseOf
-  RedirectURI   []*domain.URL
-  Client        *domain.Client
-  AuthEndpoint,
-  State         string
+  Client *domain.Client
+  State  string
 } %}
 
 {% collapsespace %}
 {% func (p *HomePage) Head() %}
   {%= p.BaseOf.Head() %}
-  {% for i := range p.RedirectURI %}
-    <link rel="redirect_uri" href="{%s p.RedirectURI[i].String() %}">
+  {% for i := range p.Client.RedirectURI %}
+    <link rel="redirect_uri" href="{%s p.Client.RedirectURI[i].String() %}">
   {% endfor %}
 {% endfunc %}
 
 {% func (p *HomePage) Body() %}
-  <div class="h-app h-x-app">
+  <header class="h-app h-x-app">
     <img
       class="u-logo"
-      src="{%s p.Client.Logo[0].String() %}"
-      alt="{%s p.Client.Name[0] %}"
+      src="{%s p.Client.GetLogo().String() %}"
+      alt="{%s p.Client.GetName() %}"
       crossorigin="anonymous"
       decoding="async"
       height="140"
@@ -32,24 +30,27 @@
     <h1>
       <a
         class="p-name u-url"
-        href="{%s p.Client.URL[0].String() %}">
+        href="{%s p.Client.GetURL().String() %}">
 
-        {%s p.Client.Name[0] %}
+        {%s p.Client.GetName() %}
       </a>
     </h1>
+  </header>
 
+  <main>
     <form
       method="get"
-      action="{%s p.AuthEndpoint %}"
+      action="/authorize"
       enctype="application/x-www-form-urlencoded"
       accept-charset="utf-8"
       target="_self">
 
       {% for name, value := range map[string]string {
-        "client_id":      p.Client.ID.String(),
-        "redirect_uri":   p.Client.RedirectURI[0].String(),
-        "response_type":  "code",
-        "state":          p.State,
+        "client_id":     p.Client.ID.String(),
+        "redirect_uri":  p.Client.RedirectURI[0].String(),
+        "response_type": domain.ResponseTypeCode.String(),
+        "state":         p.State,
+        "scope":         domain.Scopes{domain.ScopeProfile, domain.ScopeEmail}.String(),
       } %}
         <input
           type="hidden"
@@ -57,11 +58,6 @@
           value="{%s value %}">
       {% endfor %}
 
-      <input
-        type="hidden"
-        name="scope"
-        value="{%s domain.ScopeProfile.String() %} {%s domain.ScopeEmail.String() %}">
-
       <input
         type="url"
         name="me"
@@ -72,6 +68,6 @@
 
       <button type="submit">{%= p.T("Sign In") %}</button>
     </form>
-  </div>
+  </main>
 {% endfunc %}
 {% endcollapsespace %}
diff --git a/web/home.qtpl.go b/web/home.qtpl.go
index 9efc90d..28916d4 100644
--- a/web/home.qtpl.go
+++ b/web/home.qtpl.go
@@ -23,143 +23,130 @@ var (
 //line web/home.qtpl:3
 type HomePage struct {
 	BaseOf
-	RedirectURI []*domain.URL
-	Client      *domain.Client
-	AuthEndpoint,
-	State string
+	Client *domain.Client
+	State  string
 }
 
-//line web/home.qtpl:12
+//line web/home.qtpl:10
 func (p *HomePage) StreamHead(qw422016 *qt422016.Writer) {
-//line web/home.qtpl:12
+//line web/home.qtpl:10
 	qw422016.N().S(` `)
-//line web/home.qtpl:13
+//line web/home.qtpl:11
 	p.BaseOf.StreamHead(qw422016)
-//line web/home.qtpl:13
+//line web/home.qtpl:11
 	qw422016.N().S(` `)
-//line web/home.qtpl:14
-	for i := range p.RedirectURI {
-//line web/home.qtpl:14
+//line web/home.qtpl:12
+	for i := range p.Client.RedirectURI {
+//line web/home.qtpl:12
 		qw422016.N().S(` <link rel="redirect_uri" href="`)
-//line web/home.qtpl:15
-		qw422016.E().S(p.RedirectURI[i].String())
-//line web/home.qtpl:15
+//line web/home.qtpl:13
+		qw422016.E().S(p.Client.RedirectURI[i].String())
+//line web/home.qtpl:13
 		qw422016.N().S(`"> `)
-//line web/home.qtpl:16
+//line web/home.qtpl:14
 	}
-//line web/home.qtpl:16
+//line web/home.qtpl:14
 	qw422016.N().S(` `)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 }
 
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 func (p *HomePage) WriteHead(qq422016 qtio422016.Writer) {
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	qw422016 := qt422016.AcquireWriter(qq422016)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	p.StreamHead(qw422016)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	qt422016.ReleaseWriter(qw422016)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 }
 
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 func (p *HomePage) Head() string {
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	qb422016 := qt422016.AcquireByteBuffer()
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	p.WriteHead(qb422016)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	qs422016 := string(qb422016.B)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	qt422016.ReleaseByteBuffer(qb422016)
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 	return qs422016
-//line web/home.qtpl:17
+//line web/home.qtpl:15
 }
 
-//line web/home.qtpl:19
+//line web/home.qtpl:17
 func (p *HomePage) StreamBody(qw422016 *qt422016.Writer) {
-//line web/home.qtpl:19
-	qw422016.N().S(` <div class="h-app h-x-app"> <img class="u-logo" src="`)
-//line web/home.qtpl:23
-	qw422016.E().S(p.Client.Logo[0].String())
-//line web/home.qtpl:23
+//line web/home.qtpl:17
+	qw422016.N().S(` <header class="h-app h-x-app"> <img class="u-logo" src="`)
+//line web/home.qtpl:21
+	qw422016.E().S(p.Client.GetLogo().String())
+//line web/home.qtpl:21
 	qw422016.N().S(`" alt="`)
-//line web/home.qtpl:24
-	qw422016.E().S(p.Client.Name[0])
-//line web/home.qtpl:24
+//line web/home.qtpl:22
+	qw422016.E().S(p.Client.GetName())
+//line web/home.qtpl:22
 	qw422016.N().S(`" crossorigin="anonymous" decoding="async" height="140" importance="high" referrerpolicy="no-referrer-when-downgrade" width="140"> <h1> <a class="p-name u-url" href="`)
-//line web/home.qtpl:35
-	qw422016.E().S(p.Client.URL[0].String())
-//line web/home.qtpl:35
+//line web/home.qtpl:33
+	qw422016.E().S(p.Client.GetURL().String())
+//line web/home.qtpl:33
 	qw422016.N().S(`"> `)
-//line web/home.qtpl:37
-	qw422016.E().S(p.Client.Name[0])
-//line web/home.qtpl:37
-	qw422016.N().S(` </a> </h1> <form method="get" action="`)
-//line web/home.qtpl:43
-	qw422016.E().S(p.AuthEndpoint)
-//line web/home.qtpl:43
-	qw422016.N().S(`" enctype="application/x-www-form-urlencoded" accept-charset="utf-8" target="_self"> `)
+//line web/home.qtpl:35
+	qw422016.E().S(p.Client.GetName())
+//line web/home.qtpl:35
+	qw422016.N().S(` </a> </h1> </header> <main> <form method="get" action="/authorize" enctype="application/x-www-form-urlencoded" accept-charset="utf-8" target="_self"> `)
 //line web/home.qtpl:48
 	for name, value := range map[string]string{
 		"client_id":     p.Client.ID.String(),
 		"redirect_uri":  p.Client.RedirectURI[0].String(),
-		"response_type": "code",
+		"response_type": domain.ResponseTypeCode.String(),
 		"state":         p.State,
+		"scope":         domain.Scopes{domain.ScopeProfile, domain.ScopeEmail}.String(),
 	} {
-//line web/home.qtpl:53
+//line web/home.qtpl:54
 		qw422016.N().S(` <input type="hidden" name="`)
-//line web/home.qtpl:56
+//line web/home.qtpl:57
 		qw422016.E().S(name)
-//line web/home.qtpl:56
+//line web/home.qtpl:57
 		qw422016.N().S(`" value="`)
-//line web/home.qtpl:57
+//line web/home.qtpl:58
 		qw422016.E().S(value)
-//line web/home.qtpl:57
+//line web/home.qtpl:58
 		qw422016.N().S(`"> `)
-//line web/home.qtpl:58
+//line web/home.qtpl:59
 	}
-//line web/home.qtpl:58
-	qw422016.N().S(` <input type="hidden" name="scope" value="`)
-//line web/home.qtpl:63
-	qw422016.E().S(domain.ScopeProfile.String())
-//line web/home.qtpl:63
-	qw422016.N().S(` `)
-//line web/home.qtpl:63
-	qw422016.E().S(domain.ScopeEmail.String())
-//line web/home.qtpl:63
-	qw422016.N().S(`"> <input type="url" name="me" placeholder="https://example.com/" inputmode="url" autocomplete="url" required> <button type="submit">`)
-//line web/home.qtpl:73
+//line web/home.qtpl:59
+	qw422016.N().S(` <input type="url" name="me" placeholder="https://example.com/" inputmode="url" autocomplete="url" required> <button type="submit">`)
+//line web/home.qtpl:69
 	p.StreamT(qw422016, "Sign In")
-//line web/home.qtpl:73
-	qw422016.N().S(`</button> </form> </div> `)
-//line web/home.qtpl:76
+//line web/home.qtpl:69
+	qw422016.N().S(`</button> </form> </main> `)
+//line web/home.qtpl:72
 }
 
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 func (p *HomePage) WriteBody(qq422016 qtio422016.Writer) {
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	qw422016 := qt422016.AcquireWriter(qq422016)
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	p.StreamBody(qw422016)
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	qt422016.ReleaseWriter(qw422016)
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 }
 
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 func (p *HomePage) Body() string {
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	qb422016 := qt422016.AcquireByteBuffer()
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	p.WriteBody(qb422016)
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	qs422016 := string(qb422016.B)
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	qt422016.ReleaseByteBuffer(qb422016)
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 	return qs422016
-//line web/home.qtpl:76
+//line web/home.qtpl:72
 }