diff --git a/pkg/jwtmanager/jwtmanager.go b/pkg/jwtmanager/jwtmanager.go
index 4249e5b5..83eb601a 100644
--- a/pkg/jwtmanager/jwtmanager.go
+++ b/pkg/jwtmanager/jwtmanager.go
@@ -90,11 +90,9 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt
 // https://godoc.org/github.com/dgrijalva/jwt-go#NewWithClaims
 token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
- log.Debugf("token: %v", token)
 // log.Debugf("token: %v", token)
- log.Debugf("token expires: %d", claims.StandardClaims.ExpiresAt)
- log.Debugf("diff from now: %d", claims.StandardClaims.ExpiresAt-time.Now().Unix())
+ log.Debugf("token created, expires: %d diff from now: %d", claims.StandardClaims.ExpiresAt, claims.StandardClaims.ExpiresAt-time.Now().Unix())
 // token -> string. Only server knows this secret (foobar).
 ss, err := token.SignedString([]byte(cfg.Cfg.JWT.Secret))
@@ -103,7 +101,10 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt
 log.Errorf("signed token error: %s", err)
 }
 if cfg.Cfg.JWT.Compress {
- return compressAndEncodeTokenString(ss)
+ ss, err = compressAndEncodeTokenString(ss)
+ if ss == "" || err != nil {
+ log.Errorf("compressed token error: %s", err)
+ }
 }
 return ss
 }
@@ -141,10 +142,10 @@ func SiteInToken(site string, token *jwt.Token) bool {
 // ParseTokenString converts signed token to jwt struct
 func ParseTokenString(tokenString string) (*jwt.Token, error) {
- log.Debugf("tokenString %s", tokenString)
+ log.Debugf("tokenString length: %d", len(tokenString))
 if cfg.Cfg.JWT.Compress {
 tokenString = decodeAndDecompressTokenString(tokenString)
- log.Debugf("decompressed tokenString %s", tokenString)
+ log.Debugf("decompressed tokenString length %d", len(tokenString))
 }
 return jwt.ParseWithClaims(tokenString, &VouchClaims{}, func(token *jwt.Token) (interface{}, error) {
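Review bot: The commented-out `// log.Debugf("token: %v", token)` kept between the two deleted debug lines is now dead code, and it is the one line that would print the full unsigned token struct (all claims) if someone uncomments it; since the point of this hunk is to stop logging token contents, delete that line too rather than leaving it dormant. `CreateUserTokenString` begins above and ends below this hunk.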
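Review bot: The new compression branch logs a failure but still falls through to `return ss`, so `CreateUserTokenString` hands the caller an empty string as if it were a token; the signing error logged at the top of this hunk has the same shape, and worse, when `cfg.Cfg.JWT.Compress` is set the empty `ss` left by a failed `SignedString` is gzipped into a non-empty but meaningless value that the caller cannot tell from a real token. Because the return type carries no error, fail fast on both paths: add `return ""` right after `log.Errorf("signed token error: %s", err)`, and replace the `ss == "" || err != nil` test with `if err != nil { log.Errorf("compressed token error: %s", err); return "" }` — the helper returns `""` exactly when it returns a non-nil error (see its hunk at line 207 of the same file), so the extra string comparison adds nothing. The `if err != nil` guard around the signing error and the rest of the function lie outside this hunk.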
@@ -184,19 +185,6 @@ func PTokenClaims(ptoken *jwt.Token) (*VouchClaims, error) {
 return ptokenClaims, nil
 }
-// PTokenToUsername returns the Username in the validated ptoken
-func PTokenToUsername(ptoken *jwt.Token) (string, error) {
- return ptoken.Claims.(*VouchClaims).Username, nil
-
- // var ptokenClaims VouchClaims
- // ptokenClaims, err := PTokenClaims(ptoken)
- // if err != nil {
- // log.Error(err)
- // return "", err
- // }
- // return ptokenClaims.Username, nil
-}
-
 func decodeAndDecompressTokenString(encgzipss string) string {
 var gzipss []byte
@@ -219,20 +207,20 @@ func decodeAndDecompressTokenString(encgzipss string) string {
 return string(ss)
 }
-func compressAndEncodeTokenString(ss string) string {
+func compressAndEncodeTokenString(ss string) (string, error) {
 var buf bytes.Buffer
 zw := gzip.NewWriter(&buf)
 if _, err := zw.Write([]byte(ss)); err != nil {
- log.Fatal(err)
+ return "", err
 }
 if err := zw.Close(); err != nil {
- log.Fatal(err)
+ return "", err
 }
 ret := base64.URLEncoding.EncodeToString(buf.Bytes())
 // ret := url.QueryEscape(buf.String())
- log.Debugf("compressed string: %s", ret)
- return ret
+ log.Debugf("token compressed: was %d bytes, now %d", len(ss), len(ret))
+ return ret, nil
 }
 // FindJWT look for JWT in Cookie, JWT Header, Authorization Header (OAuth2 Bearer Token)
@@ -271,17 +259,14 @@ func ClaimsFromJWT(jwt string) (*VouchClaims, error) {
 jwtParsed, err := ParseTokenString(jwt)
 if err != nil {
- // it didn't parse, which means its bad, start over
- log.Error("jwtParsed returned error, clearing cookie")
- return claims, err
+ return nil, err
 }
 claims, err = PTokenClaims(jwtParsed)
 if err != nil {
 // claims = jwtmanager.PTokenClaims(jwtParsed)
 // if claims == &jwtmanager.VouchClaims{} {
- return claims, err
+ return nil, err
 }
- log.Debugf("JWT Claims: %+v", claims)
 return claims, nil
 }
diff --git a/pkg/jwtmanager/jwtmanager_test.go b/pkg/jwtmanager/jwtmanager_test.go
index 24817dea..f696e0f2 100644
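Review bot: `compressAndEncodeTokenString` can now report failure, but its counterpart `decodeAndDecompressTokenString` (signature in this hunk's header, body ending in `return string(ss)`) still returns only a string, so a malformed, truncated or non-gzip cookie value — input the client fully controls — has no way to signal an error to `ParseTokenString` and is passed on to `jwt.ParseWithClaims` as whatever the decoder happened to produce. Give it the symmetric signature `func decodeAndDecompressTokenString(encgzipss string) (string, error)` and have `ParseTokenString` return that error before attempting to parse. The decoder's body is not shown here; if it reads the whole gzip stream into memory, the reader should also be wrapped in an `io.LimitReader` so an attacker-supplied cookie cannot inflate into an unbounded buffer — worth confirming against the full function.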
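Review bot: Returning `nil, err` on both failure paths changes the error-path contract of `ClaimsFromJWT` — callers previously got back the `claims` value declared above this hunk — so any call site that reads the first result before checking `err` will now dereference nil; the commit does not show the call sites, so that is worth confirming. With the "clearing cookie" log gone the parse failure is now silent at this layer, which is fine only if the caller logs or acts on the returned error. The two commented-out lines left in the second error branch, `// claims = jwtmanager.PTokenClaims(jwtParsed)` and `// if claims == &jwtmanager.VouchClaims{} {`, are dead and should go with the other debugging removed here. The function header and the `claims` declaration sit outside this hunk.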
--- a/pkg/jwtmanager/jwtmanager_test.go
+++ b/pkg/jwtmanager/jwtmanager_test.go
@@ -59,22 +59,6 @@ func init() {
 json.Unmarshal([]byte(claimjson), &customClaims.Claims)
 }
-func TestCreateUserTokenStringAndParseToUsername(t *testing.T) {
-
- uts := CreateUserTokenString(u1, customClaims, t1)
- assert.NotEmpty(t, uts)
-
- utsParsed, err := ParseTokenString(uts)
- if utsParsed == nil || err != nil {
- t.Error(err)
- } else {
- log.Debugf("test parsed token string %v", utsParsed)
- ptUsername, _ := PTokenToUsername(utsParsed)
- assert.Equal(t, u1.Username, ptUsername)
- }
-
-}
-
 func TestClaims(t *testing.T) {
 populateSites()
 log.Debugf("jwt config %s %d", string(cfg.Cfg.JWT.Secret), cfg.Cfg.JWT.MaxAge)
@@ -91,5 +75,4 @@ func TestClaims(t *testing.T) {
 log.Infof("utsParsed: %+v", utsParsed)
 log.Infof("Sites: %+v", Sites)
 assert.True(t, SiteInToken(cfg.Cfg.Domains[0], utsParsed))
-
 }
diff --git a/pkg/providers/common/common.go b/pkg/providers/common/common.go
index 6e0566b0..363e98ef 100644
--- a/pkg/providers/common/common.go
+++ b/pkg/providers/common/common.go
@@ -15,28 +15,29 @@ import (
 "encoding/json"
 "net/http"
- "github.com/vouch/vouch-proxy/pkg/cfg"
- "github.com/vouch/vouch-proxy/pkg/structs"
 "go.uber.org/zap"
 "golang.org/x/oauth2"
+
+ "github.com/vouch/vouch-proxy/pkg/cfg"
+ "github.com/vouch/vouch-proxy/pkg/structs"
 )
 var log *zap.SugaredLogger
-// configure see main.go configure()
+// Configure see main.go configure()
 func Configure() {
 log = cfg.Logging.Logger
 }
 // PrepareTokensAndClient setup the client, usually for a UserInfo request
-func PrepareTokensAndClient(r *http.Request, ptokens *structs.PTokens, setpid bool) (*http.Client, *oauth2.Token, error) {
+func PrepareTokensAndClient(r *http.Request, ptokens *structs.PTokens, setProviderToken bool) (*http.Client, *oauth2.Token, error) {
 providerToken, err := cfg.OAuthClient.Exchange(context.TODO(), r.URL.Query().Get("code"))
 if err != nil {
 return nil, nil, err
 }
 ptokens.PAccessToken = providerToken.AccessToken
- if setpid {
+ if setProviderToken {
 if providerToken.Extra("id_token") != nil {
 // Certain providers (eg. gitea) don't provide an id_token
 // and it's not necessary for the authentication phase
@@ -46,7 +47,7 @@ func PrepareTokensAndClient(r *http.Request, ptokens *structs.PTokens, setpid bo
 }
 }
- log.Debugf("ptokens: %+v", ptokens)
+ log.Debugf("ptokens: accessToken length: %d, IdToken length: %d", len(ptokens.PAccessToken), len(ptokens.PIdToken))
 client := cfg.OAuthClient.Client(context.TODO(), providerToken)
 return client, providerToken, err
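Review bot: `PrepareTokensAndClient` performs the code exchange with `context.TODO()` even though it has the incoming request in hand, so the outbound call to the provider keeps running after the client has disconnected or the server has timed the request out; use `providerToken, err := cfg.OAuthClient.Exchange(r.Context(), r.URL.Query().Get("code"))`, and the same `r.Context()` for the `cfg.OAuthClient.Client(...)` call in the next hunk if, as the doc comment suggests, the returned client is only used for the UserInfo request within this same handler. The capitalised `// Configure see main.go configure()` now satisfies the linter but still says nothing; `// Configure sets this package's logger from cfg.Logging.Logger; call it once the config has been loaded (main.go's configure()).` documents the one thing it does. The renamed `setProviderToken` parameter is undocumented as well — something like `// setProviderToken controls whether the provider's id_token, when present, is also stored on ptokens` on the function's doc comment, hedged because the branch body continues past the end of this hunk and is not visible here.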