diff --git a/phase-2/poc-2/AuthServer.js b/phase-2/poc-2/AuthServer.js index 9f63872..048d408 100644 --- a/phase-2/poc-2/AuthServer.js +++ b/phase-2/poc-2/AuthServer.js @@ -61,6 +61,16 @@ class AuthServer { `scope=${scopeStr}&` + `state=${stateStr}`; } + createAllowUrl({ clientId, code, scope, state }) { + console.log('creating callback url', clientId, code, scope, state); + const clientIdStr = encodeURIComponent(clientId); + const scopeStr = encodeURIComponent(scope); + const stateStr = encodeURIComponent(state); + return `/allow?` + + `scope=${scopeStr}&` + + `client_id=${clientIdStr}&` + + `state=${stateStr}`; + } } module.exports = { AuthServer }; \ No newline at end of file diff --git a/phase-2/poc-2/client.js b/phase-2/poc-2/client.js index d397a3a..817d40d 100644 --- a/phase-2/poc-2/client.js +++ b/phase-2/poc-2/client.js @@ -22,12 +22,12 @@ class Client { `scope=${encodeURIComponent(scope)}&` + `state=${encodeURI(state)}`; } - makeStartScreen() { + makeStartScreen(prefix) { return `
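Review bot: `createAllowUrl` destructures `code` and writes it to the log, but never puts it in the returned URL, so the only effect of passing an authorization code here is that it lands in stdout. The log text `'creating callback url'` also looks copied from the neighbouring method and will mislead anyone reading the logs. I would drop `code` from the parameter list and log only non-secret fields, e.g. `console.log('creating allow url', clientId, scope);`. The callers of this method are not visible in the diff, so confirm that none of them relies on `code` being accepted.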

SURF Research Cloud

Tokens:

@@ -57,6 +57,8 @@ class Client {

SURF Research Cloud

The remote WebDAV folder you shared as:

${scopeInfo.humanReadable['en-US']}

was successfully mounted! This client will be able to access it at:
${scopeInfo.protocols.webdav.url} +

Tokens:

+
${JSON.stringify(this.tokens, null, 2)}
`; } authServerRequest(url, code) { diff --git a/phase-2/poc-2/clientApp.js b/phase-2/poc-2/clientApp.js index dac7685..1bb22c9 100644 --- a/phase-2/poc-2/clientApp.js +++ b/phase-2/poc-2/clientApp.js @@ -16,7 +16,7 @@ http.createServer(async (req, res) => { const scopeInfo = await client.fetchScopeInfo(code); res.end(client.makeCallbackScreen(scopeInfo)); } else { - res.end(client.makeStartScreen()); + res.end(client.makeStartScreen('surf-research-cloud-')); } }).listen(OUR_PORT); console.log(`Client is running on port ${OUR_PORT}`); diff --git a/phase-2/poc-2/primaryAuth.js b/phase-2/poc-2/primaryAuth.js index 626321e..26a973d 100644 --- a/phase-2/poc-2/primaryAuth.js +++ b/phase-2/poc-2/primaryAuth.js @@ -22,6 +22,19 @@ const server = new AuthServer({ clients }); +function handleOverview(req, res, serverData) { + res.writeHead(200, {'Content-Type': 'text/html'}); + res.write(` + +
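Review bot: The added `${JSON.stringify(this.tokens, null, 2)}` writes the client's tokens straight into the HTML response, so they end up in the browser, its cache and any proxy in between. `JSON.stringify` does not HTML-escape either, so a `<` inside any value is parsed as markup. The same pattern is added with `server.getData()` on the primaryAuth consent page and on the secondaryAuth `/authorize` and `/allow` pages, where the dump presumably contains other transactions' codes and tickets and is shown to whoever loads the page. If the dump is wanted for the demo, put it behind an explicit debug switch and escape it before interpolating, with a comment such as `// DEBUG ONLY: exposes live tokens/grants, never enable outside the PoC`. The enclosing template literal starts outside this hunk.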

Auth server (SRAM)

+ Here are some services you may want to share resources from, connected to your account: + `); +} + http.createServer(async (req, res) => { console.log(req.url.toString()); if (req.url.startsWith('/callback')) { @@ -33,7 +46,7 @@ http.createServer(async (req, res) => { const clientLabel = clients[clientId].label; const clientRedirectUri = clients[clientId].redirectUri; const upstreamInfo = await client.fetchScopeInfo(upstreamCode); - const downstreamCode = makeid(8); + const downstreamCode = makeid('primary-code-', 8); const downstreamScopeId = 'research-drive:' + upstreamScope; server.storeGrant(downstreamCode, downstreamScopeId); server.storeScopeInfo(downstreamScopeId, { @@ -54,7 +67,10 @@ http.createServer(async (req, res) => { res.end(`
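Review bot: `handleOverview` calls `res.writeHead` and `res.write` but never `res.end()`, so every request that falls through to the new `else` branch leaves the response open until the client or socket times out. That ties up a connection per unmatched URL, which is a cheap way to exhaust the server. Ending the response with the body, `res.end(...)` in place of `res.write(...)`, fixes it. The `serverData` parameter is passed in but, as far as the visible text shows, not used. The identical function added to secondaryAuth.js has the same problem.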

Are you sure?

- Are you sure you want to share "${upstreamInfo.humanReadable['en-US']}" with client "${clientLabel}"?
yes / no`); + Are you sure you want to share "${upstreamInfo.humanReadable['en-US']}" with client "${clientLabel}"?
yes / no +

Data:

+
${JSON.stringify(server.getData(), null, 2)}
+ `); } else if (req.url?.startsWith('/authorize')) { const url_parts = url.parse(req.url, true); const query = url_parts.query; @@ -63,7 +79,7 @@ http.createServer(async (req, res) => { console.log(`need to pick ${query.scope}!`); if (query.state && query.client_id) { const clientState = query.state; - const upstreamTicket = makeid(8); + const upstreamTicket = makeid('primary-ticket-', 8); server.storeTicket(upstreamTicket, { clientState, clientId: query.client_id }); const upstreamUrl = client.makeAuthorizeUrl(query.scope, upstreamTicket); res.end(` @@ -84,6 +100,8 @@ http.createServer(async (req, res) => { server.handleToken(req, res); } else if (req.url?.startsWith('/scope')) { server.handleScopeInfo(req, res); + } else { + handleOverview(req, res, server.getData()); } }).listen(OUR_PORT); console.log(`Primary is running on port ${OUR_PORT}`); diff --git a/phase-2/poc-2/secondaryAuth.js b/phase-2/poc-2/secondaryAuth.js index 605e63d..43a147f 100644 --- a/phase-2/poc-2/secondaryAuth.js +++ b/phase-2/poc-2/secondaryAuth.js @@ -49,31 +49,26 @@ const data = { } }; +function handleOverview(req, res, serverData) { + res.writeHead(200, {'Content-Type': 'text/html'}); + res.write(` + +

Auth server (SRAM)

+ Here are some services you may want to share resources from, connected to your account: + `); +} + http.createServer((req, res) => { console.log(req.url.toString()); if (req.url?.startsWith('/authorize')) { - const scopeId = makeid(8); - const code = makeid(16); - server.storeGrant(code, scopeId); const url_parts = url.parse(req.url, true); const query = url_parts.query; const clientId = query.client_id; const state = query.state; - console.log(`new transaction; minting scope ${scopeId} with code ${code}`, query); - // FIXME: store this _after_ the user consents, not before! - server.storeScopeInfo(scopeId, { - type: "ticket", - humanReadable: { - "en-US": "photos -> 2023 -> January" - }, - machineReadableInternal: "RD://pietjepuk/files/photos/2023/January", - protocols: { - webdav: { - url: "https://dav.rd123.surf.nl:4523/pietjepuk/files/photos/2023/January", - "protocol-version": "8.6n" - } - } - }); res.writeHead(200, {'Content-Type': 'text/html'}); res.end(` @@ -85,7 +80,7 @@ http.createServer((req, res) => {
  • 2021
  • 2022
  • 2023
  • @@ -93,12 +88,44 @@ http.createServer((req, res) => {

    Data:

    ${JSON.stringify(server.getData(), null, 2)}
    - `); - } else if (req.url?.startsWith('/token')) { + } else if (req.url?.startsWith('/allow')) { + const scopeId = makeid('secondary-scope-', 8); + const code = makeid('secondary-code-', 16); + server.storeGrant(code, scopeId); + const url_parts = url.parse(req.url, true); + const query = url_parts.query; + const clientId = query.client_id; + const state = query.state; + console.log(`new transaction; minting scope ${scopeId} with code ${code}`, query); + // FIXME: store this _after_ the user consents, not before! + server.storeScopeInfo(scopeId, { + type: "ticket", + humanReadable: { + "en-US": "photos -> 2023 -> January" + }, + machineReadableInternal: "RD://pietjepuk/files/photos/2023/January", + protocols: { + webdav: { + url: "https://dav.rd123.surf.nl:4523/pietjepuk/files/photos/2023/January", + "protocol-version": "8.6n" + } + } + }); + res.writeHead(200, {'Content-Type': 'text/html'}); + res.end(` + + back to where you came from +

    Data:

    +
    ${JSON.stringify(server.getData(), null, 2)}
    + + `); + } else if (req.url?.startsWith('/token')) { server.handleToken(req, res); } else if (req.url?.startsWith('/scope')) { server.handleScopeInfo(req, res); + } else { + handleOverview(req, res, server.getData()); } }).listen(OUR_PORT); console.log(`Secondary is running on port ${OUR_PORT}`); diff --git a/phase-2/poc-2/util.js b/phase-2/poc-2/util.js index a1f8b9b..e94406a 100644 --- a/phase-2/poc-2/util.js +++ b/phase-2/poc-2/util.js @@ -1,4 +1,4 @@ -function makeid(length) { +function makeid(prefix, length) { let result = ''; const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; const charactersLength = characters.length; @@ -7,7 +7,7 @@ function makeid(length) { result += characters.charAt(Math.floor(Math.random() * charactersLength)); counter += 1; } - return result; + return prefix + result; } module.exports = {
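Review bot: The new `/allow` branch calls `server.storeGrant(code, scopeId)` and `server.storeScopeInfo(...)` on any GET whose path starts with `/allow`, before the query is even parsed. Nothing ties the request to a transaction that went through `/authorize`, and `client_id` and `state` are taken from the query without checking them against a registered client. Because the grant is minted on a plain GET, any page the user visits can trigger it cross-site, and the carried-over FIXME about storing only after consent still applies. I would record the pending transaction in `/authorize`, have `/allow` accept only a POST that references it, and add `// only mint the grant for a transaction recorded in /authorize and a registered client_id` above the `storeGrant` call. The markup of the "back" link is not visible here, so also check that the values it interpolates are encoded.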
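Review bot: `makeid` still draws its characters with `Math.random()`, and this commit now uses it for values named `primary-code-`, `secondary-code-` and `primary-ticket-`, which act as authorization codes and tickets. `Math.random()` is not a cryptographic generator, so its output can be predicted from observed values, and the fixed public prefix adds no entropy. Use the Node crypto module instead: `const crypto = require('node:crypto');` at the top of the file and `result += characters.charAt(crypto.randomInt(charactersLength));` in the loop. The new `(prefix, length)` order also means that a caller left on `makeid(8)` gets `length === undefined`, the loop never runs, and it returns the constant string `"8"`, so a guard like `if (!Number.isInteger(length)) throw new TypeError('length required');` is worth adding.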