diff --git a/.github/workflows/PR-validation.yml b/.github/workflows/PR-validation.yml
new file mode 100644
index 00000000..ca26694c
--- /dev/null
+++ b/.github/workflows/PR-validation.yml
@@ -0,0 +1,53 @@
+name: PR validation
+on:
+  pull_request:
+    types: [synchronize, opened, reopened, edited]
+    branches:
+      - master
+jobs:
+  test-api:
+    permissions:
+      id-token: write # Required for authentication through OIDC to AWS
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Report workflow details
+        run: |
+          echo "Repository ${{ github.repository }}."
+          echo "Trigger ref ${{ github.ref }}, base-ref ${{ github.base_ref }}, head_ref ${{ github.head_ref }}."
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Report files updated in PR
+        run: |
+          git fetch -q origin ${{ github.base_ref }} ${{ github.head_ref }}
+          git diff --name-only origin/${{ github.base_ref }} origin/${{ github.head_ref }}
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+      - name: Install clojure and clojure cli (clj)
+        uses: DeLaGuardo/setup-clojure@12.3
+        with:
+          cli: 1.10.1.536
+      - name: Report runtime details
+        run: |
+          echo "Github runner OS: ${{ runner.os }}"
+      - name: AWS credentials configuration
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
+          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-test-api
+          aws-region: us-east-1
+      - name: Download and install Datomic Pro
+        run: |
+          aws s3 cp s3://wormbase/datomic-pro/distro/datomic-pro-1.0.6165.zip ./
+          unzip datomic-pro-1.0.6165.zip
+          cd datomic-pro-1.0.6165/
+          bin/maven-install
+      - name: Generate pom file
+        run: |
+          clojure -Spom
+      - name: Run Integration tests
+        run: |
+          make run-tests GOOGLE_APP_PROFILE=dev
+  #TODO: add UI and API build and container packaging test
diff --git a/Makefile b/Makefile
index 789028bb..27c3ae62 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 ECR_REPO_NAME := wormbase/names
 EB_APP_ENV_FILE := app-env.config
-PROJ_NAME ?= wormbase-names
-LOCAL_GOOGLE_REDIRECT_URI = "http://lvh.me:3000"
+PROJ_NAME ?= wormbase-names-dev
+LOCAL_GOOGLE_REDIRECT_URI := "http://lvh.me:3000"
 ifeq ($(PROJ_NAME), wormbase-names)
 	WB_DB_URI ?= "datomic:ddb://us-east-1/WSNames/wormbase"
 	GOOGLE_REDIRECT_URI ?= "https://names.wormbase.org"
@@ -11,7 +11,7 @@ else ifeq ($(PROJ_NAME), wormbase-names-test)
 	GOOGLE_REDIRECT_URI ?= "https://test-names.wormbase.org"
 	GOOGLE_APP_PROFILE ?= "prod"
 else
-	WB_DB_URI ?= "datomic:ddb://us-east-1/WSNames-test-14/wormbase"
+	WB_DB_URI ?= "datomic:ddb-local://localhost:8000/WBNames_local/wormbase"
 #   Ensure GOOGLE_REDIRECT_URI is defined appropriately as an env variable or CLI argument
 #   if intended for AWS deployment (default is set for local execution)
 	GOOGLE_REDIRECT_URI ?= ${LOCAL_GOOGLE_REDIRECT_URI}
@@ -235,14 +235,17 @@ run-tests: google-oauth2-secrets \
 	@ export API_GOOGLE_OAUTH_CLIENT_ID=${GOOGLE_OAUTH_CLIENT_ID} && \
 	  export API_GOOGLE_OAUTH_CLIENT_SECRET=${GOOGLE_OAUTH_CLIENT_SECRET} && \
 	  export GOOGLE_REDIRECT_URI=${LOCAL_GOOGLE_REDIRECT_URI} && \
-	  clj -A:datomic-pro:webassets:dev:test:run-tests
+	  clojure -A:datomic-pro:logging:webassets:dev:test:run-tests
 
 .PHONY: run-dev-server
+run-dev-webserver: PORT := 4010
 run-dev-webserver: google-oauth2-secrets \
                    $(call print-help,run-dev-webserver PORT=<port> WB_DB_URI=<datomic-uri> \
 				   GOOGLE_REDIRECT_URI=<google-redirect-uri>,\
                    Run a local development webserver.)
-	@ export API_GOOGLE_OAUTH_CLIENT_ID=${GOOGLE_OAUTH_CLIENT_ID} && \
+	@ export WB_DB_URI=${WB_DB_URI} && export PORT=${PORT} && \
+	 export GOOGLE_REDIRECT_URI=${GOOGLE_REDIRECT_URI} && \
+	 export API_GOOGLE_OAUTH_CLIENT_ID=${GOOGLE_OAUTH_CLIENT_ID} && \
 	 export API_GOOGLE_OAUTH_CLIENT_SECRET=${GOOGLE_OAUTH_CLIENT_SECRET} && \
 	 clj -A:logging:datomic-pro:webassets:dev -m wormbase.names.service
 
@@ -259,7 +262,7 @@ run-dev-ui: google-oauth2-secrets\
 .PHONY: google-oauth2-secrets
 google-oauth2-secrets: \
                        $(call print-help,google-oauth2-secrets,\
-                       Store the Google oauth2 client details in a secrets file.)
+                       Store the Google oauth2 client details as env variables.)
 	$(eval GOOGLE_OAUTH_CLIENT_ID = $(shell aws ssm get-parameter --name "/name-service/${GOOGLE_APP_PROFILE}/google-oauth2-app-config/client-id" --query "Parameter.Value" --output text --with-decryption))
 	$(call check_defined, GOOGLE_OAUTH_CLIENT_ID)
 	$(eval GOOGLE_OAUTH_CLIENT_SECRET = $(shell aws ssm get-parameter --name "/name-service/${GOOGLE_APP_PROFILE}/google-oauth2-app-config/client-secret" --query "Parameter.Value" --output text --with-decryption))
diff --git a/README.md b/README.md
index 4004c7c1..c3aa6a57 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@
     * [REST API](#rest-api)
        - [Tools](#tools)
           * [Running a Clojure REPL](#running-a-clojure-repl)
+          * [Debug printing](#debug-printing)
     * [Client app (web interface)](#client-app-web-interface)
  - [Testing](#testing)
  - [Release & deployment](#release--deployment)
@@ -152,6 +153,28 @@ This can be done via the following command:
 clj -A:outdated
 ```
 
+#### Debug printing
+Standard logging is done using `ch.qos.logback/logback` (`-classic` and `-core`), but this is not flexible
+for limited-scale (local) debug printing during coding and debugging. To enable more flexible debug printing:
+
+ 1. In the file you want to enable temporary debug printing, replace the loading of the `clojure.tools.logging` library
+    with the `taoensso.timbre` library instead (using the same `:log` alias).
+
+ 2. Add the following line below the library loading section
+    ```clojure
+    (log/merge-config! {:level :debug})
+    ```
+    This will enable all log printing up to debug level within that file,
+    but leave the application-default logging outside of it, enabling a
+    more focused log inspection.
+
+ 3. Add any additional debug logging with the standard `(log/debug "string" object)`
+
+`taoensso.timbre` will by default print logs to the following format:
+```
+<date> <timestamp> <device-name> <LOGLEVEL> [<namespace>] - <log message>
+```
+
 ### Client app (web interface)
 Correct functionality of the client app can be tested in two ways:
 - Running a client development server (during development), to test individual functionality. See [instructions below](#local-rest).
@@ -276,7 +299,7 @@ To deploy an update for the main application, change your working dir
 to the repository root dir and execute the following commands (bash):
 ```bash
 # Build the client application to ensure no errors occur.
-make ui-build
+make ui-build GOOGLE_APP_PROFILE=prod
 
 # Generate the pom.xml file (not version-controlled)
 # to ensure no errors occur (in API code)
@@ -309,12 +332,12 @@ sudo service docker start
 # NOTE: To deploy a tagged or branched codeversion that does not equal your (potentially dirty) working-dir content,
 #       use the additional argument REF_NAME=<ref-name>
 #       E.g. make release AWS_PROFILE=wormbase REF_NAME=wormbase-names-1.4.7
-make release [AWS_PROFILE=<profile_name>]
+make release [AWS_PROFILE=<profile_name>] GOOGLE_APP_PROFILE=prod
 
 # Deploy the application to an EB environmnent.
 # Before execution:
-# * Ensure to specify the correct EB environment name, in order to prevent
-#   accidental deployments to the production environment!
+# * Ensure to specify the correct EB environment name,
+#   (otherwise deployment to non-existing dev environment will be attempted)
 # * Check if the hard-coded WB_DB_URI default (see MakeFile) applies.
 #   If not, define WB_DB_URI to point to the appropriate datomic DB.
 # * Ensure to define the correct GOOGLE_REDIRECT_URI for google authentication (http://lvh.me:3000 when developing locally)
diff --git a/client/package-lock.json b/client/package-lock.json
index fafd0ff0..9ef97ea1 100644
--- a/client/package-lock.json
+++ b/client/package-lock.json
@@ -1585,9 +1585,9 @@
       }
     },
     "@react-oauth/google": {
-      "version": "0.8.0",
-      "resolved": "https://registry.npmjs.org/@react-oauth/google/-/google-0.8.0.tgz",
-      "integrity": "sha512-xmIhYvvaBSblOzo3Fqv762lqub92SOFR8eRR7QpPyFPZEXZcOymaMuEkRSUKUrbu+9wfB8qtOaGMRJzrN7U2PA=="
+      "version": "0.12.1",
+      "resolved": "https://registry.npmjs.org/@react-oauth/google/-/google-0.12.1.tgz",
+      "integrity": "sha512-qagsy22t+7UdkYAiT5ZhfM4StXi9PPNvw0zuwNmabrWyMKddczMtBIOARflbaIj+wHiQjnMAsZmzsUYuXeyoSg=="
     },
     "@samverschueren/stream-to-observable": {
       "version": "0.3.0",
diff --git a/client/package.json b/client/package.json
index 7575e7db..15931d51 100644
--- a/client/package.json
+++ b/client/package.json
@@ -15,7 +15,7 @@
   "dependencies": {
     "@material-ui/core": "3.9.2",
     "@material-ui/icons": "3.0.2",
-    "@react-oauth/google": "^0.8.0",
+    "@react-oauth/google": "0.12.x",
     "classnames": "2.2.6",
     "copy-to-clipboard": "3.2.0",
     "react-copy-to-clipboard": "5.1.0",
diff --git a/client/src/App.js b/client/src/App.js
index 2000f5b1..a353fdf9 100644
--- a/client/src/App.js
+++ b/client/src/App.js
@@ -7,8 +7,10 @@ import Main from './containers/Main';
 import { theme, MuiThemeProvider } from './components/elements';
 
 export default () => (
-  <GoogleOAuthProvider clientId={process.env.REACT_APP_GOOGLE_OAUTH_CLIENT_ID}>
-    <React.StrictMode>
+  <React.StrictMode>
+    <GoogleOAuthProvider
+      clientId={process.env.REACT_APP_GOOGLE_OAUTH_CLIENT_ID}
+    >
       <BrowserRouter>
         <Authenticate>
           <EntityTypesContextProvider>
@@ -18,6 +20,6 @@ export default () => (
           </EntityTypesContextProvider>
         </Authenticate>
       </BrowserRouter>
-    </React.StrictMode>
-  </GoogleOAuthProvider>
+    </GoogleOAuthProvider>
+  </React.StrictMode>
 );
diff --git a/client/src/components/elements/SpeciesSelect.js b/client/src/components/elements/SpeciesSelect.js
index b44c8a31..88e33df1 100644
--- a/client/src/components/elements/SpeciesSelect.js
+++ b/client/src/components/elements/SpeciesSelect.js
@@ -7,7 +7,7 @@ import { useDataFetch } from '../../containers/Authenticate';
 
 const SpeciesSelect = (props) => {
   const memoizedFetchFunc = useCallback(
-    (authorizedFetch) =>
+    (fetchFn) =>
       mockFetchOrNot(
         (mockFetch) => {
           return mockFetch.get('*', [
@@ -27,7 +27,7 @@ const SpeciesSelect = (props) => {
           ]);
         },
         () =>
-          authorizedFetch(`/api/species`, {
+          fetchFn(`/api/species`, {
             method: 'GET',
           })
       ),
diff --git a/client/src/containers/Authenticate/Login.js b/client/src/containers/Authenticate/Login.js
index d7b7d79a..421b1eef 100644
--- a/client/src/containers/Authenticate/Login.js
+++ b/client/src/containers/Authenticate/Login.js
@@ -13,7 +13,7 @@ class Login extends Component {
             <div className={classes.errorMessage}>{errorMessage}</div>
           </div>
         ) : null}
-        <Button onClick={onSignIn} variant="raised">
+        <Button onClick={onSignIn} variant="contained">
           Login with Google
         </Button>
       </div>
diff --git a/client/src/containers/Authenticate/Logout.js b/client/src/containers/Authenticate/Logout.js
index 4cca0cc2..b7c5d26d 100644
--- a/client/src/containers/Authenticate/Logout.js
+++ b/client/src/containers/Authenticate/Logout.js
@@ -6,7 +6,7 @@ import { Button } from '../../components/elements';
 const Logout = (props) => {
   return (
     <Button
-      variant="raised"
+      variant="contained"
       onClick={() => {
         props.onLogout();
         props.history.push('/');
diff --git a/client/src/containers/Authenticate/Profile.js b/client/src/containers/Authenticate/Profile.js
index a377de0c..ca3b8deb 100644
--- a/client/src/containers/Authenticate/Profile.js
+++ b/client/src/containers/Authenticate/Profile.js
@@ -1,5 +1,4 @@
 import React from 'react';
-import { CopyToClipboard } from 'react-copy-to-clipboard';
 import PropTypes from 'prop-types';
 import { withStyles } from '../../components/elements';
 
@@ -10,19 +9,7 @@ const Profile = (props) => {
       <span>ID: {props.id}</span>
       <br />
       <span>Email: {props.email}</span>
-      <span>
-        ID-token:{' '}
-        <div>
-          <textarea>{props.id_token}</textarea>
-          <br />
-          <CopyToClipboard text={props.id_token}>
-            <div>
-              <button>Copy to clipboard</button>
-            </div>
-          </CopyToClipboard>
-        </div>
-      </span>
-      <div className={props.classes.logout}>{props.children}</div>
+      <div className={props.classes.actions}>{props.children}</div>
     </div>
   );
 };
@@ -32,7 +19,6 @@ Profile.propTypes = {
   name: PropTypes.string.isRequired,
   email: PropTypes.string.isRequired,
   id: PropTypes.string.isRequired,
-  onLogout: PropTypes.func.isRequired,
   children: PropTypes.element,
 };
 
@@ -44,8 +30,8 @@ const styles = (theme) => ({
     justifyContent: 'center',
     alignItems: 'center',
   },
-  logout: {
-    margin: theme.spacing.unit * 6,
+  actions: {
+    margin: theme.spacing.unit * 4,
   },
 });
 
diff --git a/client/src/containers/Authenticate/TokenMgmt.js b/client/src/containers/Authenticate/TokenMgmt.js
new file mode 100644
index 00000000..4c856b9f
--- /dev/null
+++ b/client/src/containers/Authenticate/TokenMgmt.js
@@ -0,0 +1,171 @@
+import React, { useContext, useReducer, useEffect } from 'react';
+import { CopyToClipboard } from 'react-copy-to-clipboard';
+
+import { Button } from '../../components/elements';
+import AuthorizationContext from '../../containers/Authenticate/AuthorizationContext';
+import { useCallback } from 'react';
+
+const ACTION_STORE = 'STORE';
+const ACTION_REVOKE = 'REVOKE';
+const UPDATE_METADATA = 'UPDATE_METADATA';
+
+function tokenMetaDataReducer(state, action) {
+  let newState = { ...state };
+
+  switch (action.type) {
+    case UPDATE_METADATA:
+      console.log('Metadata update trigerred.');
+      newState = { ...action['payload'] };
+      break;
+    default:
+      console.log('Invalid action type detected:');
+      console.log(action.type);
+      throw new Error();
+  }
+
+  return newState;
+}
+
+function tokenReducer(state, action) {
+  const newState = { ...state };
+
+  switch (action.type) {
+    case ACTION_STORE:
+      newState['apiToken'] = action.payload;
+      break;
+    case ACTION_REVOKE:
+      newState['apiToken'] = null;
+      break;
+    default:
+      console.log('Invalid action type detected:');
+      console.log(action.type);
+      throw new Error();
+  }
+
+  return newState;
+}
+
+function TokenMgmt() {
+  const { authorizedFetch, user } = useContext(AuthorizationContext);
+
+  const [tokenState, dispatchTokenState] = useReducer(tokenReducer, {
+    apiToken: null,
+  });
+
+  const [tokenMetaDataState, dispatchTokenMetaData] = useReducer(
+    tokenMetaDataReducer,
+    {
+      'token-stored?': false,
+      'last-used': null,
+    }
+  );
+
+  const updateTokenMetadata = useCallback(
+    () => {
+      authorizedFetch('/api/auth/token-metadata', { method: 'GET' })
+        .then((response) => {
+          if (response.ok) {
+            return response.json();
+          } else {
+            console.log(
+              'Error while retrieving token metadata. Returned response: ',
+              response
+            );
+            throw new Error('Error while retrieving token metadata');
+          }
+        })
+        .then((data) => {
+          console.log('token-metadata result received:', data);
+
+          dispatchTokenMetaData({ type: UPDATE_METADATA, payload: data });
+        })
+        .catch((error) => {
+          console.log(
+            'Error caught on authorizedFetch for token-metadata:',
+            error
+          );
+        });
+    },
+    [authorizedFetch]
+  );
+
+  const noTokenInstructions =
+    'No stored ID token to display.\n' +
+    "Click the 'Store token' button below to store the current ID token and display it here.";
+  const newTokenInstructions =
+    'Stored tokens can not be retrieved for display after storage.\n' +
+    "Click the 'Store token' button below to store a new token (invalidating the current stored token) and display it here.";
+
+  function storeTokenHandler() {
+    console.log('storeTokenHandler triggered.');
+
+    authorizedFetch(`/api/auth/token`, {
+      method: 'POST',
+    }).then((response) => {
+      if (response.ok) {
+        dispatchTokenState({ type: ACTION_STORE, payload: user.id_token });
+      } else {
+        console.log('Error returned by /auth/token POST endpoint.');
+        throw new Error('API endpoint for token storage returned error.');
+      }
+    });
+  }
+
+  function revokeTokenHandler() {
+    console.log('revokeTokenHandler triggered.');
+
+    authorizedFetch(`/api/auth/token`, {
+      method: 'DELETE',
+    }).then((response) => {
+      if (response.ok) {
+        dispatchTokenState({ type: ACTION_REVOKE });
+      } else {
+        console.log('Error returned by /auth/token DELETE endpoint.');
+        throw new Error('API endpoint for token revoking returned error.');
+      }
+    });
+  }
+
+  useEffect(
+    () => {
+      updateTokenMetadata();
+    },
+    [tokenState, updateTokenMetadata]
+  );
+
+  return (
+    <div>
+      <span>
+        Token stored?: {tokenMetaDataState['token-stored?'] ? 'Yes' : 'No'}
+      </span>
+      <br />
+      <span>Token last used: {tokenMetaDataState['last-used'] || 'Never'}</span>
+      <br />
+      <textarea
+        disabled={true}
+        style={{ width: '100%', height: 65 }}
+        value={
+          tokenState.apiToken
+            ? tokenState.apiToken
+            : tokenMetaDataState['token-stored?']
+            ? newTokenInstructions
+            : noTokenInstructions
+        }
+      />
+      <CopyToClipboard text={tokenState.apiToken}>
+        <div>
+          <button>Copy to clipboard</button>
+        </div>
+      </CopyToClipboard>
+      <br />
+      <Button variant="contained" onClick={storeTokenHandler}>
+        Store token
+      </Button>
+      <Button variant="contained" onClick={revokeTokenHandler}>
+        Revoke token
+      </Button>
+    </div>
+  );
+}
+
+export default TokenMgmt;
diff --git a/client/src/containers/Authenticate/index.js b/client/src/containers/Authenticate/index.js
index c08279b7..076944ae 100644
--- a/client/src/containers/Authenticate/index.js
+++ b/client/src/containers/Authenticate/index.js
@@ -4,6 +4,7 @@ import Login from './Login';
 import Logout from './Logout';
 import Profile from './Profile';
 import ProfileButton from './ProfileButton';
+import TokenMgmt from './TokenMgmt';
 import AuthorizationContext, {
   DEFAULT_AUTHENTICATION_STATE,
 } from './AuthorizationContext';
@@ -76,7 +77,7 @@ export default function Authenticate({ children }) {
     var return_val;
 
     try {
-      return_val = fetch(`/api/identity`, {
+      return_val = fetch(`/api/auth/identity`, {
         headers: identityHeaders,
       }).then((response) => {
         if (response.ok) {
@@ -168,6 +169,7 @@ export {
   Login,
   Logout,
   Profile,
+  TokenMgmt,
   AuthorizationContext,
   useDataFetch,
 };
diff --git a/client/src/containers/Entity/ActivitiesCopy.js b/client/src/containers/Entity/ActivitiesCopy.js
index 7a1531be..d9c9ec3e 100644
--- a/client/src/containers/Entity/ActivitiesCopy.js
+++ b/client/src/containers/Entity/ActivitiesCopy.js
@@ -54,7 +54,7 @@ function ActivitiesCopy({ entityType, activities }) {
       <p>Need the {entityType} IDs in the Ontology Annotator (OA)?</p>
       <p>
         <Button
-          variant="raised"
+          variant="contained"
           color="primary"
           disabled={entriesToday.length === 0}
           onClick={handleCopy}
diff --git a/client/src/containers/Entity/EntityCreate.js b/client/src/containers/Entity/EntityCreate.js
index 4a129856..52e9c067 100644
--- a/client/src/containers/Entity/EntityCreate.js
+++ b/client/src/containers/Entity/EntityCreate.js
@@ -70,11 +70,11 @@ class EntityCreate extends Component {
                     </ErrorBoundary>
                   ) : null}
                   <div className={classes.actions}>
-                    <Button variant="raised" {...buttonResetProps}>
+                    <Button variant="contained" {...buttonResetProps}>
                       Reset
                     </Button>
                     <ProgressButton
-                      variant="raised"
+                      variant="contained"
                       color="secondary"
                       {...buttonSubmitProps}
                     >
diff --git a/client/src/containers/Entity/EntityDirectory.js b/client/src/containers/Entity/EntityDirectory.js
index e8523af6..61352b12 100644
--- a/client/src/containers/Entity/EntityDirectory.js
+++ b/client/src/containers/Entity/EntityDirectory.js
@@ -27,7 +27,7 @@ const EntityDirectory = (props) => {
           <div className={classes.root}>
             <div className={classes.header}>
               <Button
-                variant="raised"
+                variant="contained"
                 color="secondary"
                 component={({ ...props }) => (
                   <Link to={`/${entityType}/new`} {...props} />
diff --git a/client/src/containers/Entity/EntityDirectoryButton.js b/client/src/containers/Entity/EntityDirectoryButton.js
index 34490dfa..2fec3522 100644
--- a/client/src/containers/Entity/EntityDirectoryButton.js
+++ b/client/src/containers/Entity/EntityDirectoryButton.js
@@ -7,7 +7,7 @@ export default function EntityDirectoryButton(props) {
 
   return (
     <Button
-      variant="raised"
+      variant="contained"
       component={({ ...props }) => <Link to={`/${entityType}`} {...props} />}
     >
       Back to directory
diff --git a/client/src/containers/Entity/EntityNotFound.js b/client/src/containers/Entity/EntityNotFound.js
index db0542db..aa9e44cb 100644
--- a/client/src/containers/Entity/EntityNotFound.js
+++ b/client/src/containers/Entity/EntityNotFound.js
@@ -16,7 +16,7 @@ function EntityNotFound(props) {
         <div className={classes.operations}>
           <EntityDirectoryButton entityType={entityType} />
           <Button
-            variant="raised"
+            variant="contained"
             color="secondary"
             component={({ ...props }) => (
               <Link to={`/${entityType}/new`} {...props} />
diff --git a/client/src/containers/Entity/EntityProfile.js b/client/src/containers/Entity/EntityProfile.js
index 5cfd0345..da65c253 100644
--- a/client/src/containers/Entity/EntityProfile.js
+++ b/client/src/containers/Entity/EntityProfile.js
@@ -56,7 +56,7 @@ class EntityProfile extends Component {
           <Button
             {...getOperationProps(OPERATION_KILL)}
             wbVariant="danger"
-            variant="raised"
+            variant="contained"
           >
             Kill {entityType}
           </Button>
@@ -64,7 +64,7 @@ class EntityProfile extends Component {
           <Button
             {...getOperationProps(OPERATION_RESURRECT)}
             wbVariant="danger"
-            variant="raised"
+            variant="contained"
           >
             Resurrect {entityType}
           </Button>
@@ -162,7 +162,7 @@ class EntityProfile extends Component {
                   <Typography variant="headline" gutterBottom>
                     {entityType} <em>{wbId}</em>{' '}
                     <Button
-                      variant="raised"
+                      variant="contained"
                       color="primary"
                       {...buttonCopyProps}
                     />
@@ -188,11 +188,11 @@ class EntityProfile extends Component {
                         </ErrorBoundary>
                       ) : null}
                       <div className={classes.actions}>
-                        <Button variant="raised" {...buttonResetProps}>
+                        <Button variant="contained" {...buttonResetProps}>
                           Reset
                         </Button>
                         <ProgressButton
-                          variant="raised"
+                          variant="contained"
                           color="secondary"
                           {...buttonSubmitProps}
                         >
diff --git a/client/src/containers/Gene/GeneProfile.js b/client/src/containers/Gene/GeneProfile.js
index cf0c9307..fffdb43b 100644
--- a/client/src/containers/Gene/GeneProfile.js
+++ b/client/src/containers/Gene/GeneProfile.js
@@ -85,7 +85,7 @@ class GeneProfile extends Component {
               {!dead && (
                 <Button
                   {...getOperationProps(OPERATION_MERGE)}
-                  variant="raised"
+                  variant="contained"
                 >
                   Merge Gene
                 </Button>
@@ -93,7 +93,7 @@ class GeneProfile extends Component {
               {!dead && (
                 <Button
                   {...getOperationProps(OPERATION_SPLIT)}
-                  variant="raised"
+                  variant="contained"
                 >
                   Split Gene
                 </Button>
@@ -101,7 +101,7 @@ class GeneProfile extends Component {
               {live && (
                 <Button
                   {...getOperationProps(OPERATION_SUPPRESS)}
-                  variant="raised"
+                  variant="contained"
                 >
                   Suppress Gene
                 </Button>
@@ -110,7 +110,7 @@ class GeneProfile extends Component {
                 <Button
                   {...getOperationProps(OPERATION_KILL)}
                   wbVariant="danger"
-                  variant="raised"
+                  variant="contained"
                 >
                   Kill Gene
                 </Button>
@@ -119,7 +119,7 @@ class GeneProfile extends Component {
                 <Button
                   {...getOperationProps(OPERATION_RESURRECT)}
                   wbVariant="danger"
-                  variant="raised"
+                  variant="contained"
                 >
                   Resurrect Gene
                 </Button>
diff --git a/client/src/containers/Home/index.js b/client/src/containers/Home/index.js
index eae954a2..82b43f11 100644
--- a/client/src/containers/Home/index.js
+++ b/client/src/containers/Home/index.js
@@ -22,7 +22,7 @@ function Home({ classes }) {
               <div className={classes.cell}>
                 <MuiThemeProvider theme={theme}>
                   <Button
-                    variant="raised"
+                    variant="contained"
                     color="secondary"
                     component={({ ...props }) => (
                       <Link to={`${path}/new`} {...props} />
diff --git a/client/src/containers/Main/index.js b/client/src/containers/Main/index.js
index db8b934b..b059694c 100644
--- a/client/src/containers/Main/index.js
+++ b/client/src/containers/Main/index.js
@@ -15,6 +15,7 @@ import Header, { NavBar } from '../Header';
 import {
   AuthorizationContext,
   ProfileButton,
+  TokenMgmt,
   Login,
   Logout,
   Profile,
@@ -64,7 +65,11 @@ function Main({ classes }) {
                   component={() => (
                     <DocumentTitle title="Your profile">
                       <Profile {...user}>
-                        <Logout onLogout={handleLogout} />
+                        <>
+                          <TokenMgmt />
+                          <br />
+                          <Logout onLogout={handleLogout} />
+                        </>
                       </Profile>
                     </DocumentTitle>
                   )}
diff --git a/deps.edn b/deps.edn
index 270f590e..441a567d 100644
--- a/deps.edn
+++ b/deps.edn
@@ -6,46 +6,45 @@
              "clojars" {:url "https://repo.clojars.org/"}}
  :deps
  {org.clojure/clojure {:mvn/version "1.10.1"}
-  org.clojure/data.csv {:mvn/version "1.0.0"}
+  org.clojure/data.csv {:mvn/version "1.0.1"}
   org.clojure/tools.cli {:mvn/version "1.0.194"}
-  org.clojure/tools.logging {:mvn/version "1.1.0"}
-  clojure.java-time {:mvn/version "0.3.2"}
-  aero {:mvn/version "1.1.6"}
+  org.clojure/tools.logging {:mvn/version "1.2.4"}
+  clojure.java-time/clojure.java-time {:mvn/version "1.4.2"}
+  aero/aero {:mvn/version "1.1.6"}
   bk/ring-gzip {:mvn/version "0.3.0"}
-  buddy/buddy-auth {:mvn/version "2.2.0"}
-  buddy/buddy-sign {:mvn/version "3.1.0"}
-  com.taoensso/nippy {:mvn/version "2.14.0"}
-  cheshire {:mvn/version "5.10.0"}
+  buddy/buddy-auth {:mvn/version "3.0.323"}
+  buddy/buddy-hashers {:mvn/version "2.0.167"}
   danlentz/clj-uuid {:mvn/version "0.1.9"}
-  environ {:mvn/version "1.2.0"}
-  expound {:mvn/version "0.8.5"}
-  com.google.api-client/google-api-client {:mvn/version "1.30.9"}
+  environ/environ {:mvn/version "1.2.0"}
+  expound/expound {:mvn/version "0.9.0"}
+  com.google.api-client/google-api-client {:mvn/version "2.2.0"}
   metosin/compojure-api {:mvn/version "2.0.0-alpha30"
                          :exclusions [frankiesardo/linked]}
-  metosin/muuntaja {:mvn/version "0.6.7"}
+  metosin/muuntaja {:mvn/version "0.6.8"}
+  metosin/ring-http-response {:mvn/version "0.9.3"}
   ikitommi/linked {:mvn/version "1.3.1-alpha1"}
-  mount {:mvn/version "0.1.16"}
-  phrase {:mvn/version "0.3-alpha4"}
-  ring/ring-codec {:mvn/version "1.1.2"}
-  ring/ring-defaults {:mvn/version "0.3.2"}
-  ring/ring-jetty-adapter {:mvn/version "1.8.1"}
-  semantic-csv {:mvn/version "0.2.1-alpha1"}
+  mount/mount {:mvn/version "0.1.17"}
+  phrase/phrase {:mvn/version "0.3-alpha4"}
+  ring/ring-core {:mvn/version "1.9.4"}
+  ring/ring-codec {:mvn/version "1.2.0"}
+  ring/ring-defaults {:mvn/version "0.4.0"}
+  ring/ring-jetty-adapter {:mvn/version "1.10.0"}
+  semantic-csv/semantic-csv {:mvn/version "0.2.1-alpha1"}
   user-agent/user-agent {:mvn/version "0.1.1"}
-  com.taoensso/encore {:mvn/version "2.120.0"}
   magnetcoop/stork {:mvn/version "0.1.6"}}
  :aliases
  {:1.9 {:override-deps {org.clojure/clojure {:mvn/version "1.9.0"}}}
   :1.10 {:override-deps {org.clojure/clojure {:mvn/version "1.10.0"}}}
   :depstar {:extra-deps {seancorfield/depstar {:mvn/version "0.5.2"}}}
   :webassets {:extra-paths ["resources"]}
-  :artifact-name {:extra-deps {metav {:mvn/version "1.5.2"}}
+  :artifact-name {:extra-deps {metav/metav {:mvn/version "1.5.2"}}
                   :main-opts ["-m" "metav.display"]}
-  :release {:extra-deps {metav {:mvn/version "1.5.2"}}
+  :release {:extra-deps {metav/metav {:mvn/version "1.5.2"}}
             :main-opts ["-m" "metav.release" "--module-name-override" "wormbase-names"]}
   :event-broadcast
   {:extra-deps
    {com.draines/postal {:mvn/version "2.0.3"}
-    amazonica {:mvn/version "0.3.152"}}}
+    amazonica/amazonica {:mvn/version "0.3.152"}}}
   :prod
   {:extra-deps
    {wormbase/ids {:mvn/version "0.6.5"}}}
@@ -71,11 +70,11 @@
                               :exclusions [org.clojure/tools.reader]}
     javax.servlet/javax.servlet-api {:mvn/version "4.0.0"}
     ring/ring-devel {:mvn/version "1.6.3"}
-    metav {:mvn/version "1.5.2"}
-    peridot {:mvn/version "0.5.0"}
+    metav/metav {:mvn/version "1.5.2"}
+    peridot/peridot {:mvn/version "0.5.0"}
     vvvvalvalval/datomock {:mvn/version "0.2.2"}}
    :extra-paths ["ids/src" "export/src" "test"]}
-  :clj-kondo {:extra-deps {clj-kondo {:mvn/version "RELEASE"}}
+  :clj-kondo {:extra-deps {clj-kondo/clj-kondo {:mvn/version "2023.09.06"}}
               :main-opts ["-m" "clj-kondo.main"]}
   :export
   {:extra-paths ["export/src" "ids/src"]
@@ -95,12 +94,13 @@
                                     :exclusions
                                     [;; Exclude transitive dependencies on all other logging
                                      ;; implementations, including other SLF4J bridges.
-                                     commons-logging
-                                     log4j
+                                     commons-logging/commons-logging
+                                     log4j/log4j
                                      org.apache.logging.log4j/log4j
                                      org.slf4j/simple
                                      org.slf4j/slf4j-jcl
                                      org.slf4j/slf4j-nop
                                      org.slf4j/slf4j-log4j12
                                      org.slf4j/slf4j-log4j13]}
-    ch.qos.logback/logback-core {:mvn/version "1.1.7"}}}}}
+    ch.qos.logback/logback-core {:mvn/version "1.1.7"}
+    com.taoensso/timbre {:mvn/version "4.1.0"}}}}}
diff --git a/docs/Google-Auth.md b/docs/Google-Auth.md
index c18bf712..d25c218a 100644
--- a/docs/Google-Auth.md
+++ b/docs/Google-Auth.md
@@ -7,12 +7,21 @@ Log in to the name service website using your wormbase google email (ending on `
 
 # API Authorization token
 As authorization mechanism, the names service requires that either a temporary Google Auth Code
-(for exchange using the identity endpoint) or a valid id_token is passed in through the HTTP(S) request Authorization header
-sent to all API endpoints.
-To obtain a valid ID-token for calling the API, log in to the name service website with your personal account,
-browse to your profile page (`/me`) and copy the ID-token shown (by clicking the `copy to clipboard` button).
-
-The token should then be passed in the header as described below.
+(for exchange using the identity endpoint) or a valid ID token is passed in through
+the HTTP(S) request Authorization header sent to all API endpoints.
+By default, ID tokens expire after 1 hour. To obtain a token that will be valid longer than 1 hour,
+which can be used for calling the API in scripting:
+ 1. Log in to the name service website with your personal wormbase google account
+ 2. Browse to your profile page (`/me`).
+ 3. Click the `store token` button to store the current ID token as an API token,
+    and copy the token that shows up in the textbox above (by clicking the `copy to clipboard` button).
+    This API token will only be visible once upon storing it to the database, and not after refreshing the page or in any later sessions.
+ *  If you forgot your API token, or the token was potentially leaked, click the `store token` button again
+    to store and display a new token and invalidate the old one.
+ *  If you no longer need (direct) API access to the name service, click the `revoke token` button
+    to revoke the currently stored token without generating a new one.
+
+The token should then be passed in the header as described below for direct API access.
 For example; given a suitable JSON file for the payload,
 the _curl_ command below creates a number of genes via the names service batch API:
 
diff --git a/export/src/wormbase/names/export.clj b/export/src/wormbase/names/export.clj
index 96a80d06..33d72899 100644
--- a/export/src/wormbase/names/export.clj
+++ b/export/src/wormbase/names/export.clj
@@ -2,7 +2,6 @@
   (:require
    [clojure.java.io :as io]
    [clojure.data.csv :as cd-csv]
-   [clojure.set :as set]
    [clojure.string :as str]
    [clojure.tools.cli :as cli]
    [datomic.api :as d]
diff --git a/ids/src/wormbase/ids/batch.clj b/ids/src/wormbase/ids/batch.clj
index 7c1ee7e3..36500787 100644
--- a/ids/src/wormbase/ids/batch.clj
+++ b/ids/src/wormbase/ids/batch.clj
@@ -19,7 +19,7 @@
    [clojure.core :as cc]
    [clojure.set :as set]
    [datomic.api :as d]
-   [wormbase.ids.core :refer [attr-schema-unique? identifier-format]]))
+   [wormbase.ids.core :refer [identifier-format]]))
 
 (defn- assoc-prov
   "Attach an identifier to `prov` making this a mapping suitable for tracking provenance for a batch.
@@ -32,12 +32,6 @@
   (when tx-data
     (cons prov tx-data)))
 
-(defn db-error? [exc]
-  (some->> (ex-data exc)
-           (keys)
-           (filter (fn has-db-ns? [k]
-                     (#{"db" "db.error"} (namespace k))))))
-
 (defrecord BatchResult [tx-result errors])
 
 (defrecord BatchError [error-type exc])
diff --git a/ids/src/wormbase/ids/core.clj b/ids/src/wormbase/ids/core.clj
index 0331e075..fce32bea 100644
--- a/ids/src/wormbase/ids/core.clj
+++ b/ids/src/wormbase/ids/core.clj
@@ -9,7 +9,7 @@
   (try
     (let [s-attr (:db/unique (d/entity db attr))]
       (#{:db.unique/identity :db.unique/value} s-attr))
-    (catch IllegalArgumentException iae)))
+    (catch IllegalArgumentException _)))
 
 (defn entids->data [db m k v]
     (assoc m
diff --git a/resources/config.edn b/resources/config.edn
index dc10543b..2676b06d 100644
--- a/resources/config.edn
+++ b/resources/config.edn
@@ -1,5 +1,4 @@
-{:auth-token #include "secrets/wb-auth-token.edn"
- :recent {:days-back 60}
+{:recent {:days-back 60}
  :datomic
  {:internal-namespaces
   ["db" "db.alter" "db.install" "db.excise" "db.sys" "conformity" "fressian"]}
diff --git a/resources/schema/definitions.edn b/resources/schema/definitions.edn
index 6759711d..ce329c39 100644
--- a/resources/schema/definitions.edn
+++ b/resources/schema/definitions.edn
@@ -106,6 +106,18 @@
        :cardinality :db.cardinality/one
        :unique :db.unique/value
        :noHistory true}
+  #:db{:ident :person/auth-token-stored-at
+       :valueType :db.type/instant
+       :cardinality :db.cardinality/one
+       :doc "When the current auth-token was stored."}
+  #:db{:ident :person/auth-token-last-used
+       :valueType :db.type/instant
+       :cardinality :db.cardinality/one
+       :doc "When the stored auth-token was last used to access the API."}
+  #:db{:ident :person/last-activity
+       :valueType :db.type/instant
+       :cardinality :db.cardinality/one
+       :doc "When the user last showed any activity in the NS (through either API or web)."}
   #:db{:ident :person/name
        :valueType :db.type/string
        :cardinality :db.cardinality/one
diff --git a/resources/updates/7.0.x-datomic-DB-updates.clj b/resources/updates/7.0.x-datomic-DB-updates.clj
new file mode 100644
index 00000000..549a9f5e
--- /dev/null
+++ b/resources/updates/7.0.x-datomic-DB-updates.clj
@@ -0,0 +1,25 @@
+(require '[datomic.api :as d])
+
+;;Change uri as appropriate on deploying to different environments
+(def uri "datomic:ddb-local://localhost:8000/WBNames_local/wormbase")
+(def conn (d/connect uri))
+(def db (d/db conn))
+
+;; Drop all currently stored auth-tokens (invalidated by new code, so no longer usable)
+(d/transact conn (map (fn [entity] [:db/retract (first entity) :person/auth-token (second entity)]) (d/q '[:find ?e ?authtoken :where [?e :person/email ?email] [?e :person/name ?name] [?e :person/auth-token ?authtoken]] db)))
+
+;; Install new attributes for auth-token and account usage tracking
+(def new-attributes [#:db{:ident :person/auth-token-stored-at,
+                          :valueType :db.type/instant,
+                          :cardinality :db.cardinality/one,
+                          :doc "When the current auth-token was stored."}
+                     #:db{:ident :person/auth-token-last-used,
+                          :valueType :db.type/instant,
+                          :cardinality :db.cardinality/one,
+                          :doc "When the stored auth-token was last used to access the API."}
+                     #:db{:ident :person/last-activity,
+                          :valueType :db.type/instant,
+                          :cardinality :db.cardinality/one,
+                          :doc "When the user last showed any activity in the NS (through either API or web)."}])
+
+(d/transact conn new-attributes)
diff --git a/src/wormbase/names/auth.clj b/src/wormbase/names/auth.clj
index 355d79cc..e753c578 100644
--- a/src/wormbase/names/auth.clj
+++ b/src/wormbase/names/auth.clj
@@ -3,29 +3,30 @@
             [buddy.auth.accessrules :as baa]
             [buddy.auth.backends.token :as babt]
             [buddy.auth.middleware :as auth-mw]
-            [buddy.sign.compact :as bsc]
+            [buddy.hashers :as bhasher]
             [clojure.tools.logging :as log]
+            [clojure.string :as str]
             [clojure.walk :as w]
+            [compojure.api.sweet :as sweet]
             [datomic.api :as d]
             [environ.core :as environ]
             [ring.middleware.defaults :as rmd]
             [ring.util.http-response :as http-response]
+            [wormbase.specs.auth :as ws-auth]
+            [wormbase.names.util :as wnu]
             [wormbase.util :as wu])
   (:import (com.google.api.client.auth.oauth2 TokenResponseException)
            (com.google.api.client.googleapis.auth.oauth2 GoogleAuthorizationCodeTokenRequest GoogleIdToken GoogleIdTokenVerifier$Builder)
            (com.google.api.client.http.javanet NetHttpTransport)
-           (com.google.api.client.json.jackson2 JacksonFactory)))
+           (com.google.api.client.json.gson GsonFactory)))
 
 (def ^:private net-transport (NetHttpTransport.))
 
-(def ^:private json-factory (JacksonFactory.))
-
-(def ^:private app-conf (wu/read-app-config))
+(def ^:private json-factory (GsonFactory.))
 
 (def ^:private token-verifier (.. (GoogleIdTokenVerifier$Builder. net-transport
                                                                   json-factory)
-                                  (setAudience (->> (get environ/env :api-google-oauth-client-id)
-                                                    (apply list)))
+                                  (setAudience (list (get environ/env :api-google-oauth-client-id)))
                                   (build)))
 
 (defn google-auth-code-to-id-token
@@ -38,7 +39,6 @@
      (new GoogleAuthorizationCodeTokenRequest
           net-transport
           json-factory
-          "https://oauth2.googleapis.com/token"
           (get environ/env :api-google-oauth-client-id)
           (get environ/env :api-google-oauth-client-secret)
           authCode
@@ -49,71 +49,131 @@
     (catch Exception e
       (log/warn "Caught Exception during GoogleAuthorizationCodeTokenRequest construction & execution:" e))))
 
-(defn parse-token
-  "Parse provided Google ID token, returns a map containing the information associated with the token.
-   Returns nil if the token cannot be parsed as Google Auth code nor Google ID token."
-  [^String token]
-   (try
-     (some->> (GoogleIdToken/parse json-factory token)
-              (.getPayload)
-              (into {})
-              (w/keywordize-keys))
-     (catch IllegalArgumentException _
-       nil)))
+(defn parse-token-str
+  "Parse provided Google ID token string, returns a GoogleIdToken object.
+   Returns nil if the token string cannot be parsed as Google ID token."
+  ^GoogleIdToken
+  [^String token-str]
+  (if (not (or
+            (str/blank? token-str)
+            (= token-str "null")))
+    (try
+      (GoogleIdToken/parse json-factory token-str)
+      (catch java.io.IOException e
+        (log/warn "Caught invalid token-str. IOException:" e))
+      (catch Exception ex
+        (log/error "parse-token-str exception:" ex ". token-str provided:" token-str)))
+    nil))
+
+(defn get-id-token-payload
+  "Get the GoogleIdToken payload containing the information associated with the token
+   (from a GoogleIdToken object)."
+  [^GoogleIdToken token]
+  (try
+    (.getPayload token)
+    (catch IllegalArgumentException _
+      (log/error "Invalid googleIdToken object provided. getPayload method not found."))))
+
+(defn to-keywordized-map
+  "Convert an object into a keywordized map"
+  [object]
+  (some->> object
+           (into {})
+           (w/keywordize-keys)))
+
+(defn get-token-payload-map
+  "Parse a Google ID token string, return a keywordized map of the GoogleIdToken.payload"
+  [^String google-ID-token-str]
+  (some-> (parse-token-str google-ID-token-str)
+          (get-id-token-payload)
+          (to-keywordized-map)))
 
 (defn verify-token-gapi
-  "Return a truthy value if the token is valid."
-  [token]
-  (some->> (.verify token-verifier token)
-           (.getPayload)))
+  "Returns true if the token is valid."
+  [^String token]
+  (some-> (parse-token-str token)
+          (.verify token-verifier)))
 
 (defn verify-token
   "Verify the token via Google API(s).
   Returns a map containing the information held in the Google ID Token."
   [^String token]
-  (try
-    (when-let [gtoken (verify-token-gapi token)]
-      (when (and
-             gtoken
-             (= (.getHostedDomain gtoken) "wormbase.org")
-             (true? (.getEmailVerified gtoken)))
-        (w/keywordize-keys (into {} gtoken))))
-    (catch Exception exc
-      (log/error exc "Invalid token supplied"))))
+  (if (verify-token-gapi token)
+    (let [gtoken (some-> (parse-token-str token)
+                         (get-id-token-payload))]
+      (if (and gtoken
+               (= (.getHostedDomain gtoken) "wormbase.org")
+               (true? (.getEmailVerified gtoken)))
+        (to-keywordized-map gtoken)
+        (log/warn "Token failed domain verification (token must correspond to verified @wormbase.org email address).")))
+    (log/warn "Token failed google API verification.")))
 
 (defn query-person
-  "Query the database for a WormBase person, given the schema attribute
-  and token associated with authentication.
+  "Query the database for a WormBase person, given a unique schema attribute
+  and a unique value to match.
 
   Return a map containing the information about a person, omitting the auth token."
-  [db ident auth-token]
-  (let [person (d/pull db '[*] [ident auth-token])]
+  [db ident-attr ident-value]
+  (let [person (d/pull db '[*] [ident-attr ident-value])]
     (when (:db/id person)
       (dissoc person :person/auth-token))))
 
-(defn sign-token
-  "Sign a token using a key from the application configuration."
-  [auth-token-conf token]
-  (bsc/sign (str token) (:key auth-token-conf)))
+(defn derive-token-hash
+  "Return a hash derived from provided token for database storage."
+  [token]
+  (bhasher/derive (str token) {:alg :argon2id}))
+
+(defn matching-token-hash?
+  "Verify if a provided token matches a hashed token.
+   Returns true if token matches, false if not, nil on error."
+  [raw-token hashed-token]
+  (if (or
+       (str/blank? raw-token)
+       (= raw-token "null")
+       (str/blank? hashed-token)
+       (= hashed-token "null"))
+    false
+    (some->
+     (try
+       (bhasher/verify (str raw-token) (str hashed-token))
+       (catch clojure.lang.ExceptionInfo e
+         (log/error "Failed to verify token with stored hash." e)))
+     (:valid))))
 
 (defrecord Identification [id-token token-info person])
 
-(defn verified-person
-  "Return a person from the database having a matching stored token."
-  [db auth-token-conf parsed-token]
-  (let [email (:email parsed-token)]
-    (when-let [{stored-token :person/auth-token} (d/pull db
-                                                       '[:person/auth-token]
-                                                       [:person/email email])]
-
-      (when (try
-              (bsc/unsign stored-token (:key auth-token-conf)
-                          (select-keys auth-token-conf [:max-age]))
-              (catch Exception _
-                (log/debug "Failed to unsigned stored token"
-                           {:stored-token stored-token
-                            :key (:key auth-token-conf)})))
-        (query-person db :person/email email)))))
+(defn get-person-matching-token
+  "Returns a person from the database with:
+   * Matching email address
+   * Active profile state in DB
+   * A matching stored (signed) auth-token"
+  [conn db token-str email]
+
+  (when-let [person (d/pull db
+                            '[:person/auth-token :person/active?]
+                            [:person/email email])]
+    (when (and (:person/active? person)
+               (matching-token-hash? token-str (:person/auth-token person)))
+      ;;Update :person/auth-token-last-used attribute to indicate API token usage
+      (let [person (query-person db :person/email email)]
+        @(d/transact conn
+                     [[:db/add
+                       (:db/id person)
+                       :person/auth-token-last-used
+                       (wu/now)]])
+        person))))
+
+(defn successful-login
+  "Store the identification of a successful login
+   and store the login timestamp in the DB."
+  [conn identification]
+  (let [person (:person identification)]
+    @(d/transact conn
+                 [[:db/add
+                   (:db/id person)
+                   :person/last-activity
+                   (wu/now)]]))
+  (map->Identification identification))
 
 (defn identify
   "Identify the wormbase user associated with request based on token.
@@ -122,27 +182,36 @@
    Conditionally associates the authentication token with the user in the database.
    Return an Identification record."
   [request ^String token]
-  (let [auth-token-conf (:auth-token app-conf)
-        google-ID-token (or (google-auth-code-to-id-token token)
-                            token)
-        parsed-token (try
-                       (parse-token google-ID-token)
-                       (catch Exception ex
-                         (log/error ex "Malformed token")))
-        db (:db request)]
-    (when parsed-token
-      (if-let [person (verified-person db auth-token-conf parsed-token)]
-        (map->Identification {:id-token google-ID-token :token-info parsed-token :person person})
-        (when-let [tok (verify-token token)]
+  (let [google-ID-token-str (or (google-auth-code-to-id-token token)
+                                token)
+        parsed-token-map (get-token-payload-map google-ID-token-str)
+        email (some-> parsed-token-map
+                      (:email parsed-token-map))
+        db (:db request)
+        conn (:conn request)]
+    (log/debug "Initiating token-based identification.")
+    (if parsed-token-map
+      (if-let [person (get-person-matching-token conn db google-ID-token-str email)]
+        ;Verified person found matching token
+        (do
+          (log/debug "Verified person found with matching stored auth-code:" person)
+          (successful-login conn {:id-token google-ID-token-str :token-info parsed-token-map :person person}))
+        ;No verified person found matching token
+        (if-let [tok (verify-token google-ID-token-str)]
+          ;Provided token verified
           (if-let [person (query-person db :person/email (:email tok))]
-            (let [auth-token (sign-token auth-token-conf tok)]
-              @(d/transact-async (:conn request)
-                                 [[:db/add
-                                   (:db/id person)
-                                   :person/auth-token
-                                   auth-token]])
-              (map->Identification {:id-token google-ID-token :token-info parsed-token :person person}))
-            (log/warn "NO PERSON FOUND IN DB:" tok)))))))
+            ;Person found matching verified token
+            (do
+              (log/debug "No verified person found based on stored auth-code,
+                          but token verified as valid. Person matching verified token: " person)
+              (successful-login conn {:id-token google-ID-token-str :token-info parsed-token-map :person person}))
+            ;No person found matching verified token
+            (log/warn "No person found in db for verified token:" tok))
+          ;Provided token fails to verify
+          (log/warn "Unverified (or expired) token received (and token did not match stored auth-code of any verified person).")))
+      (when (not (or (str/blank? google-ID-token-str)
+                     (= google-ID-token-str "null")))
+        (log/warn "Received token failed to parse." )))))
 
 (def backend (babt/token-backend {:authfn identify}))
 
@@ -173,4 +242,93 @@
 
 (def restrict-to-authenticated (restrict-access auth/authenticated?))
 
+;; Endpoint handlers
+(defn get-identity [request]
+  (let [identity (wnu/unqualify-keys (-> request :identity) "identity")
+        person (wnu/unqualify-keys (:person identity) "person")
+        id-token (:id-token identity)
+        token-info (:token-info identity)]
+    (http-response/ok {:person person
+                       :id-token id-token
+                       :token-info token-info})))
+
+(defn store-auth-token [request]
+  (if-let [signed-auth-token (some->
+                              (wnu/unqualify-keys (-> request :identity) "identity")
+                              (:id-token)
+                              (derive-token-hash))]
+    (let [person (-> (wnu/unqualify-keys (-> request :identity) "identity")
+                     (:person))]
+      (log/debug "Storing new auth-token for user" (:person/email person))
+      @(d/transact (:conn request)
+                   [[:db/add
+                     (:db/id person)
+                     :person/auth-token
+                     signed-auth-token]
+                    [:db/add
+                     (:db/id person)
+                     :person/auth-token-stored-at
+                     (wu/now)]])
+      (http-response/ok))
+    (http-response/internal-server-error)))
+
+(defn delete-auth-token [request]
+  (let [person (-> (wnu/unqualify-keys (-> request :identity) "identity")
+                   (:person))]
+    (log/debug "Revoking stored auth-token for user" (:person/email person))
+    @(d/transact (:conn request)
+                 [[:db/retract
+                   (:db/id person)
+                   :person/auth-token]
+                  [:db/retract
+                   (:db/id person)
+                   :person/auth-token-stored-at]
+                  [:db/retract
+                   (:db/id person)
+                   :person/auth-token-last-used]])
+    (http-response/ok)))
+
+(defn get-token-metadata [request]
+  (let [person (-> (wnu/unqualify-keys (-> request :identity) "identity")
+                   (:person)
+                   (wnu/unqualify-keys "person"))
+        token-last-used (:auth-token-last-used person)
+        _ (log/debug "token-last-used:" token-last-used)
+        token-stored? (not (nil? (:auth-token-stored-at person)))
+        _ (log/debug "token-stored?:" token-stored?)]
+    (http-response/ok {:token-stored? token-stored?
+                       :last-used token-last-used})))
 
+;; API endpoints
+(def routes
+  (sweet/routes
+   (sweet/context "/auth" []
+     :tags ["authentication"]
+     (sweet/context "/identity" []
+       :tags ["authentication" "identity"]
+       (sweet/resource
+        {:get
+         {:summary "Get the identity for the authenticated and authorized user making the request."
+          :x-name ::get-identity
+          :responses (wnu/http-responses-for-read {:schema ::ws-auth/identity-response})
+          :handler get-identity}}))
+     (sweet/context "/token" []
+       :tags ["authentication"]
+       (sweet/resource
+        {:post
+         {:summary "Store the current ID token for future scripting usage. This will invalidate the previously stored token."
+          :responses (wnu/response-map http-response/ok {:schema ::ws-auth/empty-response})
+          :handler store-auth-token}
+         :delete
+         {:summary "Delete the stored token, invalidating it for future use."
+          :responses (wnu/response-map http-response/ok {:schema ::ws-auth/empty-response})
+          :handler delete-auth-token}}))
+     (sweet/context "/token-metadata" []
+       :tags ["authentication"]
+       (sweet/resource
+        {:get
+         {:summary "Get token metadata such as token storage state (yes/no) and usage."
+          :x-name ::get-token-metadata
+          :responses (wnu/http-responses-for-read {:schema ::ws-auth/token-metadata-response})
+          :handler get-token-metadata}}))
+     )))
diff --git a/src/wormbase/names/batch/generic.clj b/src/wormbase/names/batch/generic.clj
index f69da5ea..1a53118c 100644
--- a/src/wormbase/names/batch/generic.clj
+++ b/src/wormbase/names/batch/generic.clj
@@ -4,7 +4,7 @@
    [compojure.api.sweet :as sweet]
    [clj-uuid :as uuid]
    [datomic.api :as d]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [ring.util.http-response :refer [bad-request created not-found! not-modified ok]]
    [spec-tools.spec :as sts]
    [wormbase.db :as wdb]
diff --git a/src/wormbase/names/identity.clj b/src/wormbase/names/identity.clj
deleted file mode 100644
index 884d3161..00000000
--- a/src/wormbase/names/identity.clj
+++ /dev/null
@@ -1,27 +0,0 @@
-(ns wormbase.names.identity
-  (:require
-   [compojure.api.sweet :as sweet]
-   [ring.util.http-response :refer [ok]]
-   [wormbase.specs.identity :as wsident]
-   [wormbase.names.util :as wnu]))
-
-(defn get-identity [request]
-  (let [identity (wnu/unqualify-keys (-> request :identity) "identity")
-        person (wnu/unqualify-keys (:person identity) "person")
-        id-token (:id-token identity)
-        token-info (:token-info identity)]
-    (ok {:person person
-         :id-token id-token
-         :token-info token-info} )))
-
-
-(def routes
-  (sweet/routes
-   (sweet/context "/identity" []
-     :tags ["identity"]
-     (sweet/resource
-      {:get
-       {:summary "Get the identity for the authenticated and authorized user making the request."
-        :x-name ::get-identity
-        :responses (wnu/http-responses-for-read {:schema ::wsident/identity-response})
-        :handler get-identity}}))))
diff --git a/src/wormbase/names/importers/processing.clj b/src/wormbase/names/importers/processing.clj
index f5fe65d7..cfc5f1a3 100644
--- a/src/wormbase/names/importers/processing.clj
+++ b/src/wormbase/names/importers/processing.clj
@@ -7,7 +7,7 @@
    [clojure.string :as str]
    [datomic.api :as d]
    [environ.core :as environ]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [semantic-csv.core :as sc]
    [wormbase.names.auth :as wna]
    [wormbase.specs.entity :as wse]
@@ -130,7 +130,7 @@
       (jt/zoned-date-time tz)
       (jt/with-zone-same-instant tz)
       (jt/instant)
-      (jt/to-java-date)))
+      (jt/java-date)))
 
 (defn check-environ! []
   (when-not (environ/env :token)
diff --git a/src/wormbase/names/provenance.clj b/src/wormbase/names/provenance.clj
index 0e75c499..1d4b7642 100644
--- a/src/wormbase/names/provenance.clj
+++ b/src/wormbase/names/provenance.clj
@@ -3,7 +3,7 @@
             [clojure.spec.alpha :as s]
             [clojure.string :as str]
             [datomic.api :as d]
-            [java-time :as jt]
+            [java-time.api :as jt]
             [wormbase.db :as wdb]
             [wormbase.names.agent :as wna]
             [wormbase.names.util :as wnu]
@@ -47,7 +47,7 @@
         whence (-> (get prov :provenance/when (jt/instant))
                    (jt/zoned-date-time tz)
                    (jt/with-zone-same-instant tz)
-                   (jt/to-java-date))
+                   (jt/java-date))
         how (-> request :headers wna/identify)
         why (:provenance/why prov)
         prov {:db/id "datomic.tx"
diff --git a/src/wormbase/names/recent.clj b/src/wormbase/names/recent.clj
index 729fe3ea..cefcd785 100644
--- a/src/wormbase/names/recent.clj
+++ b/src/wormbase/names/recent.clj
@@ -2,7 +2,7 @@
   (:require
    [compojure.api.sweet :as sweet]
    [datomic.api :as d]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [ring.util.http-response :refer [ok]]
    [wormbase.names.provenance :as wnp]
    [wormbase.names.util :as wnu]
@@ -10,8 +10,6 @@
    [wormbase.util :as wu])
   (:import (java.util Date)))
 
-(def conf (:recent (wu/read-app-config)))
-
 (defn- find-max-imported-date [db]
   (let [max-tx-inst (d/q '[:find (max ?inst) .
                            :where
@@ -23,7 +21,7 @@
                    (jt/instant))]
     (-> max-date
         (jt/plus (jt/seconds 1))
-        (jt/to-java-date))))
+        (jt/java-date))))
 
 (def imported-date (memoize find-max-imported-date))
 
@@ -45,7 +43,7 @@
          from-t (if (and from (>= (compare from import-date) 0))
                   from
                   import-date)
-         until-t (or until (jt/to-java-date (jt/instant)))]
+         until-t (or until (jt/java-date (jt/instant)))]
      ;; Timings for the `tx-ids` query below with default configured time window (60 days)
      ;; (excluding pull expressions)
      ;; jvm (cold): 107.266427 msecs
@@ -108,8 +106,6 @@
 (def batch-rules '[[(filter-events ?tx ?needle)
                     [?tx :batch/id _ _ ]]])
 
-(def response-schema (wnu/response-map ok {:schema {:activities ::wsr/activities}}))
-
 (defn handle
   ([request rules puller needle from until]
    (handle request rules puller needle from until #{:agent/console :agent/web}))
@@ -117,7 +113,7 @@
    (let [{conn :conn db :db} request
          log (d/log conn)
          from* (or from (wu/days-ago wsr/*default-days-ago*))
-         until* (or until (jt/to-java-date (jt/instant)))
+         until* (or until (jt/java-date (jt/instant)))
          items (activities db log rules puller (or needle "") how from* until*)
          etag (some-> items first :t wnu/encode-etag)]
      (some-> {:from from* :until until*}
@@ -179,7 +175,7 @@
   (binding [db (d/db conn) log (d/log conn)
             pull-prov-only (prov-only-puller db log)
             pull-changes-and-prov (changes-and-prov-puller db log)
-            from (jt/to-java-date (jt/instant))
+            from (jt/java-date (jt/instant))
             until (wu/days-ago 2)]
     (activities db log entity-rules pull-changes-and-prov "gene")
     (activities db log entity-rules-rules pull-changes-and-prov "gene" from until)
diff --git a/src/wormbase/names/service.clj b/src/wormbase/names/service.clj
index dd4d4da6..79bd9c15 100644
--- a/src/wormbase/names/service.clj
+++ b/src/wormbase/names/service.clj
@@ -7,13 +7,12 @@
    [muuntaja.middleware :as mmw]
    [wormbase.db :as wdb]
    [wormbase.db.schema :as wdbs]
-   [wormbase.names.auth :as wna]
+   [wormbase.names.auth :as wn-auth]
    [wormbase.names.batch :as wn-batch]
    [wormbase.names.coercion] ;; coercion scheme
    [wormbase.names.entity :as wne]
    [wormbase.names.errhandlers :as wn-eh]
    [wormbase.names.gene :as wn-gene]
-   [wormbase.names.identity :as wn-identity]
    [wormbase.names.person :as wn-person]
    [wormbase.names.recent :as wn-recent]
    [wormbase.names.response-formats :as wnrf]
@@ -24,7 +23,8 @@
    [ring.middleware.gzip :as ring-gzip]
    [ring.middleware.not-modified :as rmnm]
    [ring.middleware.resource :as ring-resource]
-   [ring.util.http-response :as http-response]))
+   [ring.util.http-response :as http-response]
+   [ring.util.response :as ring-response]))
 
 (defn- wrap-not-found
   "Fallback 404 handler."
@@ -37,9 +37,9 @@
         (http-response/not-found {:message "Resource not found (fallback)"})
 
         :else
-        (-> (http-response/resource-response "client_build/index.html")
-            (http-response/content-type "text/html")
-            (http-response/status 200))))))
+        (-> (ring-response/resource-response "client_build/index.html")
+            (ring-response/content-type "text/html")
+            (ring-response/status 200))))))
 
 (def ^:private swagger-validator-url
   "The URL used to validate the swagger JSON produced by the application."
@@ -83,7 +83,7 @@
     :exceptions {:handlers wn-eh/handlers}
     :middleware [wrap-static-resources
                  wdb/wrap-datomic
-                 wna/wrap-auth
+                 wn-auth/wrap-auth
                  mmw/wrap-format
                  rmnm/wrap-not-modified
                  wrap-not-found
@@ -91,10 +91,10 @@
     :swagger swagger-ui}
    (sweet/context "" []
      (sweet/context "/api" []
-       :middleware [wna/restrict-to-authenticated]
+       :middleware [wn-auth/restrict-to-authenticated]
+       wn-auth/routes
        wn-species/routes
        wn-gene/routes
-       wn-identity/routes
        wn-person/routes
        wn-recent/routes
        wn-batch/routes
diff --git a/src/wormbase/names/stats.clj b/src/wormbase/names/stats.clj
index f47fea8d..81ac2f42 100644
--- a/src/wormbase/names/stats.clj
+++ b/src/wormbase/names/stats.clj
@@ -3,7 +3,6 @@
    [clojure.walk :as w]
    [compojure.api.sweet :as sweet]
    [datomic.api :as d]
-   [ring.middleware.not-modified :as rmnm]
    [ring.util.http-response :refer [ok]]
    [wormbase.names.util :as wnu]
    [wormbase.specs.stats :as wsst]))
@@ -29,14 +28,11 @@
          (w/stringify-keys))))
 
 (defn handle-summary [request]
-  (let [etag (some-> request :db d/basis-t wnu/encode-etag)]
-    (-> (summary request)
-        (ok)
-        (wnu/add-etag-header-maybe etag))))
+  (-> (summary request)
+      (ok)))
 
 (def routes (sweet/routes
              (sweet/context "/stats" []
-               :middleware [rmnm/wrap-not-modified]
                :tags ["stats"]
                (sweet/resource
                 {:get
diff --git a/src/wormbase/names/util.clj b/src/wormbase/names/util.clj
index d7ce2d91..2e3d7d75 100644
--- a/src/wormbase/names/util.clj
+++ b/src/wormbase/names/util.clj
@@ -6,20 +6,15 @@
    [clojure.string :as str]
    [clojure.walk :as w]
    [buddy.core.codecs :as codecs]
-   [buddy.core.codecs.base64 :as b64]
    [datomic.api :as d]
    [expound.alpha :refer [expound-str]]
    [phrase.alpha :as ph]
-   [ring.util.http-response :refer [bad-request conflict header not-found not-modified ok]]
+   [ring.util.http-response :refer [bad-request conflict not-found not-modified ok]]
+   [ring.util.response :refer [header]]
    [wormbase.db :as wdb]
    [wormbase.specs.common :as wsc]
    [wormbase.specs.validation :as wsv]))
 
-(defn- nsify [domain kw]
-  (if (namespace kw)
-    kw
-    (keyword domain (name kw))))
-
 ;; trunc and datom-table taken from day-of-datomic repo (congnitect).
 
 (defn trunc
@@ -143,7 +138,7 @@
             bid)))
 
 (defn encode-etag [latest-t]
-  (some-> latest-t str b64/encode codecs/bytes->str))
+  (some-> latest-t codecs/long->bytes codecs/bytes->b64 codecs/bytes->str))
 
 (defn add-etag-header-maybe [response etag]
   (if (seq etag)
diff --git a/src/wormbase/specs/identity.clj b/src/wormbase/specs/auth.clj
similarity index 64%
rename from src/wormbase/specs/identity.clj
rename to src/wormbase/specs/auth.clj
index 4dfecb78..7765d8f7 100644
--- a/src/wormbase/specs/identity.clj
+++ b/src/wormbase/specs/auth.clj
@@ -1,4 +1,4 @@
-(ns wormbase.specs.identity
+(ns wormbase.specs.auth
   (:require
    [clojure.spec.alpha :as s]
    [spec-tools.core :as stc]
@@ -35,3 +35,19 @@
 
 (s/def ::identity-response (stc/spec {:spec (s/keys :req-un [::id-token ::token-info ::person])
                                       :swagger/example example-identity}))
+
+(s/def ::token-stored? (stc/spec {:spec sts/boolean?
+                                  :swagger/example false
+                                  :description "Boolean indicating whether or not a token is currently stored for a person."}))
+
+(s/def ::last-used (stc/spec {:spec (s/nilable sts/inst?)
+                              :swagger/example "2023-12-19T14:11:34Z"
+                              :description "Datestring indicating when a token was last used to access the name service."}))
+
+(def example-token-metadata {:token-stored? true
+                             :last-used "2023-12-19T14:11:34Z"})
+
+(s/def ::token-metadata-response (stc/spec {:spec (s/keys :req-un [::token-stored? ::last-used])
+                                            :swagger/example example-token-metadata}))
+
+(s/def ::empty-response (stc/spec {:spec (s/cat)}))
diff --git a/src/wormbase/specs/provenance.clj b/src/wormbase/specs/provenance.clj
index 47b3106f..c6bdb38b 100644
--- a/src/wormbase/specs/provenance.clj
+++ b/src/wormbase/specs/provenance.clj
@@ -2,7 +2,7 @@
   (:require
    [clojure.spec.alpha :as s]
    [clojure.string :as str]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [spec-tools.core :as stc]
    [spec-tools.spec :as sts]
    [wormbase.specs.person] ;; side effecting: to bring in specs
diff --git a/src/wormbase/specs/recent.clj b/src/wormbase/specs/recent.clj
index 79f655ce..bbb3ca27 100644
--- a/src/wormbase/specs/recent.clj
+++ b/src/wormbase/specs/recent.clj
@@ -2,7 +2,7 @@
   (:require
    [clojure.spec.alpha :as s]
    [clojure.string :as str]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [spec-tools.spec :as sts]
    [spec-tools.core :as stc]
    [wormbase.util :as wu]
diff --git a/src/wormbase/util.clj b/src/wormbase/util.clj
index fe6d38ca..f0008636 100644
--- a/src/wormbase/util.clj
+++ b/src/wormbase/util.clj
@@ -5,7 +5,7 @@
    [clojure.string :as str]
    [clojure.walk :as w]
    [aero.core :as aero]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [wormbase.ids.core :as wic])
   (:import
    (java.io File PushbackReader)
@@ -49,7 +49,7 @@
 (defn days-ago [n]
   (-> (jt/instant)
       (jt/minus (jt/days n))
-      (jt/to-java-date)))
+      (jt/java-date)))
 
 (defn format-java-date [dt & {:keys [tz fmt]
                               :or {tz (jt/zone-id)
@@ -73,7 +73,7 @@
   ([tz]
    (-> (jt/instant)
        (jt/zoned-date-time (jt/zone-id tz))
-       (jt/to-java-date)))
+       (jt/java-date)))
   ([]
    (now "UTC")))
 
diff --git a/test-system/deps.edn b/test-system/deps.edn
index e78e255d..4af79c44 100644
--- a/test-system/deps.edn
+++ b/test-system/deps.edn
@@ -1,12 +1,12 @@
 {:paths ["src"]
  :deps {org.clojure/clojure {:mvn/version "1.10.1"}
         org.clojure/tools.cli {:mvn/version "1.0.194"}
-        amazonica {:mvn/version "0.3.152"}
-        clojure.java-time {:mvn/version "0.3.2"}}
+        amazonica/amazonica {:mvn/version "0.3.152"}
+        clojure.java-time/clojure.java-time {:mvn/version "1.4.2"}}
  :aliases
  {:test {:extra-paths ["test"]
          :extra-deps {org.clojure/test.check {:mvn/version "1.0.0"}}}
-  :clj-kondo {:extra-deps {clj-kondo {:mvn/version "RELEASE"}}
+  :clj-kondo {:extra-deps {clj-kondo/clj-kondo {:mvn/version "2023.09.06"}}
               :main-opts ["-m" "clj-kondo.main"]}
   :runner
   {:extra-deps {com.cognitect/test-runner
diff --git a/test-system/src/wormbase/names/test_system.clj b/test-system/src/wormbase/names/test_system.clj
index 0f48fbcb..6d8eb585 100644
--- a/test-system/src/wormbase/names/test_system.clj
+++ b/test-system/src/wormbase/names/test_system.clj
@@ -6,7 +6,7 @@
    [amazonica.aws.dynamodbv2 :as ddb]
    [amazonica.aws.elasticbeanstalk :as eb]
    [amazonica.aws.securitytoken :as st]
-   [java-time :as jt]))
+   [java-time.api :as jt]))
 
 (def operator-iam-spec
   {:role-arn "arn:aws:iam::357210185381:role/wb-names-test-system-operator"
diff --git a/test/integration/merge_genes_test.clj b/test/integration/merge_genes_test.clj
index 9d2de2be..44645048 100644
--- a/test/integration/merge_genes_test.clj
+++ b/test/integration/merge_genes_test.clj
@@ -2,7 +2,7 @@
   (:require
    [clojure.test :as t]
    [datomic.api :as d]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [ring.util.http-predicates :as ru-hp]
    [wormbase.constdata :refer [elegans-ln]]
    [wormbase.db :as wdb]
diff --git a/test/integration/service_test.clj b/test/integration/service_test.clj
index 52634912..dcba78d8 100644
--- a/test/integration/service_test.clj
+++ b/test/integration/service_test.clj
@@ -2,7 +2,7 @@
   (:require
    [clojure.test :as t]
    [ring.util.http-predicates :as ru-hp]
-   [ring.util.http-response :as http-response]
+   [ring.util.response :as ring-response]
    [wormbase.db-testing :as db-testing]
    [wormbase.fake-auth]
    [wormbase.names.service :as service]))
@@ -19,5 +19,5 @@
                      :request-method :get})]
       (t/is (not (nil? response)))
       (t/is (ru-hp/ok? response))
-      (t/is (http-response/get-header response "content-type") "text/html"))))
+      (t/is (ring-response/get-header response "content-type") "text/html"))))
 
diff --git a/test/integration/stats_test.clj b/test/integration/stats_test.clj
index d98e891b..15e2a06e 100644
--- a/test/integration/stats_test.clj
+++ b/test/integration/stats_test.clj
@@ -16,11 +16,6 @@
 
 (t/deftest test-summary
   (t/testing "Stats summary renders with ok response on first access."
-    (let [response (stats-summary)
-          etag (get-in response [:headers "etag"])]
+    (let [response (stats-summary)]
       (t/is (ru-hp/ok? response))
-      (t/is (set/subset? #{:gene :variation :sequence-feature} (:body response)))
-      (t/testing "Status summary renders a not-modified response when nothing has changed."
-        (let [extra-headers {"if-none-match" etag}
-              response2 (stats-summary extra-headers)]
-          (t/is (ru-hp/not-modified? response2)))))))
+      (t/is (set/subset? #{:gene :variation :sequence-feature} (:body response))))))
diff --git a/test/wormbase/api_test_client.clj b/test/wormbase/api_test_client.clj
index 79659b53..e7b7a178 100644
--- a/test/wormbase/api_test_client.clj
+++ b/test/wormbase/api_test_client.clj
@@ -55,19 +55,23 @@
   (send-request entity-kind :put data :sub-path identifier :current-user current-user :extra-headers extra-headers))
 
 (defn summary
-  [entity-kind identifier & {:keys [params extra-headers]
+  [entity-kind identifier & {:keys [params extra-headers current-user]
                              :or {params {}
-                                  extra-headers nil}}]
-  (let [headers (merge {"content-type" "application/json"
-                        "authorization" "Token FAKED"}
-                       extra-headers)
-        path (str "/api/" entity-kind (and identifier (str "/" identifier)))]
-    (parsed-response
-     (tu/get*
-      service/app
-      path
-      params
-      headers))))
+                                  extra-headers nil
+                                  current-user default-user}}]
+  (binding [fake-auth/*gapi-verify-token-response* (make-auth-payload
+                                                     :current-user
+                                                     current-user)]
+     (let [headers (merge {"content-type" "application/json"
+                           "authorization" "Token FAKED"}
+                          extra-headers)
+           path (str "/api/" entity-kind (and identifier (str "/" identifier)))]
+       (parsed-response
+        (tu/get*
+         service/app
+         path
+         params
+         headers)))))
 
 (defn delete
   [entity-kind path & {:keys [current-user payload extra-headers]
diff --git a/test/wormbase/db_testing.clj b/test/wormbase/db_testing.clj
index 16df5cc1..2e545f83 100644
--- a/test/wormbase/db_testing.clj
+++ b/test/wormbase/db_testing.clj
@@ -3,12 +3,10 @@
    [clojure.core.cache :as cache]
    [datomock.core :as dm]
    [datomic.api :as d]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [mount.core :as mount]
    [wormbase.db :as wdb]
-   [wormbase.db.schema :as schema]
-   [wormbase.names.auth :as wna]
-   [wormbase.util :as wu]))
+   [wormbase.db.schema :as schema]))
 
 ;;; fixture caching and general approach taken verbatim from:
 ;;; https://vvvvalvalval.github.io/posts/2016-07-24-datomic-web-app-a-practical-guide.html
@@ -19,12 +17,7 @@
     (schema/ensure-schema conn)
     ;; A set of fake users
     @(d/transact-async conn [{:person/email "tester@wormbase.org"
-                              :person/id "WBPerson007"
-                              :person/auth-token (wna/sign-token
-                                                  (-> (wu/read-app-config)
-                                                      :auth-token)
-                                                  {"email" "tester@wormbase.org"
-                                                   "hd" "wormbase.org"})}
+                              :person/id "WBPerson007"}
                              {:person/email "tester2@wormbase.org"}
                              {:person/email "tester3@wormbase.org"}
                              {:db/ident :event/test-fixture-assertion}])
diff --git a/test/wormbase/fake_auth.clj b/test/wormbase/fake_auth.clj
index cf492227..5ce5cc09 100644
--- a/test/wormbase/fake_auth.clj
+++ b/test/wormbase/fake_auth.clj
@@ -34,21 +34,23 @@
     pl))
 
 (alter-var-root
- (var wn-auth/verify-token-gapi)
+ (var wn-auth/verify-token)
  (fn fake-google-api-verify-token [_]
-   (fn verify-token-pretend [_]
-     (log/debug "NOTICE: Faking verifying token with Google API")
+   (fn [_]
+     (log/debug "NOTICE: Faking wn-auth/verify-token (verifying token with Google API)")
      (when-not (nil? *gapi-verify-token-response*)
        (doseq [[k v] defaults]
          (when-not (get *gapi-verify-token-response* k)
            (.set *gapi-verify-token-response* k v)))
-       *gapi-verify-token-response*))))
+       (some->> *gapi-verify-token-response*
+                (into {})
+                (w/keywordize-keys))))))
 
 (alter-var-root
- (var wn-auth/parse-token)
- (fn fake-parse-token [_]
+ (var wn-auth/get-token-payload-map)
+ (fn fake-get-token-payload-map [_]
    (fn [_]
-     (log/debug "NOTICE: faking wna/parse-token")
+     (log/debug "NOTICE: faking wna-auth/get-token-payload-map")
      (merge
       (w/keywordize-keys defaults)
       (some->> *gapi-verify-token-response*
diff --git a/test/wormbase/gen_specs/person.clj b/test/wormbase/gen_specs/person.clj
index 4f3fc667..7f25c2f7 100644
--- a/test/wormbase/gen_specs/person.clj
+++ b/test/wormbase/gen_specs/person.clj
@@ -2,7 +2,6 @@
   (:require
    [clojure.spec.alpha :as s]
    [miner.strgen :as sg]
-   [wormbase.gen-specs.util :as util]
    [wormbase.specs.person :as wsp]))
 
 (def email (sg/string-generator wsp/email-regexp))
diff --git a/test/wormbase/test_utils.clj b/test/wormbase/test_utils.clj
index d5485a73..5d9852ef 100644
--- a/test/wormbase/test_utils.clj
+++ b/test/wormbase/test_utils.clj
@@ -6,7 +6,7 @@
    [clojure.tools.logging :as log]
    [compojure.api.routes :as routes]
    [datomic.api :as d]
-   [java-time :as jt]
+   [java-time.api :as jt]
    [muuntaja.core :as muuntaja]
    [peridot.core :as p]
    [wormbase.constdata :refer [elegans-ln]]
@@ -238,7 +238,7 @@
 (defn provenance
   [_ & {:keys [how what whence why person _ batch-id]
         :or {how :agent/console
-             whence (jt/to-java-date (jt/instant))
+             whence (jt/java-date (jt/instant))
              what :event/test-fixture-assertion
              person [:person/email "tester@wormbase.org"]}}]
   (merge {:db/id "datomic.tx"