diff --git a/binaries/geph5-client/src/client_inner.rs b/binaries/geph5-client/src/client_inner.rs index cd2bd1d..38acba6 100644 --- a/binaries/geph5-client/src/client_inner.rs +++ b/binaries/geph5-client/src/client_inner.rs @@ -61,7 +61,7 @@ static CONN_REQ_CHAN: CtxField<( static COUNTER: AtomicU64 = AtomicU64::new(0); -static CONCURRENCY: usize = 6; +static CONCURRENCY: usize = 1; #[tracing::instrument(skip_all, fields(instance=COUNTER.fetch_add(1, Ordering::Relaxed)))] pub async fn client_once(ctx: AnyCtx) -> anyhow::Result<()> { @@ -218,8 +218,10 @@ async fn client_auth( crypt_hello: ClientCryptHello::X25519((&my_esk).into()), }; write_prepend_length(&client_hello.stdcode(), &mut pipe).await?; + tracing::trace!(server, "wrote client hello"); let exit_hello: ExitHello = stdcode::deserialize(&read_prepend_length(&mut pipe).await?)?; + tracing::trace!(server, "received exit hello"); // verify the exit hello let signed_value = (&client_hello, &exit_hello.inner).stdcode(); pubkey diff --git a/binaries/geph5-exit/src/listen.rs b/binaries/geph5-exit/src/listen.rs index f979ad3..f324958 100644 --- a/binaries/geph5-exit/src/listen.rs +++ b/binaries/geph5-exit/src/listen.rs @@ -29,7 +29,7 @@ mod b2e_process; use crate::{ broker::BrokerRpcTransport, proxy::proxy_stream, - ratelimit::{get_load, get_ratelimiter, TOTAL_BYTE_COUNT}, + ratelimit::{get_load, get_ratelimiter, RateLimiter, TOTAL_BYTE_COUNT}, CONFIG_FILE, SIGNING_SECRET, }; @@ -176,6 +176,8 @@ async fn handle_client(mut client: impl Pipe) -> anyhow::Result<()> { // execute the authentication let client_hello: ClientHello = stdcode::deserialize(&read_prepend_length(&mut client).await?)?; + tracing::debug!("client_hello received"); + let keys: Option<([u8; 32], [u8; 32])>; let exit_hello_inner: ExitHelloInner = match client_hello.crypt_hello { ClientCryptHello::SharedSecretChallenge(key) => { 
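Review bot: `CONCURRENCY` drops from 6 to 1 in `client_inner.rs` with no comment saying why, and it lands next to new trace logging, so it reads like a debugging setting that may not be meant to ship. How the constant is used is outside this hunk; if it bounds parallel connection attempts (inferred from the name only), a single slot leaves the client with no alternative while one attempt stalls. Suggest a comment stating the intent, for example `// Kept at 1 because <reason>; raise again once <condition>`. Also consider `const CONCURRENCY: usize = 1;` rather than `static`, since the value is an immutable compile-time constant.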
@@ -195,9 +197,15 @@ async fn handle_client(mut client: impl Pipe) -> anyhow::Result<()> { } }; - let (level, token, _sig): (AccountLevel, ClientToken, UnblindedSignature) = - stdcode::deserialize(&client_hello.credentials)?; - let ratelimit = get_ratelimiter(level, token).await; + let ratelimit = if CONFIG_FILE.wait().broker.is_some() { + let (level, token, _sig): (AccountLevel, ClientToken, UnblindedSignature) = + stdcode::deserialize(&client_hello.credentials) + .context("cannot deserialize credentials")?; + get_ratelimiter(level, token).await + } else { + RateLimiter::unlimited() + }; + // TODO authenticate against broker's public key let exit_hello = ExitHello {
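Review bot: The new `else` branch hands out `RateLimiter::unlimited()` and never parses `client_hello.credentials` when `CONFIG_FILE.wait().broker` is unset, so an exit started without a broker section serves any peer that completes the handshake, with no throttling. In the broker branch `_sig` is still discarded and the `// TODO authenticate against broker's public key` remains, so `level` and `token` appear to be client-asserted values that choose the rate limiter; verification may happen elsewhere, since `handle_client` continues outside this hunk. Suggest marking the broker-less mode explicitly with a comment such as `// No broker configured: clients are unauthenticated and unthrottled; private/test exits only`, ideally with a `tracing::warn!` when that path is taken. The signature should also be checked before `get_ratelimiter(level, token)` is called, so an unverified `AccountLevel` cannot select a more generous limit.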