diff --git a/src/apps/common/apputils.c b/src/apps/common/apputils.c index 0ef52c05..32cad8b7 100644 --- a/src/apps/common/apputils.c +++ b/src/apps/common/apputils.c @@ -899,4 +899,53 @@ struct event_base *turn_event_base_new(void) return event_base_new_with_config(cfg); } +/////////// OAUTH ///////////////// + +void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *oakd) +{ + if(raw && oakd) { + + ns_bzero(oakd,sizeof(oauth_key_data)); + + oakd->timestamp = (turn_time_t)raw->timestamp; + oakd->lifetime = raw->lifetime; + + ns_bcopy(raw->as_rs_alg,oakd->as_rs_alg,sizeof(oakd->as_rs_alg)); + ns_bcopy(raw->auth_alg,oakd->auth_alg,sizeof(oakd->auth_alg)); + ns_bcopy(raw->hkdf_hash_func,oakd->hkdf_hash_func,sizeof(oakd->hkdf_hash_func)); + ns_bcopy(raw->kid,oakd->kid,sizeof(oakd->kid)); + + if(raw->ikm_key[0]) { + size_t ikm_key_size = 0; + char *ikm_key = (char*)base64_decode(raw->ikm_key,strlen(raw->ikm_key),&ikm_key_size); + if(ikm_key) { + ns_bcopy(ikm_key,oakd->ikm_key,ikm_key_size); + oakd->ikm_key_size = ikm_key_size; + turn_free(ikm_key,ikm_key_size); + } + } + + if(raw->as_rs_key[0]) { + size_t as_rs_key_size = 0; + char *as_rs_key = (char*)base64_decode(raw->as_rs_key,strlen(raw->as_rs_key),&as_rs_key_size); + if(as_rs_key) { + ns_bcopy(as_rs_key,oakd->as_rs_key,as_rs_key_size); + oakd->as_rs_key_size = as_rs_key_size; + turn_free(as_rs_key,as_rs_key_size); + } + } + + if(raw->auth_key[0]) { + size_t auth_key_size = 0; + char *auth_key = (char*)base64_decode(raw->auth_key,strlen(raw->auth_key),&auth_key_size); + if(auth_key) { + ns_bcopy(auth_key,oakd->auth_key,auth_key_size); + oakd->auth_key_size = auth_key_size; + turn_free(auth_key,auth_key_size); + } + } + + } +} + ////////////////////////////////////////////////////////////// diff --git a/src/apps/common/apputils.h b/src/apps/common/apputils.h index 21815c4c..0868d6e9 100644 --- a/src/apps/common/apputils.h +++ b/src/apps/common/apputils.h 
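Review bot: The length returned by base64_decode is copied into oakd->ikm_key with `ns_bcopy(ikm_key,oakd->ikm_key,ikm_key_size)` without being compared to the destination's capacity, and the as_rs_key and auth_key blocks do the same; whether an over-long base64 string in the raw record can overrun the member depends on the relative sizes of raw->ikm_key and oakd->ikm_key, and the oauth_key_data definition is in ns_turn_msg_defs.h, outside this diff. The function is moved unchanged from dbdriver.c (the deleted hunk below), so this is pre-existing, but it is worth closing while the code is relocated: inside `if(ikm_key)`, reject the record when `ikm_key_size > sizeof(oakd->ikm_key)` (log it rather than silently truncating a key), keep the ns_bcopy and size assignment on the in-bounds path only, and leave turn_free on both paths so the buffer is not leaked. The three near-identical decode-and-copy blocks would also read better as one static helper taking the source string, the destination array, its capacity and the size out-parameter. Since the temporary buffers hold decoded key material, wiping them before turn_free (with whatever zeroizing helper the project provides, if any) would be prudent.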
@@ -36,6 +36,7 @@ #include #include "ns_turn_ioaddr.h" +#include "ns_turn_msg_defs.h" #ifdef __cplusplus extern "C" { @@ -69,6 +70,22 @@ enum _TURN_TLS_TYPE { typedef enum _TURN_TLS_TYPE TURN_TLS_TYPE; +//////////////////////////////////////////// + +struct _oauth_key_data_raw { + char kid[OAUTH_KID_SIZE+1]; + char ikm_key[OAUTH_KEY_SIZE+1]; + u64bits timestamp; + u32bits lifetime; + char hkdf_hash_func[OAUTH_HASH_FUNC_SIZE+1]; + char as_rs_alg[OAUTH_ALG_SIZE+1]; + char as_rs_key[OAUTH_KEY_SIZE+1]; + char auth_alg[OAUTH_ALG_SIZE+1]; + char auth_key[OAUTH_KEY_SIZE+1]; +}; + +typedef struct _oauth_key_data_raw oauth_key_data_raw; + ////////////////////////////////////////// #define EVENT_DEL(ev) if(ev) { event_del(ev); event_free(ev); ev=NULL; } @@ -150,6 +167,10 @@ unsigned char *base64_decode(const char *data, const char* turn_get_ssl_method(SSL *ssl, const char* mdefault); +////////////// OAUTH UTILS //////////////// + +void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *oakd); + //////////// Event Base ///////////////////// struct event_base *turn_event_base_new(void); diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c index 211d9f8f..aaba035d 100644 --- a/src/apps/common/ns_turn_utils.c +++ b/src/apps/common/ns_turn_utils.c @@ -32,6 +32,8 @@ #include "ns_turn_ioalib.h" #include "ns_turn_msg_defs.h" +#include + #include #include diff --git a/src/apps/common/ns_turn_utils.h b/src/apps/common/ns_turn_utils.h index 3b0a92e6..f57fea5c 100644 --- a/src/apps/common/ns_turn_utils.h +++ b/src/apps/common/ns_turn_utils.h @@ -36,8 +36,7 @@ #endif #include "ns_turn_ioaddr.h" - -#include +//#include #ifdef __cplusplus extern "C" { diff --git a/src/apps/relay/dbdrivers/dbdriver.c b/src/apps/relay/dbdrivers/dbdriver.c index e3b3b997..abf797fd 100644 --- a/src/apps/relay/dbdrivers/dbdriver.c +++ b/src/apps/relay/dbdrivers/dbdriver.c 
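Review bot: Commented-out code is left behind in ns_turn_utils.h, where the removed include survives as `//#include …` instead of being deleted; the next reader cannot tell whether it is dead or still needed for some build. Delete the line, or if it is kept deliberately, replace it with a comment saying why. The matching addition in ns_turn_utils.c and the new `#include "ns_turn_msg_defs.h"` in apputils.h are consistent with the struct and prototype being moved into apputils.h.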
@@ -89,52 +89,3 @@ turn_dbdriver_t * get_dbdriver() { return _driver; } -/////////// OAUTH ///////////////// - -void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *oakd) -{ - if(raw && oakd) { - - ns_bzero(oakd,sizeof(oauth_key_data)); - - oakd->timestamp = (turn_time_t)raw->timestamp; - oakd->lifetime = raw->lifetime; - - ns_bcopy(raw->as_rs_alg,oakd->as_rs_alg,sizeof(oakd->as_rs_alg)); - ns_bcopy(raw->auth_alg,oakd->auth_alg,sizeof(oakd->auth_alg)); - ns_bcopy(raw->hkdf_hash_func,oakd->hkdf_hash_func,sizeof(oakd->hkdf_hash_func)); - ns_bcopy(raw->kid,oakd->kid,sizeof(oakd->kid)); - - if(raw->ikm_key[0]) { - size_t ikm_key_size = 0; - char *ikm_key = (char*)base64_decode(raw->ikm_key,strlen(raw->ikm_key),&ikm_key_size); - if(ikm_key) { - ns_bcopy(ikm_key,oakd->ikm_key,ikm_key_size); - oakd->ikm_key_size = ikm_key_size; - turn_free(ikm_key,ikm_key_size); - } - } - - if(raw->as_rs_key[0]) { - size_t as_rs_key_size = 0; - char *as_rs_key = (char*)base64_decode(raw->as_rs_key,strlen(raw->as_rs_key),&as_rs_key_size); - if(as_rs_key) { - ns_bcopy(as_rs_key,oakd->as_rs_key,as_rs_key_size); - oakd->as_rs_key_size = as_rs_key_size; - turn_free(as_rs_key,as_rs_key_size); - } - } - - if(raw->auth_key[0]) { - size_t auth_key_size = 0; - char *auth_key = (char*)base64_decode(raw->auth_key,strlen(raw->auth_key),&auth_key_size); - if(auth_key) { - ns_bcopy(auth_key,oakd->auth_key,auth_key_size); - oakd->auth_key_size = auth_key_size; - turn_free(auth_key,auth_key_size); - } - } - - } -} - diff --git a/src/apps/relay/dbdrivers/dbdriver.h b/src/apps/relay/dbdrivers/dbdriver.h index e68da531..29e8ef20 100644 --- a/src/apps/relay/dbdrivers/dbdriver.h +++ b/src/apps/relay/dbdrivers/dbdriver.h 
@@ -42,22 +42,6 @@ extern "C" { //////////////////////////////////////////// -struct _oauth_key_data_raw { - char kid[OAUTH_KID_SIZE+1]; - char ikm_key[OAUTH_KEY_SIZE+1]; - u64bits timestamp; - u32bits lifetime; - char hkdf_hash_func[OAUTH_HASH_FUNC_SIZE+1]; - char as_rs_alg[OAUTH_ALG_SIZE+1]; - char as_rs_key[OAUTH_KEY_SIZE+1]; - char auth_alg[OAUTH_ALG_SIZE+1]; - char auth_key[OAUTH_KEY_SIZE+1]; -}; - -typedef struct _oauth_key_data_raw oauth_key_data_raw; - -//////////////////////////////////////////// - typedef struct _turn_dbdriver_t { int (*get_auth_secrets)(secrets_list_t *sl, u08bits *realm); int (*get_user_key)(u08bits *usname, u08bits *realm, hmackey_t key); @@ -89,10 +73,6 @@ int convert_string_key_to_binary(char* keysource, hmackey_t key, size_t sz); persistent_users_db_t * get_persistent_users_db(void); turn_dbdriver_t * get_dbdriver(void); -////////////// OAUTH UTILS //////////////// - -void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *oakd); - //////////////////////////////////////////// #ifdef __cplusplus diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index f2e8c218..9b08250d 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -2019,7 +2019,7 @@ static int decode_oauth_token_normal(u08bits *server_name, encoded_oauth_token * } if(ns_bcmp(check_mac,mac,mac_size)) { - OAUTH_ERROR("%s: mac is wrong\n",__FUNCTION__); + OAUTH_ERROR("%s: token integrity check failed\n",__FUNCTION__); return -1; } } 
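Review bot: The check on the context line `if(ns_bcmp(check_mac,mac,mac_size))` still decides token validity with an ordinary byte comparison; if ns_bcmp wraps memcmp (its definition is not in the diff), it returns as soon as a byte differs, which is the usual reason to compare authentication tags with a constant-time routine such as OpenSSL's CRYPTO_memcmp. The reworded error message is fine on its own, but the comparison it reports on is the part worth hardening, and this commit is a natural place to do both. decode_oauth_token_normal begins and ends outside the hunk.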
@@ -2158,9 +2158,9 @@ static int decode_oauth_token_aead(u08bits *server_name, encoded_oauth_token *et } unsigned char* encoded_field = (unsigned char*)etoken->token; - unsigned int encoded_field_size = (unsigned int)etoken->size-OAUTH_AEAD_NONCE_SIZE; - unsigned char* nonce = ((unsigned char*)etoken->token) + encoded_field_size; - unsigned char* tag = ((unsigned char*)etoken->token) + encoded_field_size - OAUTH_AEAD_TAG_SIZE; + unsigned int encoded_field_size = (unsigned int)etoken->size-OAUTH_AEAD_NONCE_SIZE - OAUTH_AEAD_TAG_SIZE; + unsigned char* nonce = ((unsigned char*)etoken->token) + encoded_field_size + OAUTH_AEAD_TAG_SIZE; + unsigned char* tag = ((unsigned char*)etoken->token) + encoded_field_size; dtoken->mac_size = 0; @@ -2184,8 +2184,6 @@ static int decode_oauth_token_aead(u08bits *server_name, encoded_oauth_token *et if(1 != EVP_DecryptInit_ex(&ctx, NULL, NULL, (unsigned char *)key->as_rs_key, nonce)) return -1; - EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_AEAD_TAG_SIZE, tag); - int outl=0; size_t sn_len = strlen((char*)server_name); @@ -2197,8 +2195,11 @@ static int decode_oauth_token_aead(u08bits *server_name, encoded_oauth_token *et if(1 != EVP_DecryptUpdate(&ctx, decoded_field, &outl, encoded_field, (int)encoded_field_size)) return -1; int tmp_outl = 0; - if(EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl)<1) + EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_AEAD_TAG_SIZE, tag); + if(EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl)<1) { + OAUTH_ERROR("%s: token integrity check failed\n",__FUNCTION__); return -1; + } outl += tmp_outl;
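Review bot: The new `encoded_field_size = (unsigned int)etoken->size-OAUTH_AEAD_NONCE_SIZE - OAUTH_AEAD_TAG_SIZE` wraps when the token is shorter than nonce plus tag, and nothing in the hunk checks etoken->size first; the wrapped value then feeds the pointer arithmetic for nonce and tag on the next two lines and is cast to int for EVP_DecryptUpdate. Unless a minimum-length check already precedes this in the part of decode_oauth_token_aead outside the hunk, add `if(etoken->size < OAUTH_AEAD_NONCE_SIZE + OAUTH_AEAD_TAG_SIZE) return -1;` ahead of it. The relocated `EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_AEAD_TAG_SIZE, tag);` is the only EVP_* call here whose return value is ignored; checking it like its neighbours (`if(1 != EVP_CIPHER_CTX_ctrl(...)) return -1;`) keeps a failed tag setup from being misreported as a plain integrity failure. Every `return -1` path in this hunk, including the newly added one, leaves the context set up by EVP_DecryptInit_ex without a cleanup call; whether the success path cleans it up is outside the hunk. The function starts and ends outside the hunk.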