diff --git a/internal/backend/README.md b/internal/backend/README.md
index f9a119a..0b58972 100644
--- a/internal/backend/README.md
+++ b/internal/backend/README.md
@@ -17,7 +17,10 @@ This is a purposefully "simple" application backend made specifically for _my_ a
     crash: true, // crash reports
     management: false, // managing
     // further permissions can be added as needed
-  }
+  },
+  allowedOrigins:[
+  	"http://foo.bar" // Request with this origin header is considered to be under this key.
+  ]
 }
 ```
 
diff --git a/internal/backend/header.go b/internal/backend/header.go
index 331d410..ea3d998 100644
--- a/internal/backend/header.go
+++ b/internal/backend/header.go
@@ -3,6 +3,7 @@ package backend
 import (
 	"errors"
 	"fmt"
+	"log"
 	"net/http"
 	"strings"
 	"time"
@@ -16,10 +17,11 @@ var (
 )
 
 type ApiKey struct {
-	Perm  map[string]bool `json:"perm" bson:"perm"`
-	ID    string          `json:"id" bson:"_id" valkey:",key"`
-	AppID string          `json:"appID" bson:"appID"`
-	Death int64           `json:"death" bson:"death"`
+	Perm           map[string]bool `json:"perm" bson:"perm"`
+	ID             string          `json:"id" bson:"_id" valkey:",key"`
+	AppID          string          `json:"appID" bson:"appID"`
+	Death          int64           `json:"death" bson:"death"`
+	AllowedOrigins []string        `json:"allowedOrigins" bson:"allowedOrigins"`
 }
 
 func (k ApiKey) GetID() string {
@@ -38,12 +40,6 @@ func (b *Backend) ParseHeader(r *http.Request) (*ParsedHeader, error) {
 	out := &ParsedHeader{}
 	key := r.Header.Get("X-API-Key")
 
-	//TODO: Remove legacy code
-	if key == "" {
-		key = r.URL.Query().Get("key")
-	}
-
-	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
 	if key != "" {
 		apiKey, err := b.keyTable.Get(r.Context(), key)
 		if err == ErrNotFound {
@@ -55,7 +51,20 @@ func (b *Backend) ParseHeader(r *http.Request) (*ParsedHeader, error) {
 			return nil, ErrApiKeyUnauthorized
 		}
 		out.Key = apiKey
+	} else {
+		fmt.Println(r.Header.Get("origin"))
+		keys, err := b.keyTable.Find(r.Context(), map[string]any{"allowedOrigins": r.Header.Get("origin")})
+		if err == ErrNotFound {
+			return nil, ErrApiKeyUnauthorized
+		} else if err != nil {
+			return nil, err
+		}
+		if keys[0].Death > 0 && time.Unix(keys[0].Death, 0).Before(time.Now()) {
+			return nil, ErrApiKeyUnauthorized
+		}
+		out.Key = &keys[0]
 	}
+	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
 	if token != "" && b.userTable != nil {
 		t, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
 			return b.jwtPub, nil
@@ -104,14 +113,14 @@ func (b *Backend) VerifyHeader(w http.ResponseWriter, r *http.Request, keyPerm s
 	hdr, err := b.ParseHeader(r)
 	if hdr == nil || hdr.Key == nil {
 		if err == ErrApiKeyUnauthorized {
-			fmt.Println("yo1")
 			ReturnError(w, http.StatusUnauthorized, "invalidKey", "Application not authorized")
 			return nil, nil
 		}
-		ReturnError(w, http.StatusInternalServerError, "internal", "Server error")
+		ReturnError(w, http.StatusUnauthorized, "noKey", "No API Key provided")
 		return nil, err
 	}
 	if err != nil && !errors.Is(err, ErrTokenUnauthorized) {
+		log.Println("error parsing header:", err)
 		ReturnError(w, http.StatusInternalServerError, "internal", "Server error")
 		return nil, err
 	}
@@ -119,13 +128,11 @@ func (b *Backend) VerifyHeader(w http.ResponseWriter, r *http.Request, keyPerm s
 		if allowManagementKey {
 			return hdr, nil
 		} else {
-			fmt.Println("yo2")
 			ReturnError(w, http.StatusUnauthorized, "invalidKey", "Application not authorized")
 			return nil, nil
 		}
 	}
 	if _, ok := b.apps[hdr.Key.AppID]; !ok {
-		fmt.Println("yo3")
 		ReturnError(w, http.StatusUnauthorized, "invalidKey", "Application not authorized")
 		return nil, errors.New("server misconfigured, appID present in DB, but App not added to backend")
 	}
diff --git a/main.go b/main.go
index 99ef670..0ee2e75 100644
--- a/main.go
+++ b/main.go
@@ -125,7 +125,7 @@ func setupBackend(mux *http.ServeMux) {
 			log.Println("error reading darkstorm user private key:", err)
 			goto here
 		}
-		back.AddUserAuth(db.NewMongoTable[backend.User](mongoClient.Database("darkstorm").Collection("users")), pub, priv)
+		back.AddUserAuth(db.NewMongoTable[backend.User](mongoClient.Database("darkstorm").Collection("users")), priv, pub)
 	} else {
 		back.AddCorsAddress("*")
 	}
@@ -180,7 +180,7 @@ func mainHandle(w http.ResponseWriter, r *http.Request) {
 
 const loginScreen = `
 <script src="https://unpkg.com/htmx-ext-json-enc@2.0.1/json-enc.js"></script>
-<form id="loginForm" hx-ext='json-enc' hx-post="https://api.darkstorm.tech/users/login">
+<form id="loginForm" onsubmit="login(event)">
 	<label for="username">Username:</label>
 	<input name="username" id="usernameInput"></input>
 	<label for="password">Password:</label>