diff --git a/exampleconfig.json b/exampleconfig.json
index 0007ffedbbf12932051b789126146985855e66db..2d65365888f37e18114280d103eaea80c77dffb7 100644
--- a/exampleconfig.json
+++ b/exampleconfig.json
@@ -6,6 +6,13 @@
     "port": 443,
     "cookie_secret": "supersecret"
   },
+  "database": {
+    "host": "localhost",
+    "user": "user",
+    "password": "supersecret",
+    "database": "dbname",
+    "dbtype": "mysql"
+  },
   "auth": {
     "provider": "google",
     "oauth_client_id": "nnnnnnnnnnnnnnnn.apps.googleusercontent.com",
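Review bot: The new `database` block uses `"password": "supersecret"`, the same placeholder as `cookie_secret` a few lines up, and example configs tend to be copied into deployments unchanged. A distinct, obviously invalid placeholder such as `"password": "CHANGE_ME_db_password"` would make an unedited copy easier to spot. The `server/config/config.go` hunk in this diff adds no field for this section, so unless a `database` struct already exists elsewhere the block is not read; worth confirming before documenting it here.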
@@ -13,8 +20,7 @@
     "oauth_callback_url": "https://sshca.example.com/auth/callback",
     "google_opts": {
       "domain": "example.com"
-    },
-    "jwt_signing_key": "supersecret"
+    }
   },
   "ssh": {
     "signing_key": "signing_key",
diff --git a/server/config/config.go b/server/config/config.go
index 3d12665d38b2197093e92257fad25b05d36e3a40..bf5bfc7db50edef95b8b9fe52a4c5f3e8541d507 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -39,7 +39,6 @@ type Auth struct {
 	OauthCallbackURL  string            `mapstructure:"oauth_callback_url"`
 	Provider          string            `mapstructure:"provider"`
 	ProviderOpts      map[string]string `mapstructure:"provider_opts"`
-	JWTSigningKey     string            `mapstructure:"jwt_signing_key"`
 }
 
 // SSH holds the configuration specific to signing ssh keys.
diff --git a/server/config/config_test.go b/server/config/config_test.go
index f97961a492215fb2d9d920853e38931225f7f209..067b0dcae25a52731971a27590166f1cc0e6e534 100644
--- a/server/config/config_test.go
+++ b/server/config/config_test.go
@@ -37,7 +37,6 @@ func TestAuthConfig(t *testing.T) {
 	a.Equal(auth.OauthClientID, "client_id")
 	a.Equal(auth.OauthClientSecret, "secret")
 	a.Equal(auth.OauthCallbackURL, "https://sshca.example.com/auth/callback")
-	a.Equal(auth.JWTSigningKey, "supersecret")
 }
 
 func TestSSHConfig(t *testing.T) {
diff --git a/server/main.go b/server/main.go
index 786fc9f42d9c10e2d1ef672c32bccb85663e5139..402b32156c19962b5f6110a749eef2fa22b40208 100644
--- a/server/main.go
+++ b/server/main.go
@@ -13,11 +13,11 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 
 	"golang.org/x/oauth2"
 
-	"github.com/dgrijalva/jwt-go"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/nsheridan/cashier/lib"
@@ -34,12 +34,11 @@ var (
 
 // appContext contains local context - cookiestore, authprovider, authsession, templates etc.
 type appContext struct {
-	cookiestore   *sessions.CookieStore
-	authprovider  auth.Provider
-	authsession   *auth.Session
-	views         *template.Template
-	sshKeySigner  *signer.KeySigner
-	jwtSigningKey []byte
+	cookiestore  *sessions.CookieStore
+	authprovider auth.Provider
+	authsession  *auth.Session
+	views        *template.Template
+	sshKeySigner *signer.KeySigner
 }
 
 // getAuthCookie retrieves a cookie from the request and validates it.
@@ -83,21 +82,17 @@ func parseKey(r *http.Request) (*lib.SignRequest, error) {
 // signHandler handles the "/sign" path.
 // It unmarshals the client token to an oauth token, validates it and signs the provided public ssh key.
 func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
-	// Retrieve the client token and verify it.
-	jwtoken, err := jwt.ParseFromRequest(r, func(t *jwt.Token) (interface{}, error) {
-		return a.jwtSigningKey, nil
-	})
-	if err != nil {
-		return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
+	var t string
+	if ah := r.Header.Get("Authorization"); ah != "" {
+		if len(ah) > 6 && strings.ToUpper(ah[0:7]) == "BEARER " {
+			t = ah[7:]
+		}
 	}
-	if !jwtoken.Valid {
-		log.Printf("Token %v not valid", jwtoken)
+	if t == "" {
 		return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 	}
-	expiry := int64(jwtoken.Claims["exp"].(float64))
 	token := &oauth2.Token{
-		AccessToken: jwtoken.Claims["token"].(string),
-		Expiry:      time.Unix(expiry, 0),
+		AccessToken: t,
 	}
 	ok := a.authprovider.Valid(token)
 	if !ok {
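Review bot: With the JWT wrapper removed, `signHandler` passes whatever follows `Bearer ` straight into `oauth2.Token{AccessToken: t}` with no `Expiry`, so `a.authprovider.Valid(token)` is now the only gate in front of certificate signing. Its body is not in this diff. It should be confirmed to check with the provider that the token is unexpired and was issued to this application's OAuth client ID, not only that it belongs to a user in the allowed domain; otherwise a token minted for a different application could be presented here. Note that a zero `Expiry` makes `oauth2.Token.Valid()` treat the token as never expiring, so a local-only check would not catch a stale token. As a style point, `strings.EqualFold(ah[:7], "bearer ")` reads more directly than upper-casing the slice. The function continues past the end of the hunk.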
@@ -156,16 +151,9 @@ func rootHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 		http.Redirect(w, r, "/auth/login", http.StatusSeeOther)
 		return http.StatusSeeOther, nil
 	}
-	j := jwt.New(jwt.SigningMethodHS256)
-	j.Claims["token"] = tok.AccessToken
-	j.Claims["exp"] = tok.Expiry.Unix()
-	t, err := j.SignedString(a.jwtSigningKey)
-	if err != nil {
-		return http.StatusInternalServerError, err
-	}
 	page := struct {
 		Token string
-	}{t}
+	}{tok.AccessToken}
 	a.views.ExecuteTemplate(w, "token.html", page)
 	return http.StatusOK, nil
 }
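Review bot: `rootHandler` now renders the provider's raw `tok.AccessToken` into `token.html` rather than a server-signed wrapper. Anyone who obtains the page content therefore holds a credential usable against the provider's APIs for whatever scopes were requested, not just against `/sign`. I would set `w.Header().Set("Cache-Control", "no-store")` before `ExecuteTemplate`, and check that the OAuth scopes requested elsewhere are the minimum needed. The error returned by `a.views.ExecuteTemplate` is also discarded, so a render failure still returns `http.StatusOK`. The start of the function is outside this hunk.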
@@ -232,11 +220,10 @@ func main() {
 	}
 
 	ctx := &appContext{
-		cookiestore:   sessions.NewCookieStore([]byte(config.Server.CookieSecret)),
-		authprovider:  authprovider,
-		views:         template.Must(template.ParseGlob("templates/*")),
-		sshKeySigner:  signer,
-		jwtSigningKey: []byte(config.Auth.JWTSigningKey),
+		cookiestore:  sessions.NewCookieStore([]byte(config.Server.CookieSecret)),
+		authprovider: authprovider,
+		views:        template.Must(template.ParseGlob("templates/*")),
+		sshKeySigner: signer,
 	}
 	ctx.cookiestore.Options = &sessions.Options{
 		MaxAge:   900,
diff --git a/testdata/config.go b/testdata/config.go
index ca856a82a7ddd85501dafe7c2feca32ec6c60b37..8b38fa620f69ee211661cc4b6c28e6aac922c403 100644
--- a/testdata/config.go
+++ b/testdata/config.go
@@ -18,8 +18,7 @@ var AuthConfig = []byte(`{
 		"oauth_callback_url": "https://sshca.example.com/auth/callback",
 		"provider_opts": {
 			"domain": "example.com"
-		},
-		"jwt_signing_key": "supersecret"
+		}
 	}
 }`)