diff --git a/TODO.md b/TODO.md
index d465b2d8..0812b840 100644
--- a/TODO.md
+++ b/TODO.md
@@ -6,6 +6,8 @@
 - Rewrite stores to use dictionaries instead of list pools
 - last updated date on tracks added via watchdog is broken
 - Disable the watchdog by default, and mark it as experimental
+- rename userid to server id in config file
+- Look into seeding jwts using user password + server id
 # DONE
 - Support auth headers
diff --git a/app/api/auth.py b/app/api/auth.py
index 61091148..4f36250d 100644
--- a/app/api/auth.py
+++ b/app/api/auth.py
@@ -99,6 +99,7 @@ def pair_device(query: PairDeviceQuery):
 Send a code to get an access token. Send an authenticated request without the code to generate a new token.
 """
+ # INFO: if user is already logged in, create a new pair code
 if current_user:
 token = create_new_token(get_jwt_identity())
 key = token["accesstoken"][-6:]
@@ -110,11 +111,16 @@ def pair_device(query: PairDeviceQuery):
 return {"code": key}
+ # INFO: if there's a pair code, return the token
 if query.code:
- token = pair_token.get(query.code, {"msg": "Invalid code"})
- pair_token = {}
+ token = pair_token.get(query.code, None)
- return token
+ if token:
+ # INFO: reset pair_token
+ pair_token = {}
+ return token
+
+ return {"msg": "Invalid code"}, 400
 return {"msg": "No code provided"}, 400
@@ -355,7 +361,7 @@ def get_all_users(query: GetAllUsersQuery):
 return res
-@api.route("/user")
+@api.get("/user")
 def get_logged_in_user():
 """
 Get logged in user
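Review bot: In `pair_device`, the pair code is cut from the tail of the freshly issued access token (`key = token["accesstoken"][-6:]`, a context line of the first auth.py hunk), so anyone shown the code also learns six characters of that token, and the code's unpredictability depends on the token format rather than on a random source. If the token is a JWT, as `get_jwt_identity()` suggests, those characters are part of its signature. Consider generating the code independently of the token, e.g. `key = secrets.token_urlsafe(6)`, and using that value as the lookup key in `pair_token`. The function body starts and ends outside this hunk.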
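Review bot: In the `query.code` branch of `pair_device` (second auth.py hunk), a wrong code now returns 400 without touching `pair_token`, so the number of guesses against a pending pairing is no longer bounded; before this commit any attempt, right or wrong, cleared the pending token. No expiry or attempt limit is visible in the hunk, so the code appears to stay redeemable until someone presents it. Cap failed attempts and drop the pending entry once the cap is reached, and ideally give the entry a short lifetime as well; the sketch below uses `pair_failures` and `MAX_PAIR_ATTEMPTS`, which are new names that do not exist in the file. `pair_device` starts and ends outside the hunk, so a `global` declaration or expiry logic may exist that is not visible here.

```python
        token = pair_token.get(query.code, None)
        # … unchanged: on a match, reset pair_token and return the token …

        # Constructed sketch: count misses and invalidate the pending pairing at the cap.
        pair_failures += 1
        if pair_failures >= MAX_PAIR_ATTEMPTS:
            pair_token = {}
            pair_failures = 0

        return {"msg": "Invalid code"}, 400
```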