diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/APIAuthentication.java b/full/src/main/java/de/ids_mannheim/korap/authentication/APIAuthentication.java
index 7b7da01..b90889b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/APIAuthentication.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/APIAuthentication.java
@@ -8,11 +8,11 @@
 
 import de.ids_mannheim.korap.config.JWTSigner;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationIface;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import net.sf.ehcache.Cache;
 import net.sf.ehcache.CacheManager;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java b/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java
index c353884..2a3b676 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java
@@ -9,12 +9,12 @@
 import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.FullConfiguration;
 import de.ids_mannheim.korap.config.Scopes;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.dao.UserDao;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationIface;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.StringUtils;
 import de.ids_mannheim.korap.utils.TimeUtils;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/KustvaktAuthenticationManager.java b/full/src/main/java/de/ids_mannheim/korap/authentication/KustvaktAuthenticationManager.java
index 73728a4..acef1d5 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/KustvaktAuthenticationManager.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/KustvaktAuthenticationManager.java
@@ -22,11 +22,11 @@
 
 import de.ids_mannheim.korap.auditing.AuditRecord;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.AuthenticationMethod;
 import de.ids_mannheim.korap.config.BeansFactory;
 import de.ids_mannheim.korap.config.FullConfiguration;
-import de.ids_mannheim.korap.config.TokenType;
 import de.ids_mannheim.korap.config.URIParam;
+import de.ids_mannheim.korap.constant.AuthenticationMethod;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.dao.AdminDao;
 import de.ids_mannheim.korap.exceptions.EmptyResultException;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
@@ -41,10 +41,10 @@
 import de.ids_mannheim.korap.interfaces.db.AuditingIface;
 import de.ids_mannheim.korap.interfaces.db.UserDataDbIface;
 import de.ids_mannheim.korap.interfaces.defaults.ApacheValidator;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.DemoUser;
 import de.ids_mannheim.korap.user.KorAPUser;
 import de.ids_mannheim.korap.user.ShibUser;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.user.User.CorpusAccess;
 import de.ids_mannheim.korap.user.User.Location;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
index 44ed646..0cdd3d3 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
@@ -28,8 +28,8 @@
 
 import com.unboundid.ldap.sdk.*;
 
-import de.ids_mannheim.korap.config.TokenType;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
+import de.ids_mannheim.korap.constant.TokenType;
 
 import java.io.*;
 import java.util.*;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/OpenIDconnectAuthentication.java b/full/src/main/java/de/ids_mannheim/korap/authentication/OpenIDconnectAuthentication.java
index 368c390..1cc6150 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/OpenIDconnectAuthentication.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/OpenIDconnectAuthentication.java
@@ -3,14 +3,14 @@
 import com.nimbusds.jwt.SignedJWT;
 import de.ids_mannheim.korap.config.JWTSigner;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.handlers.OAuthDb;
 import de.ids_mannheim.korap.interfaces.AuthenticationIface;
 import de.ids_mannheim.korap.interfaces.db.PersistenceClient;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.NamingUtils;
 import de.ids_mannheim.korap.utils.StringUtils;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/SessionAuthentication.java b/full/src/main/java/de/ids_mannheim/korap/authentication/SessionAuthentication.java
index b32879e..23e83c3 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/SessionAuthentication.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/SessionAuthentication.java
@@ -1,13 +1,13 @@
 package de.ids_mannheim.korap.authentication;
 
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationIface;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.TimeUtils;
 import org.joda.time.DateTime;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/SessionFactory.java b/full/src/main/java/de/ids_mannheim/korap/authentication/SessionFactory.java
index 1817799..7292ad0 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/SessionFactory.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/SessionFactory.java
@@ -2,8 +2,8 @@
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.DemoUser;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.utils.ConcurrentMultiMap;
 import de.ids_mannheim.korap.utils.TimeUtils;
 import org.joda.time.DateTime;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/http/AuthorizationData.java b/full/src/main/java/de/ids_mannheim/korap/authentication/http/AuthorizationData.java
index a1ad185..236f26a 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/http/AuthorizationData.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/http/AuthorizationData.java
@@ -1,6 +1,6 @@
 package de.ids_mannheim.korap.authentication.http;
 
-import de.ids_mannheim.korap.config.AuthenticationScheme;
+import de.ids_mannheim.korap.constant.AuthenticationScheme;
 import lombok.Getter;
 import lombok.Setter;
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpAuthorizationHandler.java b/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpAuthorizationHandler.java
index bea9bc1..7796345 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpAuthorizationHandler.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpAuthorizationHandler.java
@@ -3,7 +3,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
-import de.ids_mannheim.korap.config.AuthenticationScheme;
+import de.ids_mannheim.korap.constant.AuthenticationScheme;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.utils.ParameterChecker;
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpUnauthorizedHandler.java b/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpUnauthorizedHandler.java
index 8e296bc..845d9ae 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpUnauthorizedHandler.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/http/HttpUnauthorizedHandler.java
@@ -8,7 +8,7 @@
 
 import org.springframework.stereotype.Component;
 
-import de.ids_mannheim.korap.config.AuthenticationScheme;
+import de.ids_mannheim.korap.constant.AuthenticationScheme;
 
 /** Implementation of HTTP authentication scheme (see RFC 7253 and 7617)
  *  for server creating responses with status 401 Unauthorized and 
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/spring/BasicAuthenticationManager.java b/full/src/main/java/de/ids_mannheim/korap/authentication/spring/BasicAuthenticationManager.java
index 49ec065..808cbf4 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/spring/BasicAuthenticationManager.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/spring/BasicAuthenticationManager.java
@@ -8,11 +8,11 @@
 import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
 import de.ids_mannheim.korap.config.Scopes;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.dao.UserDao;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.KorAPUser;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.TimeUtils;
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/AuthCodeInfo.java b/full/src/main/java/de/ids_mannheim/korap/config/AuthCodeInfo.java
new file mode 100644
index 0000000..03c22d5
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/config/AuthCodeInfo.java
@@ -0,0 +1,33 @@
+package de.ids_mannheim.korap.config;
+
+import lombok.Data;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @author hanl
+ * @date 13/05/2015
+ */
+@Data
+public class AuthCodeInfo {
+    private String clientId;
+    private String scopes;
+    private Integer userId;
+    private Boolean status;
+    private String code;
+    private List<String> tokens;
+
+
+    public AuthCodeInfo () {
+        this.setStatus(true);
+        this.tokens = new ArrayList<>();
+    }
+
+
+    public AuthCodeInfo (String clientid, String authcode) {
+        this();
+        this.clientId = clientid;
+        this.code = authcode;
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java b/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
new file mode 100644
index 0000000..426a873
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
@@ -0,0 +1,185 @@
+package de.ids_mannheim.korap.config;
+
+import com.nimbusds.jose.*;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jose.crypto.MACVerifier;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.exceptions.StatusCodes;
+import de.ids_mannheim.korap.security.context.TokenContext;
+import de.ids_mannheim.korap.user.GenericUserData;
+import de.ids_mannheim.korap.user.User;
+import de.ids_mannheim.korap.user.Userdata;
+import de.ids_mannheim.korap.utils.TimeUtils;
+import org.joda.time.DateTime;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.text.ParseException;
+import java.util.Map;
+
+/**
+ * @author hanl
+ * @date 19/05/2014
+ */
+public class JWTSigner {
+
+    private URL issuer;
+    private JWSSigner signer;
+    private JWSVerifier verifier;
+    private final int defaultttl;
+
+
+    public JWTSigner (final byte[] secret, URL issuer, final int defaulttl) {
+        this.issuer = issuer;
+        this.signer = new MACSigner(secret);
+        this.verifier = new MACVerifier(secret);
+        this.defaultttl = defaulttl;
+    }
+
+
+    public JWTSigner (final byte[] secret, String issuer)
+            throws MalformedURLException {
+        this(secret, new URL(issuer), 72 * 60 * 60);
+    }
+
+
+    public SignedJWT createJWT (User user, Map<String, Object> attr) {
+        return signContent(user, attr, defaultttl);
+    }
+
+
+    public SignedJWT signContent (User user, Map<String, Object> attr, int ttl) {
+        String scopes;
+
+        JWTClaimsSet cs = new JWTClaimsSet();
+        cs.setIssuerClaim(this.issuer.toString());
+
+        if ((scopes = (String) attr.get(Attributes.SCOPES)) != null) {
+            Userdata data = new GenericUserData();
+            data.readQuietly(attr, false);
+            Scopes claims = Scopes.mapScopes(scopes, data);
+            cs.setCustomClaims(claims.toMap());
+        }
+
+        cs.setSubjectClaim(user.getUsername());
+        if (attr.get(Attributes.CLIENT_ID) != null)
+            cs.setAudienceClaim(new String[] { (String) attr
+                    .get(Attributes.CLIENT_ID) });
+        cs.setExpirationTimeClaim(TimeUtils.getNow().plusSeconds(ttl)
+                .getMillis());
+        SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256),
+                cs);
+        try {
+            signedJWT.sign(signer);
+        }
+        catch (JOSEException e) {
+            return null;
+        }
+        return signedJWT;
+    }
+
+
+    /**
+     * @param username
+     * @param json
+     * @return
+     */
+    public SignedJWT signContent (String username, String userclient,
+            String json, int ttl) {
+        JWTClaimsSet cs = new JWTClaimsSet();
+        cs.setSubjectClaim(username);
+        if (!json.isEmpty())
+            cs.setCustomClaim("data", json);
+        cs.setExpirationTimeClaim(TimeUtils.getNow().plusSeconds(ttl)
+                .getMillis());
+        cs.setIssuerClaim(this.issuer.toString());
+
+        if (!userclient.isEmpty())
+            cs.setCustomClaim("userip", userclient);
+
+        SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256),
+                cs);
+        try {
+            signedJWT.sign(signer);
+        }
+        catch (JOSEException e) {
+            return null;
+        }
+        return signedJWT;
+    }
+
+
+    public SignedJWT signContent (String username, String userclient,
+            String json) {
+        return signContent(username, userclient, json, defaultttl);
+    }
+
+
+    public SignedJWT createSignedToken (String username) {
+        return createSignedToken(username, defaultttl);
+    }
+
+
+    // add client info
+    public SignedJWT createSignedToken (String username, int ttl) {
+        return signContent(username, "", "", ttl);
+    }
+
+
+    public SignedJWT verifyToken (String token) throws KustvaktException {
+        SignedJWT client;
+        try {
+            client = SignedJWT.parse(token);
+            if (!client.verify(verifier))
+                throw new KustvaktException(StatusCodes.REQUEST_INVALID);
+
+            if (!new DateTime(client.getJWTClaimsSet().getExpirationTimeClaim())
+                    .isAfterNow())
+                throw new KustvaktException(StatusCodes.EXPIRED,
+                        "Authentication token is expired", token);
+        }
+        catch (ParseException | JOSEException e) {
+            //todo: message or entity, how to treat??!
+            throw new KustvaktException(StatusCodes.ILLEGAL_ARGUMENT,
+                    "Token could not be verified", token);
+        }
+        return client;
+    }
+
+
+    // does not care about expiration times
+    public String retrieveContent (String signedContent)
+            throws KustvaktException {
+        SignedJWT jwt;
+        try {
+            jwt = SignedJWT.parse(signedContent);
+            if (!jwt.verify(verifier))
+                throw new KustvaktException(StatusCodes.REQUEST_INVALID,
+                        "token invalid", signedContent);
+            return (String) jwt.getJWTClaimsSet().getCustomClaim("data");
+        }
+        catch (ParseException | JOSEException e) {
+            return null;
+        }
+    }
+
+
+    public TokenContext getTokenContext (String idtoken) throws ParseException,
+            JOSEException, KustvaktException {
+        SignedJWT signedJWT = verifyToken(idtoken);
+
+        TokenContext c = new TokenContext();
+        c.setUsername(signedJWT.getJWTClaimsSet().getSubjectClaim());
+        if (signedJWT.getJWTClaimsSet().getAudienceClaim() != null)
+            c.addContextParameter(Attributes.CLIENT_ID, signedJWT
+                    .getJWTClaimsSet().getAudienceClaim()[0]);
+        c.setExpirationTime(signedJWT.getJWTClaimsSet()
+                .getExpirationTimeClaim());
+        c.setToken(idtoken);
+        c.addParams(signedJWT.getJWTClaimsSet().getCustomClaims());
+        return c;
+    }
+
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/AuthenticationMethod.java b/full/src/main/java/de/ids_mannheim/korap/constant/AuthenticationMethod.java
similarity index 87%
rename from full/src/main/java/de/ids_mannheim/korap/config/AuthenticationMethod.java
rename to full/src/main/java/de/ids_mannheim/korap/constant/AuthenticationMethod.java
index b44d0a0..1beec64 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/AuthenticationMethod.java
+++ b/full/src/main/java/de/ids_mannheim/korap/constant/AuthenticationMethod.java
@@ -1,4 +1,4 @@
-package de.ids_mannheim.korap.config;
+package de.ids_mannheim.korap.constant;
 
 /** Lists possible actual authentication methods. Multiple 
  *  {@link AuthenticationScheme} may use an identical 
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/AuthenticationScheme.java b/full/src/main/java/de/ids_mannheim/korap/constant/AuthenticationScheme.java
similarity index 90%
rename from full/src/main/java/de/ids_mannheim/korap/config/AuthenticationScheme.java
rename to full/src/main/java/de/ids_mannheim/korap/constant/AuthenticationScheme.java
index 4459e56..42f296c 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/AuthenticationScheme.java
+++ b/full/src/main/java/de/ids_mannheim/korap/constant/AuthenticationScheme.java
@@ -1,4 +1,4 @@
-package de.ids_mannheim.korap.config;
+package de.ids_mannheim.korap.constant;
 
 import org.apache.commons.lang.WordUtils;
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/constant/ClientType.java b/full/src/main/java/de/ids_mannheim/korap/constant/OAuth2ClientType.java
similarity index 95%
rename from full/src/main/java/de/ids_mannheim/korap/constant/ClientType.java
rename to full/src/main/java/de/ids_mannheim/korap/constant/OAuth2ClientType.java
index eb78b40..1584aef 100644
--- a/full/src/main/java/de/ids_mannheim/korap/constant/ClientType.java
+++ b/full/src/main/java/de/ids_mannheim/korap/constant/OAuth2ClientType.java
@@ -1,6 +1,6 @@
 package de.ids_mannheim.korap.constant;
 
-public enum ClientType {
+public enum OAuth2ClientType {
 
     // EM: from RFC 6749
         
diff --git a/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java b/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java
new file mode 100644
index 0000000..dce97fa
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java
@@ -0,0 +1,15 @@
+package de.ids_mannheim.korap.constant;
+
+public enum TokenType {
+    BASIC, API, SESSION, 
+    // openid token, e.g. within oauth2 response (json body)
+    ID_TOKEN,
+    // OAuth2 access_token, practically formulated identical as TokenType.API
+    BEARER,
+    // OAuth2 client
+    CLIENT; 
+
+    public String displayName () {
+        return name().toLowerCase();
+    }
+}
\ No newline at end of file
diff --git a/full/src/main/java/de/ids_mannheim/korap/dao/OAuth2ClientDao.java b/full/src/main/java/de/ids_mannheim/korap/dao/OAuth2ClientDao.java
index 09d801a..94ad319 100644
--- a/full/src/main/java/de/ids_mannheim/korap/dao/OAuth2ClientDao.java
+++ b/full/src/main/java/de/ids_mannheim/korap/dao/OAuth2ClientDao.java
@@ -1,15 +1,22 @@
 package de.ids_mannheim.korap.dao;
 
 import javax.persistence.EntityManager;
+import javax.persistence.NoResultException;
 import javax.persistence.PersistenceContext;
+import javax.persistence.Query;
 import javax.persistence.criteria.CriteriaBuilder;
+import javax.persistence.criteria.CriteriaQuery;
+import javax.persistence.criteria.Predicate;
+import javax.persistence.criteria.Root;
 
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
-import de.ids_mannheim.korap.constant.ClientType;
+import de.ids_mannheim.korap.constant.OAuth2ClientType;
 import de.ids_mannheim.korap.entity.OAuth2Client;
+import de.ids_mannheim.korap.entity.OAuth2Client_;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.utils.ParameterChecker;
 
 @Transactional
@@ -20,13 +27,14 @@
     private EntityManager entityManager;
 
     public void registerClient (String id, String secret, String name,
-            ClientType type, String url, String redirectURI)
-            throws KustvaktException {
+            OAuth2ClientType type, String url, String redirectURI,
+            String registeredBy) throws KustvaktException {
         ParameterChecker.checkStringValue(id, "client id");
         ParameterChecker.checkStringValue(name, "client name");
         ParameterChecker.checkObjectValue(type, "client type");
         ParameterChecker.checkStringValue(url, "client url");
         ParameterChecker.checkStringValue(redirectURI, "client redirect uri");
+        ParameterChecker.checkStringValue(registeredBy, "registeredBy");
 
         OAuth2Client client = new OAuth2Client();
         client.setId(id);
@@ -35,9 +43,31 @@
         client.setType(type);
         client.setUrl(url);
         client.setRedirectURI(redirectURI);
+        client.setRegisteredBy(registeredBy);
 
         entityManager.persist(client);
     }
 
+    public OAuth2Client retrieveClientById (String clientId)
+            throws KustvaktException {
+
+        CriteriaBuilder builder = entityManager.getCriteriaBuilder();
+        CriteriaQuery<OAuth2Client> query =
+                builder.createQuery(OAuth2Client.class);
+
+        Root<OAuth2Client> root = query.from(OAuth2Client.class);
+        query.select(root);
+        query.where(builder.equal(root.get(OAuth2Client_.id), clientId));
+
+        Query q = entityManager.createQuery(query);
+        try {
+            return (OAuth2Client) q.getSingleResult();
+        }
+        catch (NoResultException e) {
+            throw new KustvaktException(StatusCodes.CLIENT_NOT_FOUND,
+                    "Client with id " + clientId + "is not found");
+        }
+    }
+
 
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/dto/OAuth2ClientDto.java b/full/src/main/java/de/ids_mannheim/korap/dto/OAuth2ClientDto.java
new file mode 100644
index 0000000..1840fd3
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/dto/OAuth2ClientDto.java
@@ -0,0 +1,22 @@
+package de.ids_mannheim.korap.dto;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class OAuth2ClientDto {
+
+    private String client_id;
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    private String client_secret;
+
+    public OAuth2ClientDto () {}
+
+    public OAuth2ClientDto (String id, String secret) {
+        this.client_id = id;
+        this.client_secret = secret;
+    }
+}
\ No newline at end of file
diff --git a/full/src/main/java/de/ids_mannheim/korap/entity/OAuth2Client.java b/full/src/main/java/de/ids_mannheim/korap/entity/OAuth2Client.java
index c299a22..9d91d93 100644
--- a/full/src/main/java/de/ids_mannheim/korap/entity/OAuth2Client.java
+++ b/full/src/main/java/de/ids_mannheim/korap/entity/OAuth2Client.java
@@ -7,7 +7,7 @@
 import javax.persistence.Id;
 import javax.persistence.Table;
 
-import de.ids_mannheim.korap.constant.ClientType;
+import de.ids_mannheim.korap.constant.OAuth2ClientType;
 import lombok.Getter;
 import lombok.Setter;
 
@@ -23,17 +23,20 @@
 
     @Id
     private String id;
+    private String name;
     private String secret;
     @Enumerated(EnumType.STRING)
-    private ClientType type;
+    private OAuth2ClientType type;
+    private String url;
     @Column(name = "redirect_uri")
     private String redirectURI;
-    private String url;
-    private String name;
+    private String registeredBy;
+
 
     @Override
     public String toString () {
         return "id=" + id + ", secret=" + secret + ", type=" + type + ", name="
-                + name + ", url=" + url + ", redirectURI=" + redirectURI;
+                + name + ", url=" + url + ", redirectURI=" + redirectURI
+                + ", registeredBy=" + registeredBy;
     }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java b/full/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java
index 35c7cbc..fd3c1e8 100644
--- a/full/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java
+++ b/full/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java
@@ -1,6 +1,5 @@
 package de.ids_mannheim.korap.handlers;
 
-import de.ids_mannheim.korap.config.KustvaktBaseDaoInterface;
 import de.ids_mannheim.korap.config.ParamFields;
 import de.ids_mannheim.korap.config.URIParam;
 import de.ids_mannheim.korap.exceptions.EmptyResultException;
@@ -8,6 +7,7 @@
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.exceptions.DatabaseException;
 import de.ids_mannheim.korap.interfaces.EntityHandlerIface;
+import de.ids_mannheim.korap.interfaces.KustvaktBaseDaoInterface;
 import de.ids_mannheim.korap.interfaces.db.PersistenceClient;
 import de.ids_mannheim.korap.user.KorAPUser;
 import de.ids_mannheim.korap.user.ShibUser;
diff --git a/full/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java b/full/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
index 72d15cb..828d61e 100644
--- a/full/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
+++ b/full/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
@@ -1,13 +1,13 @@
 package de.ids_mannheim.korap.handlers;
 
 import de.ids_mannheim.korap.config.ClientInfo;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.exceptions.DatabaseException;
 import de.ids_mannheim.korap.interfaces.db.PersistenceClient;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.BooleanUtils;
 import de.ids_mannheim.korap.utils.TimeUtils;
diff --git a/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java b/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java
index 8d715a7..140ef6b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java
+++ b/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java
@@ -2,9 +2,9 @@
 
 import java.util.Map;
 
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 
 public interface AuthenticationIface {
diff --git a/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java b/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java
index cf37422..4f3fcc0 100644
--- a/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java
+++ b/full/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java
@@ -6,11 +6,11 @@
 
 import javax.ws.rs.core.HttpHeaders;
 
-import de.ids_mannheim.korap.config.AuthenticationMethod;
 import de.ids_mannheim.korap.config.KustvaktCacheable;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.AuthenticationMethod;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.user.Userdata;
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/security/context/KustvaktContext.java b/full/src/main/java/de/ids_mannheim/korap/security/context/KustvaktContext.java
new file mode 100644
index 0000000..6d36199
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/security/context/KustvaktContext.java
@@ -0,0 +1,46 @@
+package de.ids_mannheim.korap.security.context;
+
+import javax.ws.rs.core.SecurityContext;
+
+import java.security.Principal;
+
+/**
+ * @author hanl
+ * @date 13/05/2014
+ * 
+ *       wrapper for REST security context
+ * 
+ */
+public class KustvaktContext implements SecurityContext {
+
+    private TokenContext user;
+
+
+    public KustvaktContext (final TokenContext user) {
+        this.user = user;
+    }
+
+
+    @Override
+    public Principal getUserPrincipal () {
+        return this.user;
+    }
+
+
+    @Override
+    public boolean isUserInRole (String role) {
+        throw new UnsupportedOperationException();
+    }
+
+
+    @Override
+    public boolean isSecure () {
+        return false;
+    }
+
+
+    @Override
+    public String getAuthenticationScheme () {
+        return SecurityContext.BASIC_AUTH;
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/security/context/TokenContext.java b/full/src/main/java/de/ids_mannheim/korap/security/context/TokenContext.java
new file mode 100644
index 0000000..becdf9b
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/security/context/TokenContext.java
@@ -0,0 +1,158 @@
+package de.ids_mannheim.korap.security.context;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+import de.ids_mannheim.korap.config.Attributes;
+import de.ids_mannheim.korap.constant.TokenType;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.user.User;
+import de.ids_mannheim.korap.user.User.UserFactory;
+import de.ids_mannheim.korap.utils.JsonUtils;
+import de.ids_mannheim.korap.utils.TimeUtils;
+import lombok.AccessLevel;
+import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
+
+/**
+ * @author hanl
+ * @date 27/01/2014
+ */
+@Data
+public class TokenContext implements java.security.Principal, Serializable {
+
+    /**
+     * session relevant data. Are never persisted into a database
+     */
+    private String username;
+    private long expirationTime;
+    // either "session_token " / "api_token
+    private TokenType tokenType;
+    private String token;
+    private boolean secureRequired;
+
+    @Getter(AccessLevel.PRIVATE)
+    @Setter(AccessLevel.PRIVATE)
+    private Map<String, Object> parameters;
+    private String hostAddress;
+    private String userAgent;
+
+
+    public TokenContext () {
+        this.parameters = new HashMap<>();
+        this.setUsername("");
+        this.setToken("");
+        this.setSecureRequired(false);
+        this.setExpirationTime(-1);
+    }
+
+
+    private Map statusMap () {
+        Map m = new HashMap();
+        if (username != null && !username.isEmpty())
+            m.put(Attributes.USERNAME, username);
+        m.put(Attributes.TOKEN_EXPIRATION,
+                TimeUtils.format(this.expirationTime));
+        m.put(Attributes.TOKEN, this.token);
+        m.put(Attributes.TOKEN_TYPE, this.tokenType);
+        return m;
+    }
+
+
+    public Map<String, Object> params () {
+        return new HashMap<>(parameters);
+    }
+
+
+    public boolean match (TokenContext other) {
+        if (other.getToken().equals(this.token))
+            if (this.getHostAddress().equals(this.hostAddress))
+                // user agent should be irrelvant -- what about os system version?
+                //                if (other.getUserAgent().equals(this.userAgent))
+                return true;
+        return false;
+    }
+
+
+    public void addContextParameter (String key, String value) {
+        this.parameters.put(key, value);
+    }
+
+
+    public void addParams (Map<String, Object> map) {
+        for (Map.Entry<String, Object> e : map.entrySet())
+            this.parameters.put(e.getKey(), String.valueOf(e.getValue()));
+    }
+
+
+    public void removeContextParameter (String key) {
+        this.parameters.remove(key);
+    }
+
+
+    public void setExpirationTime (long date) {
+        this.expirationTime = date;
+    }
+
+
+    //todo: complete
+    public static TokenContext fromJSON (String s) throws KustvaktException {
+        JsonNode node = JsonUtils.readTree(s);
+        TokenContext c = new TokenContext();
+        if (node != null) {
+            c.setUsername(node.path(Attributes.USERNAME).asText());
+            c.setToken(node.path(Attributes.TOKEN).asText());
+        }
+        return c;
+    }
+
+
+    public static TokenContext fromOAuth2 (String s) throws KustvaktException {
+        JsonNode node = JsonUtils.readTree(s);
+        TokenContext c = new TokenContext();
+        if (node != null) {
+            c.setToken(node.path("token").asText());
+            c.setTokenType(TokenType.valueOf(
+                    node.path("token_type").asText()));
+            c.setExpirationTime(node.path("expires_in").asLong());
+            c.addContextParameter("refresh_token", node.path("refresh_token")
+                    .asText());
+
+        }
+        return c;
+    }
+
+
+    public boolean isValid () {
+        return (this.username != null && !this.username.isEmpty())
+                && (this.token != null && !this.token.isEmpty())
+                && (this.tokenType != null);
+    }
+
+
+    public String getToken () {
+        return token;
+    }
+
+
+    public String toJson() throws KustvaktException {
+        return JsonUtils.toJSON(this.statusMap());
+    }
+
+
+    public boolean isDemo() {
+        return User.UserFactory.isDemo(this.username);
+    }
+
+
+
+    @Override
+    public String getName () {
+        return this.getUsername();
+    }
+
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/service/OAuth2ClientService.java
index dbfdc2e..ec146fd 100644
--- a/full/src/main/java/de/ids_mannheim/korap/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/service/OAuth2ClientService.java
@@ -1,14 +1,21 @@
 package de.ids_mannheim.korap.service;
 
 import org.apache.commons.validator.routines.UrlValidator;
+import org.apache.oltu.oauth2.common.message.types.GrantType;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
-import de.ids_mannheim.korap.constant.ClientType;
+import de.ids_mannheim.korap.authentication.http.AuthorizationData;
+import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
+import de.ids_mannheim.korap.constant.AuthenticationScheme;
+import de.ids_mannheim.korap.constant.OAuth2ClientType;
 import de.ids_mannheim.korap.dao.OAuth2ClientDao;
+import de.ids_mannheim.korap.dto.OAuth2ClientDto;
+import de.ids_mannheim.korap.entity.OAuth2Client;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.web.input.OAuth2ClientJson;
 
 @Service
@@ -20,10 +27,11 @@
     private UrlValidator urlValidator;
     @Autowired
     private EncryptionIface encryption;
+    @Autowired
+    private HttpAuthorizationHandler authorizationHandler;
 
-
-    public void registerClient (OAuth2ClientJson clientJson)
-            throws KustvaktException {
+    public OAuth2ClientDto registerClient (OAuth2ClientJson clientJson,
+            String registeredBy) throws KustvaktException {
         if (!urlValidator.isValid(clientJson.getUrl())) {
             throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
                     clientJson.getUrl() + " is invalid.", clientJson.getUrl());
@@ -35,14 +43,83 @@
         }
 
         String secret = null;
-        if (clientJson.getType().equals(ClientType.CONFIDENTIAL)) {
+        if (clientJson.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {
             secret = encryption.createToken();
         }
 
         String id = encryption.createRandomNumber();
-        
+
         clientDao.registerClient(id, secret, clientJson.getName(),
                 clientJson.getType(), clientJson.getUrl(),
-                clientJson.getRedirectURI());
+                clientJson.getRedirectURI(), registeredBy);
+
+        return new OAuth2ClientDto(id, secret);
+    }
+
+
+    public OAuth2ClientDto deregisterClient (String clientId, String username) {
+
+
+        return null;
+    }
+
+
+    public TokenContext requestAccessTokenByClientCredentials (
+            String authorization, String grantType) throws KustvaktException {
+
+        return null;
+    }
+
+    /** According to RFC 6749, an authorization server MUST: 
+     * <ul>
+     * <li>
+     * require client authentication for confidential clients or for any
+     * client that was issued client credentials (or with other authentication 
+     * requirements),
+     * </li>
+     * 
+     * <li>authenticate the client if client authentication is included
+     * </li>
+     * </ul>
+     * 
+     * @param authorization
+     * @param grantType
+     * @param client_id
+     * @return
+     * @throws KustvaktException
+     */
+    public OAuth2Client authenticateClient (String authorization,
+            GrantType grantType, String client_id) throws KustvaktException {
+
+        OAuth2Client client = clientDao.retrieveClientById(client_id);
+
+        if (authorization == null || authorization.isEmpty()) {
+            if (client.getType().equals(OAuth2ClientType.CONFIDENTIAL)
+                    || grantType.equals(GrantType.CLIENT_CREDENTIALS)) {
+                new KustvaktException(StatusCodes.CLIENT_AUTHENTICATION_FAILED,
+                        "Authorization header is not found.");
+            }
+            // OAuth2 does not require client authentication
+        }
+        else {
+            AuthorizationData authData = authorizationHandler
+                    .parseAuthorizationHeaderValue(authorization);
+            if (authData.getAuthenticationScheme()
+                    .equals(AuthenticationScheme.BASIC)) {
+                if (!client.getSecret().equals(authData.getPassword())) {
+                    new KustvaktException(
+                            StatusCodes.CLIENT_AUTHENTICATION_FAILED,
+                            "Client credentials are incorrect.");
+                }
+            }
+            else {
+                throw new KustvaktException(
+                        StatusCodes.UNSUPPORTED_AUTHENTICATION_SCHEME,
+                        authData.getAuthenticationScheme().displayName()
+                                + "is unsupported for client authentication.",
+                        authData.getAuthenticationScheme().displayName());
+            }
+        }
+        return client;
     }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/service/OAuth2Service.java b/full/src/main/java/de/ids_mannheim/korap/service/OAuth2Service.java
new file mode 100644
index 0000000..aee6b13
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/service/OAuth2Service.java
@@ -0,0 +1,57 @@
+package de.ids_mannheim.korap.service;
+
+import org.apache.oltu.oauth2.common.message.types.GrantType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import de.ids_mannheim.korap.entity.OAuth2Client;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.exceptions.StatusCodes;
+
+@Service
+public class OAuth2Service {
+
+    @Autowired
+    private OAuth2ClientService clientService;
+
+    /** 
+     *  RFC 6749:
+     *  
+     *  If the client type is confidential or the client was issued client
+     *  credentials, the client MUST authenticate with the authorization server.
+     *  
+     * @param authorization
+     * @param grantType
+     * @param scope 
+     * @param password 
+     * @param username 
+     * @param client_id 
+     * @param redirectURI 
+     * @param authorizationCode 
+     * @throws KustvaktException
+     */
+    public void requestAccessToken (String authorization, GrantType grantType,
+            String authorizationCode, String redirectURI, String client_id,
+            String username, String password, String scope)
+            throws KustvaktException {
+
+        OAuth2Client client = clientService.authenticateClient(authorization,
+                grantType, client_id);
+
+        if (grantType.equals(GrantType.AUTHORIZATION_CODE)) {
+
+        }
+        else if (grantType.equals(GrantType.PASSWORD)) {
+
+        }
+        else if (grantType.equals(GrantType.CLIENT_CREDENTIALS)) {
+
+        }
+        else {
+            throw new KustvaktException(StatusCodes.UNSUPPORTED_GRANT_TYPE,
+                    "Grant type " + grantType.name() + " is unsupported.",
+                    grantType.name());
+        }
+
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/AnnotationController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/AnnotationController.java
index a49c276..09cebff 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/AnnotationController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/AnnotationController.java
@@ -9,16 +9,15 @@
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.sun.jersey.spi.container.ResourceFilters;
 
+import de.ids_mannheim.korap.dto.FoundryDto;
+import de.ids_mannheim.korap.dto.LayerDto;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.service.AnnotationService;
@@ -35,13 +34,13 @@
  */
 @Controller
 @Path("annotation/")
-@ResourceFilters({DemoUserFilter.class, PiwikFilter.class })
+@ResourceFilters({ DemoUserFilter.class, PiwikFilter.class })
 @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
 public class AnnotationController {
 
     @Autowired
     CoreResponseHandler responseHandler;
-    
+
     @Autowired
     private AnnotationService annotationService;
 
@@ -52,13 +51,8 @@
      */
     @GET
     @Path("layers")
-    public Response getLayers () {
-        try {
-            return Response.ok(JsonUtils.toJSON(annotationService.getLayerDtos())).build();
-        }
-        catch (KustvaktException e) {
-            throw responseHandler.throwit(e);
-        }
+    public List<LayerDto> getLayers () {
+        return annotationService.getLayerDtos();
     }
 
 
@@ -75,13 +69,13 @@
     @POST
     @Path("description")
     @Consumes(MediaType.APPLICATION_JSON)
-    public Response getFoundryDescriptions (String json) {
+    public List<FoundryDto> getFoundryDescriptions (String json) {
         if (json == null || json.isEmpty()) {
             throw responseHandler
                     .throwit(new KustvaktException(StatusCodes.MISSING_ARGUMENT,
                             "Missing a json string.", ""));
         }
-        
+
         JsonNode node;
         try {
             node = JsonUtils.readTree(json);
@@ -125,16 +119,12 @@
                             "No result found.", "codes:[]"));
         }
 
-        String result;
         try {
-            result = JsonUtils
-                    .toJSON(annotationService.getFoundryDtos(codes, language));
+            return annotationService.getFoundryDtos(codes, language);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
-
 }
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/AuthenticationController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/AuthenticationController.java
index d5d6a5b..1e783c2 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/AuthenticationController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/AuthenticationController.java
@@ -31,15 +31,15 @@
 import de.ids_mannheim.korap.authentication.http.AuthorizationData;
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.AuthenticationMethod;
-import de.ids_mannheim.korap.config.AuthenticationScheme;
-import de.ids_mannheim.korap.config.TokenType;
 import de.ids_mannheim.korap.config.BeansFactory;
+import de.ids_mannheim.korap.constant.AuthenticationMethod;
+import de.ids_mannheim.korap.constant.AuthenticationScheme;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.KorAPUser;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.utils.KustvaktLogger;
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
new file mode 100644
index 0000000..7cd3311
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
@@ -0,0 +1,61 @@
+package de.ids_mannheim.korap.web.controller;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
+
+import org.apache.oltu.oauth2.common.message.types.GrantType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.service.OAuth2Service;
+import de.ids_mannheim.korap.web.FullResponseHandler;
+
+@Controller
+@Path("/oauth2")
+public class OAuth2Controller {
+
+    @Autowired
+    private FullResponseHandler responseHandler;
+    @Autowired
+    private OAuth2Service oauth2Service;
+
+    @POST
+    @Path("token")
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public Response requestAccessToken (
+            @Context SecurityContext securityContext,
+            @HeaderParam("Authorization") String authorization,
+            // required for all grants
+            @FormParam("grant_type") GrantType grantType,
+            // required for Authorization Code Grant
+            @FormParam("code") String authorizationCode,
+            @FormParam("redirect_uri") String redirectURI,
+            @FormParam("client_id") String client_id,
+            // required for Resource Owner Password Credentials Grant
+            @FormParam("username") String username,
+            @FormParam("password") String password,
+            // optional for Resource Owner Password and Client Credentials Grants
+            @FormParam("scope") String scope) {
+
+        try {
+            oauth2Service.requestAccessToken(authorization, grantType,
+                    authorizationCode, redirectURI, client_id, username,
+                    password, scope);
+
+            return Response.ok().build();
+        }
+        catch (KustvaktException e) {
+            throw responseHandler.throwit(e);
+        }
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index b0b88e4..d766537 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -6,7 +6,6 @@
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 
 import org.springframework.beans.factory.annotation.Autowired;
@@ -14,7 +13,9 @@
 
 import com.sun.jersey.spi.container.ResourceFilters;
 
+import de.ids_mannheim.korap.dto.OAuth2ClientDto;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.service.OAuth2ClientService;
 import de.ids_mannheim.korap.web.FullResponseHandler;
 import de.ids_mannheim.korap.web.filter.AuthenticationFilter;
@@ -23,9 +24,7 @@
 
 
 @Controller
-@Path("/client")
-//@Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-//@ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
+@Path("/oauth2/client")
 public class OAuthClientController {
 
     @Autowired
@@ -33,27 +32,77 @@
     @Autowired
     private FullResponseHandler responseHandler;
 
-    /** EM: who can register a client?
+    /** Registers a client application. Before starting an OAuth process, 
+     * client applications have to be registered first. Only registered
+     * users are allowed to register client applications.
      * 
+     * From RFC 6749:
      * The authorization server SHOULD document the size of any identifier 
      * it issues.
      * 
      * @param context
-     * @param clientJson
-     * @return
+     * @param clientJson a JSON object describing the client
+     * @return client id and secret if the client type is confidential
      */
     @POST
     @Path("register")
     @Consumes(MediaType.APPLICATION_JSON)
-    public Response registerClient (@Context SecurityContext context,
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
+    public OAuth2ClientDto registerClient (
+            @Context SecurityContext securityContext,
             OAuth2ClientJson clientJson) {
+        TokenContext context =
+                (TokenContext) securityContext.getUserPrincipal();
         try {
-            clientService.registerClient(clientJson);
+            return clientService.registerClient(clientJson,
+                    context.getUsername());
         }
         catch (KustvaktException e) {
-            responseHandler.throwit(e);
+            throw responseHandler.throwit(e);
         }
-        return Response.ok().build();
     }
 
+
+    //    /** Deregisters a client via owner authentication. 
+    //     * 
+    //     * EM: who can deregister clients? The user registered the clients or the client itself?
+    //     * 
+    //     * @param securityContext
+    //     * @param clientId
+    //     * @return HTTP Response OK if successful.
+    //     */
+    //    @POST
+    //    @Path("deregister")
+    //    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    //    @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
+    //    public OAuth2ClientDto deregisterClient (
+    //            @Context SecurityContext securityContext,
+    //            @FormParam("client_id") String clientId) {
+    //        TokenContext context =
+    //                (TokenContext) securityContext.getUserPrincipal();
+    //        try {
+    //            return clientService.deregisterClient(clientId,
+    //                    context.getUsername());
+    //        }
+    //        catch (KustvaktException e) {
+    //            throw responseHandler.throwit(e);
+    //        }
+    //    }
+    //
+    //    @POST
+    //    @Path("deregister")
+    //    @ResourceFilters({ OAuth2ClientAuthenticationFilter.class,
+    //            BlockingFilter.class })
+    //    public OAuth2ClientDto deregisterClient (
+    //            @Context SecurityContext securityContext) {
+    //        TokenContext context =
+    //                (TokenContext) securityContext.getUserPrincipal();
+    //        try {
+    //            return clientService.deregisterClient();
+    //        }
+    //        catch (KustvaktException e) {
+    //            throw responseHandler.throwit(e);
+    //        }
+    //    }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthController.java
index fdc2046..47e5968 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthController.java
@@ -43,18 +43,18 @@
 
 import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.AuthCodeInfo;
-import de.ids_mannheim.korap.config.AuthenticationMethod;
 import de.ids_mannheim.korap.config.BeansFactory;
 import de.ids_mannheim.korap.config.ClientInfo;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
 import de.ids_mannheim.korap.config.Scopes;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.AuthenticationMethod;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.handlers.OAuth2Handler;
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.user.UserDetails;
 import de.ids_mannheim.korap.user.Userdata;
@@ -73,7 +73,7 @@
  */
 //todo: only allow oauth2 access_token requests GET methods?
 //todo: allow refresh tokens
-@Path("/oauth2")
+//@Path("/oauth2")
 public class OAuthController {
 
     @Autowired
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/ResourceController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/ResourceController.java
index d64e5bd..a603489 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/ResourceController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/ResourceController.java
@@ -1,5 +1,7 @@
 package de.ids_mannheim.korap.web.controller;
 
+import java.util.List;
+
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -11,6 +13,7 @@
 
 import com.sun.jersey.spi.container.ResourceFilters;
 
+import de.ids_mannheim.korap.dto.ResourceDto;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.service.ResourceService;
 import de.ids_mannheim.korap.utils.JsonUtils;
@@ -40,15 +43,7 @@
      */
     @GET
     @Path("info")
-    public Response getAllResourceInfo () {
-        String result = "";
-        try {
-            result = JsonUtils.toJSON(resourceService.getResourceDtos());
-        }
-        catch (KustvaktException e) {
-            // TODO Auto-generated catch block
-            e.printStackTrace();
-        }
-        return Response.ok(result).build();
+    public List<ResourceDto> getAllResourceInfo () {
+        return resourceService.getResourceDtos();
     }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java
index 27b17e1..d97052b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java
@@ -49,7 +49,7 @@
 import de.ids_mannheim.korap.resources.ResourceFactory;
 import de.ids_mannheim.korap.resources.VirtualCollection;
 import de.ids_mannheim.korap.rewrite.FullRewriteHandler;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.user.User.CorpusAccess;
 import de.ids_mannheim.korap.utils.JsonUtils;
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserController.java
index a0b2923..670840b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserController.java
@@ -42,8 +42,8 @@
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.KorAPUser;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.user.UserDetails;
 import de.ids_mannheim.korap.user.UserQuery;
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
index e96ec0a..5781520 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
@@ -24,9 +24,8 @@
 import de.ids_mannheim.korap.constant.UserGroupStatus;
 import de.ids_mannheim.korap.dto.UserGroupDto;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.service.UserGroupService;
-import de.ids_mannheim.korap.user.TokenContext;
-import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.FullResponseHandler;
 import de.ids_mannheim.korap.web.filter.AuthenticationFilter;
 import de.ids_mannheim.korap.web.filter.BlockingFilter;
@@ -46,7 +45,6 @@
  */
 @Controller
 @Path("group")
-@Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
 @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class,
         PiwikFilter.class })
 public class UserGroupController {
@@ -66,14 +64,13 @@
      */
     @GET
     @Path("list")
-    public Response getUserGroup (@Context SecurityContext securityContext) {
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<UserGroupDto> getUserGroup (
+            @Context SecurityContext securityContext) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            List<UserGroupDto> dtos =
-                    service.retrieveUserGroup(context.getUsername());
-            String result = JsonUtils.toJSON(dtos);
-            return Response.ok(result).build();
+            return service.retrieveUserGroup(context.getUsername());
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
@@ -92,17 +89,16 @@
      */
     @GET
     @Path("list/system-admin")
-    public Response getUserGroupBySystemAdmin (
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<UserGroupDto> getUserGroupBySystemAdmin (
             @Context SecurityContext securityContext,
             @QueryParam("username") String username,
             @QueryParam("status") UserGroupStatus status) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            List<UserGroupDto> dtos = service.retrieveUserGroupByStatus(
-                    username, context.getUsername(), status);
-            String result = JsonUtils.toJSON(dtos);
-            return Response.ok(result).build();
+            return service.retrieveUserGroupByStatus(username,
+                    context.getUsername(), status);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
@@ -117,20 +113,19 @@
      */
     @GET
     @Path("{groupId}")
-    public Response searchUserGroup (@Context SecurityContext securityContext,
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public UserGroupDto searchUserGroup (
+            @Context SecurityContext securityContext,
             @PathParam("groupId") int groupId) {
-        String result;
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            UserGroupDto dto =
-                    service.searchById(context.getUsername(), groupId);
-            result = JsonUtils.toJSON(dto);
+            return service.searchById(context.getUsername(), groupId);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
+
     }
 
     /** Creates a user group where the user in token context is the 
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
index a0f937f..b68ab2d 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
@@ -16,8 +16,6 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 
@@ -28,9 +26,8 @@
 import de.ids_mannheim.korap.dto.VirtualCorpusAccessDto;
 import de.ids_mannheim.korap.dto.VirtualCorpusDto;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.service.VirtualCorpusService;
-import de.ids_mannheim.korap.user.TokenContext;
-import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.FullResponseHandler;
 import de.ids_mannheim.korap.web.filter.AuthenticationFilter;
 import de.ids_mannheim.korap.web.filter.BlockingFilter;
@@ -53,14 +50,10 @@
  */
 @Controller
 @Path("vc")
-@Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
 @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class,
         PiwikFilter.class })
 public class VirtualCorpusController {
 
-    private static Logger jlog =
-            LoggerFactory.getLogger(VirtualCorpusController.class);
-
     @Autowired
     private FullResponseHandler responseHandler;
     @Autowired
@@ -81,8 +74,6 @@
     public Response createVC (@Context SecurityContext securityContext,
             VirtualCorpusJson vc) {
         try {
-            jlog.debug(vc.toString());
-
             // get user info
             TokenContext context =
                     (TokenContext) securityContext.getUserPrincipal();
@@ -131,20 +122,17 @@
      */
     @GET
     @Path("search/{vcId}")
-    public Response searchVC (@Context SecurityContext securityContext,
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public VirtualCorpusDto searchVC (@Context SecurityContext securityContext,
             @PathParam("vcId") int vcId) {
-        String result;
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            VirtualCorpusDto dto =
-                    service.searchVCById(context.getUsername(), vcId);
-            result = JsonUtils.toJSON(dto);
+            return service.searchVCById(context.getUsername(), vcId);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
 
     /** Lists not only private virtual corpora but all virtual corpora 
@@ -160,20 +148,18 @@
      */
     @GET
     @Path("list")
-    public Response listVCByUser (@Context SecurityContext securityContext,
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<VirtualCorpusDto> listVCByUser (
+            @Context SecurityContext securityContext,
             @QueryParam("createdBy") String createdBy) {
-        String result;
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            List<VirtualCorpusDto> dtos =
-                    service.listVCByUser(context.getUsername(), createdBy);
-            result = JsonUtils.toJSON(dtos);
+            return service.listVCByUser(context.getUsername(), createdBy);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
 
     /** Lists all virtual corpora created by a user
@@ -184,19 +170,17 @@
      */
     @GET
     @Path("list/user")
-    public Response listUserVC (@Context SecurityContext securityContext) {
-        String result;
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<VirtualCorpusDto> listUserVC (
+            @Context SecurityContext securityContext) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            List<VirtualCorpusDto> dtos =
-                    service.listOwnerVC(context.getUsername());
-            result = JsonUtils.toJSON(dtos);
+            return service.listOwnerVC(context.getUsername());
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
 
     /** Lists virtual corpora by creator and type. This is a controller for 
@@ -213,21 +197,19 @@
      */
     @GET
     @Path("list/system-admin")
-    public Response listVCByStatus (@Context SecurityContext securityContext,
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<VirtualCorpusDto> listVCByStatus (
+            @Context SecurityContext securityContext,
             @QueryParam("createdBy") String createdBy,
             @QueryParam("type") VirtualCorpusType type) {
-        String result;
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
-            List<VirtualCorpusDto> dtos = service
-                    .listVCByType(context.getUsername(), createdBy, type);
-            result = JsonUtils.toJSON(dtos);
+            return service.listVCByType(context.getUsername(), createdBy, type);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
 
     /** Only the VC owner and system admins can delete VC. VCA admins 
@@ -312,20 +294,18 @@
      */
     @GET
     @Path("access/list")
-    public Response listVCAccess (@Context SecurityContext securityContext,
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<VirtualCorpusAccessDto> listVCAccess (
+            @Context SecurityContext securityContext,
             @QueryParam("vcId") int vcId) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
-        String result;
         try {
-            List<VirtualCorpusAccessDto> dtos =
-                    service.listVCAccessByVC(context.getUsername(), vcId);
-            result = JsonUtils.toJSON(dtos);
+            return service.listVCAccessByVC(context.getUsername(), vcId);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
 
     /** Lists active VC-accesses available for a user-group. 
@@ -338,20 +318,17 @@
      */
     @GET
     @Path("access/list/byGroup")
-    public Response listVCAccessByGroup (
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<VirtualCorpusAccessDto> listVCAccessByGroup (
             @Context SecurityContext securityContext,
             @QueryParam("groupId") int groupId) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
-        String result;
         try {
-            List<VirtualCorpusAccessDto> dtos =
-                    service.listVCAccessByGroup(context.getUsername(), groupId);
-            result = JsonUtils.toJSON(dtos);
+            return service.listVCAccessByGroup(context.getUsername(), groupId);
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
         }
-        return Response.ok(result).build();
     }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java
index 5b3d68a..aa3b0ad 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java
@@ -18,16 +18,16 @@
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.authentication.http.TransferEncoding;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.AuthenticationMethod;
+import de.ids_mannheim.korap.constant.AuthenticationMethod;
 import de.ids_mannheim.korap.dao.AdminDao;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.KustvaktContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.StringUtils;
 import de.ids_mannheim.korap.web.FullResponseHandler;
-import de.ids_mannheim.korap.web.utils.KustvaktContext;
 
 /**
  * @author hanl, margaretha
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/AuthenticationFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/AuthenticationFilter.java
index 75ef3cc..118f780 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/AuthenticationFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/AuthenticationFilter.java
@@ -12,14 +12,14 @@
 
 import de.ids_mannheim.korap.authentication.http.AuthorizationData;
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.KustvaktContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.utils.TimeUtils;
 import de.ids_mannheim.korap.web.FullResponseHandler;
-import de.ids_mannheim.korap.web.utils.KustvaktContext;
 
 /**
  * @author hanl, margaretha
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/BlockingFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/BlockingFilter.java
index 4cc7f99..107d102 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/BlockingFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/BlockingFilter.java
@@ -12,7 +12,7 @@
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.web.FullResponseHandler;
 
 /**
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoFilter.java
index d3f2cd9..321417d 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoFilter.java
@@ -11,10 +11,10 @@
 import com.sun.jersey.spi.container.ResourceFilter;
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.user.TokenContext;
-import de.ids_mannheim.korap.web.utils.KustvaktContext;
+import de.ids_mannheim.korap.security.context.KustvaktContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 
 /**
  * @author hanl
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoUserFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoUserFilter.java
index 106c180..78138bb 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoUserFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/DemoUserFilter.java
@@ -6,11 +6,11 @@
 import com.sun.jersey.spi.container.ResourceFilter;
 import de.ids_mannheim.korap.config.BeansFactory;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.KustvaktContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.TimeUtils;
 import de.ids_mannheim.korap.web.CoreResponseHandler;
-import de.ids_mannheim.korap.web.utils.KustvaktContext;
 
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.UriInfo;
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/NonDemoBlockingFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/NonDemoBlockingFilter.java
index 3efa619..d47e1da 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/NonDemoBlockingFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/NonDemoBlockingFilter.java
@@ -12,7 +12,7 @@
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.web.FullResponseHandler;
 
 /**
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/PiwikFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/PiwikFilter.java
index ee8ee15..abf2eb9 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/PiwikFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/PiwikFilter.java
@@ -14,6 +14,7 @@
 import de.ids_mannheim.korap.config.BeansFactory;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.*;
 import net.minidev.json.JSONArray;
 import org.slf4j.Logger;
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java b/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
index 28a2a6a..80c5fba 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
@@ -1,6 +1,6 @@
 package de.ids_mannheim.korap.web.input;
 
-import de.ids_mannheim.korap.constant.ClientType;
+import de.ids_mannheim.korap.constant.OAuth2ClientType;
 import lombok.Getter;
 import lombok.Setter;
 
@@ -10,7 +10,7 @@
     
     // all required for registration
     private String name;
-    private ClientType type;
+    private OAuth2ClientType type;
     private String url;
     private String redirectURI;
 }
diff --git a/full/src/main/resources/db/new-mysql/V1.4__oauth2_tables.sql b/full/src/main/resources/db/new-mysql/V1.4__oauth2_tables.sql
index e36b0f9..c228c08 100644
--- a/full/src/main/resources/db/new-mysql/V1.4__oauth2_tables.sql
+++ b/full/src/main/resources/db/new-mysql/V1.4__oauth2_tables.sql
@@ -3,12 +3,13 @@
 -- oauth2 db tables
 create table if not exists oauth2_client (
 	id VARCHAR(100) UNIQUE PRIMARY KEY,
+	name VARCHAR(200) NOT NULL,
 	secret VARCHAR(200),
 	type VARCHAR(200) NOT NULL,
+	url TEXT UNIQUE NOT NULL,
 	redirect_uri TEXT NOT NULL,
 --is_confidential BOOLEAN DEFAULT FALSE,
-	url TEXT UNIQUE NOT NULL,
-	name VARCHAR(200) NOT NULL
+	registeredBy VARCHAR(100) NOT NULL
 );
 
 
diff --git a/full/src/main/resources/db/new-sqlite/V1.4__oauth2_tables.sql b/full/src/main/resources/db/new-sqlite/V1.4__oauth2_tables.sql
index ecf7a24..fe0391f 100644
--- a/full/src/main/resources/db/new-sqlite/V1.4__oauth2_tables.sql
+++ b/full/src/main/resources/db/new-sqlite/V1.4__oauth2_tables.sql
@@ -3,9 +3,10 @@
 -- oauth2 db tables
 create table IF NOT EXISTS oauth2_client (
 	id VARCHAR(100) NOT NULL,
+	name VARCHAR(200) NOT NULL,
 	secret VARCHAR(200) NOT NULL,
 	type VARCHAR(200) NOT NULL,
-	redirect_uri TEXT NOT NULL,
 	url TEXT UNIQUE NOT NULL,
-	name VARCHAR(200) NOT NULL
+	redirect_uri TEXT NOT NULL,
+	registeredBy VARCHAR(100) NOT NULL
 );
diff --git a/full/src/main/resources/default-config.xml b/full/src/main/resources/default-config.xml
index 2844538..b3bf566 100644
--- a/full/src/main/resources/default-config.xml
+++ b/full/src/main/resources/default-config.xml
@@ -1,11 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p" 
-	xmlns:util="http://www.springframework.org/schema/util"
-	xmlns:aop="http://www.springframework.org/schema/aop" 
-	xmlns:tx="http://www.springframework.org/schema/tx"
-	xmlns="http://www.springframework.org/schema/beans" 
-	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
+	xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
 	xmlns:cache="http://www.springframework.org/schema/cache"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
@@ -21,9 +18,8 @@
 	<context:component-scan base-package="de.ids_mannheim.korap" />
 	<context:annotation-config />
 
-	<!-- <bean id="test" class="de.ids_mannheim.korap.web.Test">
-		<property name="config" ref="kustvakt_config" />
-	</bean> -->
+	<!-- <bean id="test" class="de.ids_mannheim.korap.web.Test"> <property name="config" 
+		ref="kustvakt_config" /> </bean> -->
 
 	<bean id="props"
 		class="org.springframework.beans.factory.config.PropertiesFactoryBean">
@@ -46,7 +42,7 @@
 				<value>classpath:properties/mail.properties</value>
 				<value>file:./mail.properties</value>
 				<value>classpath:properties/hibernate.properties</value>
-				
+
 				<value>classpath:kustvakt.conf</value>
 				<value>file:./kustvakt.conf</value>
 			</array>
@@ -91,11 +87,11 @@
 		<property name="username" value="${jdbc.username}" />
 		<property name="password" value="${jdbc.password}" />
 		<property name="connectionProperties">
-            <props>
-                <prop key="date_string_format">yyyy-MM-dd HH:mm:ss</prop>
-            </props>
-        </property>
-        
+			<props>
+				<prop key="date_string_format">yyyy-MM-dd HH:mm:ss</prop>
+			</props>
+		</property>
+
 		<!-- relevant for single connection datasource and sqlite -->
 		<property name="suppressClose">
 			<value>true</value>
@@ -113,8 +109,8 @@
 		<!-- <property name="dataSource" ref="dataSource" /> -->
 		<property name="dataSource" ref="sqliteDataSource" />
 	</bean>
-	
-	
+
+
 	<bean id="kustvakt_db" class="de.ids_mannheim.korap.handlers.JDBCClient">
 		<constructor-arg index="0" ref="dataSource" />
 		<!-- deprecated property -->
@@ -125,7 +121,7 @@
 		class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
 		<!-- <property name="dataSource" ref="dataSource" /> -->
 		<property name="dataSource" ref="sqliteDataSource" />
-		
+
 		<property name="packagesToScan" value="de.ids_mannheim.korap.entity" />
 		<property name="jpaVendorAdapter">
 			<bean id="jpaVendorAdapter"
@@ -150,7 +146,7 @@
 
 	<tx:annotation-driven proxy-target-class="true"
 		transaction-manager="transactionManager" />
-		
+
 	<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
 		<property name="entityManagerFactory" ref="entityManagerFactory" />
 	</bean>
@@ -161,20 +157,20 @@
 	</bean>
 
 	<!-- Data access objects -->
-	<bean id="resourceDao" class="de.ids_mannheim.korap.dao.ResourceDao"/>
+	<bean id="resourceDao" class="de.ids_mannheim.korap.dao.ResourceDao" />
 	<!-- <bean id="annotationDao" class="de.ids_mannheim.korap.dao.AnnotationDao"/> -->
 
 	<!-- Krill -->
 	<bean id="search_krill" class="de.ids_mannheim.korap.web.SearchKrill">
-		<constructor-arg value="${krill.indexDir}"/>
+		<constructor-arg value="${krill.indexDir}" />
 	</bean>
 
 	<!-- URLValidator -->
 	<bean id="urlValidator" class="org.apache.commons.validator.routines.UrlValidator">
-		<constructor-arg value="http,https"/>
+		<constructor-arg value="http,https" />
 	</bean>
-	
-	
+
+
 	<bean id="kustvakt_rewrite" class="de.ids_mannheim.korap.rewrite.FullRewriteHandler">
 		<constructor-arg ref="kustvakt_config" />
 	</bean>
@@ -183,11 +179,10 @@
 		<constructor-arg ref="kustvakt_db" />
 	</bean>
 
-	<bean id="kustvakt_response"
-          class="de.ids_mannheim.korap.web.FullResponseHandler">
-          <constructor-arg index="0" name="iface" ref="kustvakt_auditing"/>
-    </bean>
-    
+	<bean id="kustvakt_response" class="de.ids_mannheim.korap.web.FullResponseHandler">
+		<constructor-arg index="0" name="iface" ref="kustvakt_auditing" />
+	</bean>
+
 	<bean id="kustvakt_userdb" class="de.ids_mannheim.korap.handlers.EntityDao">
 		<constructor-arg ref="kustvakt_db" />
 	</bean>
@@ -206,11 +201,13 @@
 	</bean>
 
 	<!-- authentication providers to use -->
-	<!-- <bean id="api_auth" class="de.ids_mannheim.korap.authentication.APIAuthentication">
-		<constructor-arg type="de.ids_mannheim.korap.config.KustvaktConfiguration"
-			ref="kustvakt_config" />
-	</bean> -->
-	
+	<!-- <bean id="api_auth" class="de.ids_mannheim.korap.authentication.APIAuthentication"> 
+		<constructor-arg type="de.ids_mannheim.korap.config.KustvaktConfiguration" 
+		ref="kustvakt_config" /> </bean> -->
+
+	<bean id="client_auth"
+		class="de.ids_mannheim.korap.authentication.OAuth2ClientAuthentication" />
+
 	<bean id="ldap_auth" class="de.ids_mannheim.korap.authentication.LdapAuth3">
 		<constructor-arg type="de.ids_mannheim.korap.config.KustvaktConfiguration"
 			ref="kustvakt_config" />
@@ -238,6 +235,7 @@
 		<ref bean="session_auth" />
 		<!-- <ref bean="api_auth" /> -->
 		<ref bean="openid_auth" />
+		<ref bean="client_auth" />
 	</util:list>
 
 
@@ -265,8 +263,8 @@
 	<!-- specify type for constructor argument -->
 	<bean id="kustvakt_authenticationmanager"
 		class="de.ids_mannheim.korap.authentication.KustvaktAuthenticationManager">
-		<constructor-arg
-			type="de.ids_mannheim.korap.interfaces.EntityHandlerIface" ref="kustvakt_userdb" />
+		<constructor-arg type="de.ids_mannheim.korap.interfaces.EntityHandlerIface"
+			ref="kustvakt_userdb" />
 		<constructor-arg type="de.ids_mannheim.korap.interfaces.EncryptionIface"
 			ref="kustvakt_encryption" />
 		<constructor-arg ref="kustvakt_config" />
@@ -305,11 +303,11 @@
 		<!-- <property name="dataSource" ref="dataSource" /> -->
 		<property name="dataSource" ref="sqliteDataSource" />
 	</bean>
-	
+
 	<!-- mail -->
-		<bean id="authenticator" class="de.ids_mannheim.korap.service.MailAuthenticator">
-		<constructor-arg index="0" value="${mail.username}"/>
-		<constructor-arg index="1" value="${mail.password}"/>
+	<bean id="authenticator" class="de.ids_mannheim.korap.service.MailAuthenticator">
+		<constructor-arg index="0" value="${mail.username}" />
+		<constructor-arg index="1" value="${mail.password}" />
 	</bean>
 	<bean id="smtpSession" class="javax.mail.Session" factory-method="getInstance">
 		<constructor-arg index="0">
@@ -322,18 +320,19 @@
 				<prop key="mail.smtp.connectiontimeout">${mail.connectiontimeout}</prop>
 			</props>
 		</constructor-arg>
-		<constructor-arg index="1" ref="authenticator"/>
+		<constructor-arg index="1" ref="authenticator" />
 	</bean>
 	<bean id="mailSender" class="org.springframework.mail.javamail.JavaMailSenderImpl">
 		<property name="username" value="${mail.username}" />
-	    <property name="password" value="${mail.password}" />
+		<property name="password" value="${mail.password}" />
 		<property name="session" ref="smtpSession" />
 	</bean>
 	<bean id="velocityEngine" class="org.apache.velocity.app.VelocityEngine">
 		<constructor-arg index="0">
 			<props>
 				<prop key="resource.loader">class</prop>
-				<prop key="class.resource.loader.class">org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader</prop>
+				<prop key="class.resource.loader.class">org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
+				</prop>
 			</props>
 		</constructor-arg>
 	</bean>
diff --git a/full/src/test/java/de/ids_mannheim/korap/authentication/APIAuthenticationTest.java b/full/src/test/java/de/ids_mannheim/korap/authentication/APIAuthenticationTest.java
index b1d43fa..0fca0b8 100644
--- a/full/src/test/java/de/ids_mannheim/korap/authentication/APIAuthenticationTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/authentication/APIAuthenticationTest.java
@@ -12,10 +12,10 @@
 import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.KustvaktConfiguration;
 import de.ids_mannheim.korap.config.SpringJerseyTest;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.user.KorAPUser;
-import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 
 public class APIAuthenticationTest extends SpringJerseyTest {
diff --git a/full/src/test/java/de/ids_mannheim/korap/config/TestHelper.java b/full/src/test/java/de/ids_mannheim/korap/config/TestHelper.java
index a2b9d72..765e8f4 100644
--- a/full/src/test/java/de/ids_mannheim/korap/config/TestHelper.java
+++ b/full/src/test/java/de/ids_mannheim/korap/config/TestHelper.java
@@ -34,6 +34,7 @@
 import de.ids_mannheim.korap.handlers.ResourceDao;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
 import de.ids_mannheim.korap.interfaces.EntityHandlerIface;
+import de.ids_mannheim.korap.interfaces.KustvaktBaseDaoInterface;
 import de.ids_mannheim.korap.interfaces.db.PersistenceClient;
 import de.ids_mannheim.korap.resources.KustvaktResource;
 import de.ids_mannheim.korap.user.User;
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/FilterTest.java b/full/src/test/java/de/ids_mannheim/korap/web/FilterTest.java
index 7dcfa32..64000cc 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/FilterTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/FilterTest.java
@@ -13,8 +13,8 @@
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
 import de.ids_mannheim.korap.config.TestHelper;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 
 /** EM: fix tests. new DB does not save users.
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/OAuth2HandlerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/OAuth2HandlerTest.java
index 52c266e..a8742fa 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/OAuth2HandlerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/OAuth2HandlerTest.java
@@ -15,7 +15,7 @@
 import de.ids_mannheim.korap.handlers.OAuth2Handler;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
 import de.ids_mannheim.korap.interfaces.db.PersistenceClient;
-import de.ids_mannheim.korap.user.TokenContext;
+import de.ids_mannheim.korap.security.context.TokenContext;
 
 /**
  * EM: To do: not implemented in the new DB yet
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/AuthenticationControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/AuthenticationControllerTest.java
index 79aa8fe..abdb3f3 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/AuthenticationControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/AuthenticationControllerTest.java
@@ -17,8 +17,8 @@
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.authentication.http.TransferEncoding;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
 import de.ids_mannheim.korap.config.TestHelper;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.user.User;
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index 26a11bc..97cce38 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -1,34 +1,54 @@
 package de.ids_mannheim.korap.web.controller;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 
 import org.apache.http.entity.ContentType;
 import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import com.google.common.net.HttpHeaders;
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.ClientResponse.Status;
 
+import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
+import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.SpringJerseyTest;
-import de.ids_mannheim.korap.constant.ClientType;
+import de.ids_mannheim.korap.constant.OAuth2ClientType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.input.OAuth2ClientJson;
 
 public class OAuth2ClientControllerTest extends SpringJerseyTest {
 
+    @Autowired
+    private HttpAuthorizationHandler handler;
+    private String username = "OAuth2ClientControllerTest";
+    
     @Test
     public void testRegisterClient () throws KustvaktException {
 
         OAuth2ClientJson json = new OAuth2ClientJson();
-        json.setName("OAuth2ClientControllerTest");
-        json.setType(ClientType.CONFIDENTIAL);
+        json.setName("OAuth2ClientTest");
+        json.setType(OAuth2ClientType.CONFIDENTIAL);
         json.setUrl("http://example.client.com");
         json.setRedirectURI("http://example.client.com/redirect");
 
-        ClientResponse response = resource().path("client").path("register")
+        ClientResponse response = resource().path("oauth2").path("client")
+                .path("register")
+                .header(Attributes.AUTHORIZATION,
+                        handler.createBasicAuthorizationHeaderValue(username,
+                                "pass"))
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
                 .entity(json).post(ClientResponse.class);
 
+        String entity = response.getEntity(String.class);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
+        
+        JsonNode node = JsonUtils.readTree(entity);
+        assertNotNull(node.at("/client_id").asText());
+        assertNotNull(node.at("/client_secret").asText());
     }
 }
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2EndpointTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2EndpointTest.java
index 4cf05dc..95d3d38 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2EndpointTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2EndpointTest.java
@@ -16,8 +16,8 @@
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.authentication.http.TransferEncoding;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
 import de.ids_mannheim.korap.config.TestHelper;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.FastJerseyTest;
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/QuerySerializationControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/QuerySerializationControllerTest.java
index 138ca08..abd743b 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/QuerySerializationControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/QuerySerializationControllerTest.java
@@ -21,7 +21,7 @@
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.FastJerseyTest;
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceControllerTest.java
index ef47198..6a0bb64 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceControllerTest.java
@@ -19,7 +19,7 @@
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.handlers.ResourceDao;
 import de.ids_mannheim.korap.resources.KustvaktResource;
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java
index 2a43ec4..e96e523 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java
@@ -14,7 +14,7 @@
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.TokenType;
+import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.FastJerseyTest;
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
index 7ef7361..956ae6e 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
@@ -29,8 +29,8 @@
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.AuthenticationScheme;
 import de.ids_mannheim.korap.config.SpringJerseyTest;
+import de.ids_mannheim.korap.constant.AuthenticationScheme;
 import de.ids_mannheim.korap.constant.VirtualCorpusType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;