diff --git a/config.example.ini b/config.example.ini
index 1f56856..cc7f57f 100644
--- a/config.example.ini
+++ b/config.example.ini
@@ -19,8 +19,15 @@ owner-email=sir@cmpwn.com
 # The source code for your fork of sr.ht
 source-url=https://git.sr.ht/~sircmpwn/srht
 #
-# A secret key to encrypt session cookies with
-secret-key=CHANGEME
+# A secret key to encrypt session cookies with. Use `srht-keygen service` to
+# generate this. This should be unique to each site, but shared among nodes of
+# that site. For example, git.sr.ht and hg.sr.ht have different keys, but
+# git1.sr.ht has the same key as git2.sr.ht.
+service-key=
+#
+# A secret key to encrypt internal messages with. Use `srht-keygen network` to
+# generate this. This should be consistent between all *.sr.ht sites and nodes.
+network-key=
 
 [mail]
 #
diff --git a/config.test.ini b/config.test.ini
index cb35fb7..32edbb2 100644
--- a/config.test.ini
+++ b/config.test.ini
@@ -4,6 +4,7 @@ owner-name=Drew DeVault
 owner-email=sir@cmpwn.com
 source-url=https://git.sr.ht/~sircmpwn/srht
 secret-key=
+network-key=
 
 [mail]
 smtp-host=
diff --git a/setup.py b/setup.py
index 80a53f3..da49f73 100755
--- a/setup.py
+++ b/setup.py
@@ -53,7 +53,6 @@ setup(
   url = 'https://todo.sr.ht/~sircmpwn/todo.sr.ht',
   install_requires = [
     'alembic',
-    'flask-login',
     'pystache',
     'redis',
     'srht',
diff --git a/todosrht/access.py b/todosrht/access.py
index a1ff981..3d5eadd 100644
--- a/todosrht/access.py
+++ b/todosrht/access.py
@@ -1,4 +1,4 @@
-from flask_login import current_user
+from srht.oauth import current_user
 from todosrht.types import User, Tracker, Ticket
 from todosrht.types import TicketAccess, UserAccess
 
diff --git a/todosrht/blueprints/html.py b/todosrht/blueprints/html.py
index 0a732bf..1c3784a 100644
--- a/todosrht/blueprints/html.py
+++ b/todosrht/blueprints/html.py
@@ -1,10 +1,10 @@
 from flask import Blueprint, render_template, request, abort
-from flask_login import current_user
 from todosrht.access import get_tracker, get_access
 from todosrht.tickets import get_participant_for_user
 from todosrht.types import Tracker, Ticket, Event, EventNotification, EventType
 from todosrht.types import User, Participant
 from srht.config import cfg
+from srht.oauth import current_user
 from srht.flask import paginate_query, session
 from sqlalchemy import and_, or_
 
diff --git a/todosrht/blueprints/settings.py b/todosrht/blueprints/settings.py
index 98ade74..f445ee1 100644
--- a/todosrht/blueprints/settings.py
+++ b/todosrht/blueprints/settings.py
@@ -3,12 +3,12 @@ import json
 import os
 from collections import OrderedDict
 from flask import Blueprint, render_template, request, url_for, abort, redirect
-from flask import send_file
-from flask_login import current_user
+from flask import current_app, send_file
 from srht.config import get_origin
 from srht.crypto import sign_payload
 from srht.database import db
-from srht.flask import date_handler, loginrequired, session
+from srht.oauth import current_user, loginrequired
+from srht.flask import date_handler, session
 from srht.validation import Validation
 from tempfile import NamedTemporaryFile
 from todosrht.access import get_tracker
@@ -141,7 +141,7 @@ def user_access_create_POST(owner, name):
         return render_tracker_access(tracker, **valid.kwargs), 400
 
     username = username.lstrip("~")
-    user = User.query.filter_by(username=username).one_or_none()
+    user = current_app.oauth_service.lookup_user(username)
     valid.expect(user, "User not found.", field="username")
     if not valid.ok:
         return render_tracker_access(tracker, **valid.kwargs), 400
diff --git a/todosrht/blueprints/ticket.py b/todosrht/blueprints/ticket.py
index 1a6ab0c..19a86d5 100644
--- a/todosrht/blueprints/ticket.py
+++ b/todosrht/blueprints/ticket.py
@@ -1,10 +1,9 @@
 import re
 from urllib.parse import quote
 from flask import Blueprint, render_template, request, abort, redirect
-from flask_login import current_user
 from srht.config import cfg
 from srht.database import db
-from srht.flask import loginrequired
+from srht.oauth import current_user, loginrequired
 from srht.validation import Validation
 from todosrht.access import get_tracker, get_ticket
 from todosrht.filters import invalidate_markup_cache
diff --git a/todosrht/blueprints/tracker.py b/todosrht/blueprints/tracker.py
index 2fbd047..637ec44 100644
--- a/todosrht/blueprints/tracker.py
+++ b/todosrht/blueprints/tracker.py
@@ -1,5 +1,4 @@
 from flask import Blueprint, render_template, request, url_for, abort, redirect
-from flask_login import current_user
 from todosrht.color import color_from_hex, color_to_hex, get_text_color
 from todosrht.color import valid_hex_color_code
 from todosrht.access import get_tracker
@@ -14,7 +13,8 @@ from todosrht.urls import tracker_url, ticket_url
 from todosrht.webhooks import TrackerWebhook, UserWebhook
 from srht.config import cfg
 from srht.database import db
-from srht.flask import paginate_query, loginrequired, session
+from srht.flask import paginate_query, session
+from srht.oauth import current_user, loginrequired
 from srht.validation import Validation
 from sqlalchemy.orm import subqueryload
 
diff --git a/todosrht/email.py b/todosrht/email.py
index 73e8c31..66e0fd1 100644
--- a/todosrht/email.py
+++ b/todosrht/email.py
@@ -2,9 +2,9 @@ import html.parser
 import os
 import pystache
 import textwrap
-from flask_login import current_user
 from srht.config import cfg, cfgi
 from srht.email import send_email, lookup_key
+from srht.oauth import current_user
 from todosrht.types import ParticipantType
 
 origin = cfg("todo.sr.ht", "origin")