diff --git a/Dockerfile b/Dockerfile
index 9839357..e725cb7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,3 +12,4 @@ COPY . /usr/src/app
 CMD [ "yarn", "start" ]
 EXPOSE 7777
+EXPOSE 9229
diff --git a/docker-compose.yml b/docker-compose.yml
index 2063214..608fa01 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,7 @@ services:
     env_file: .env
     ports:
       - "7777:7777"
+      - "9229:9229"
     volumes:
       - ".:/usr/src/app"
     command: "yarn run start:dev"
diff --git a/package.json b/package.json
index 52ffd51..23e4790 100644
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@
     "dotenv": "^4.0.0",
     "express": "^4.14.0",
     "express-session": "^1.15.6",
+    "jsonwebtoken": "^8.1.0",
     "nodemon": "^1.11.0",
     "passport": "^0.4.0",
     "passport-google-oauth20": "^1.0.0",
@@ -50,7 +51,7 @@
   },
   "scripts": {
     "start": "node server.js",
-    "start:dev": "nodemon -V --ignore 'data/*' --ignore 'Profile' --ignore 'static/application.min.js' server.js < /dev/null",
+    "start:dev": "nodemon -V --ignore 'data/*' --ignore 'Profile' --ignore 'static/application.min.js' --inspect=0.0.0.0:9229 server.js < /dev/null",
     "test": "mocha -r should spec/*"
   }
 }
diff --git a/server.js b/server.js
index 6894bbe..101ca76 100644
--- a/server.js
+++ b/server.js
@@ -12,6 +12,7 @@ var query = require('connect-query');
 var express = require('express')
 var connectEnsureLogin = require('connect-ensure-login');
 var session = require('express-session')
+var jwt = require('jsonwebtoken')
 require('dotenv').config();
 
 var DocumentHandler = require('./lib/document_handler');
@@ -23,6 +24,7 @@ config.host = process.env.HOST || config.host || 'localhost';
 config.secret = process.env.SECRET || '43rndsafdsakf;djsafkdsarf';
 config.scheme = process.env.SCHEME || config.scheme || 'https'
 config.origin = config.scheme + '://' + config.host + ":" + config.port + "/";
+config.restrict_domain = process.env.RESTRICT_DOMAIN
 
 // Set up the loggergg
 if (config.logging) {
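Review bot: `--inspect=0.0.0.0:9229` in the new `start:dev` script binds the Node inspector to every interface in the container, and the new `- "9229:9229"` entry in docker-compose.yml publishes that port on every host interface as well (the Dockerfile `EXPOSE 9229` documents the same port). The inspector protocol carries no authentication of its own, so anything that can reach the host on 9229 can attach a debugger to the process, which holds the Google client secret and session secret loaded from `.env`. Keep the container-side bind if nodemon needs it, but publish the port on loopback only, `- "127.0.0.1:9229:9229"`, so the debugger is reachable from the developer's machine and not from the network. If remote debugging is genuinely required, forward the loopback port over SSH rather than widening the bind.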
@@ -122,25 +124,33 @@ if (config.rateLimits) {
 
 var GoogleStrategy = require('passport-google-oauth20').Strategy;
-var OAUTH_SCOPE = ['profile']
+var OAUTH_SCOPE = ['profile', 'email', 'openid']
 
 passport.serializeUser(function(user, cb) {
-  winston.info('serialize', user)
   cb(null, user);
 });
 
 passport.deserializeUser(function(obj, cb) {
-  winston.info('deserialize', obj)
   cb(null, obj);
 });
 
 passport.use(new GoogleStrategy({
     clientID: process.env.GOOGLE_CLIENT_ID,
     clientSecret: process.env.GOOGLE_CLIENT_SECRET,
-    callbackURL: config.origin + 'auth/google/callback'
+    callbackURL: config.origin + 'auth/google/callback',
   },
-  function(accessToken, refreshToken, profile, cb) {
-    winston.info(profile);
+  //function(accessToken, refreshToken, profile, cb) {
+  function( accessToken, refreshToken, params, profile, cb){
+    if (! params.id_token ){
+      winston.error("no id_token in response")
+      return
+    }
+    var jwtObject = jwt.decode(params.id_token)
+    if(! (jwtObject && jwtObject.hd && matchDomain(jwtObject.hd)) ){
+      // domain doesn't validate
+      winston.info("domain does not validate")
+      return cb('Your domain is not permitted')
+    }
     return cb(null, profile);
   }
 ));
@@ -187,6 +197,10 @@ router.get('/users/me', ensureAuthenticatedAPI, function(req, res, next) {
   return res.json(req.user);
 });
 
+function matchDomain(domain){
+  var pattern = new RegExp(config.restrict_domain)
+  return pattern.test(domain)
+}
 function ensureAuthenticatedWeb(req, res, next) {
   if (req.isAuthenticated()) {
     return next();
diff --git a/yarn.lock b/yarn.lock
index 5270f7b..5ae7088 100644
--- a/yarn.lock
+++ b/yarn.lock
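Review bot: The `if (! params.id_token )` branch of the new verify callback returns without ever calling `cb`, so a token response that lacks an `id_token` leaves the login request hanging instead of failing it; change it to `return cb(new Error('no id_token in response'))`. The domain-rejection path passes a bare string to `cb`, which passport reports as a server error rather than a refused login; `return cb(null, false, { message: 'Your domain is not permitted' })` is the form for an authentication failure, and `cb(new Error(...))` the form if it is meant to be an error. `jwt.decode` only parses the token and performs no signature check, which is tolerable here solely because `params` arrives from Google's token endpoint over TLS in the client-secret exchange; record that with a comment such as `// id_token comes straight from the token endpoint (TLS, client-secret exchange), so decode without verification is acceptable here; never reuse this for a token supplied by the browser`. The commented-out previous signature line `//function(accessToken, refreshToken, profile, cb) {` should be deleted rather than left as dead code.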
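Review bot: `matchDomain` fails open: `config.restrict_domain` is assigned from `process.env.RESTRICT_DOMAIN` in the earlier server.js hunk with no default, so when the variable is unset `new RegExp(undefined)` becomes the empty pattern and `pattern.test(domain)` is true for every hosted domain, admitting any Google Workspace account. The pattern is also used verbatim and unanchored, so a value such as `example.com` also matches `example.community` or `myexample.com`, with `.` matching any character. Unless a pattern is genuinely wanted, compare the `hd` claim for exact equality and reject when the restriction is missing, as below.
```javascript
function matchDomain(domain){
  // Exact, case-insensitive comparison with RESTRICT_DOMAIN. A missing value
  // must reject rather than admit every hosted domain.
  if (!config.restrict_domain) {
    winston.error('RESTRICT_DOMAIN is not set; refusing all domains')
    return false
  }
  return String(domain).toLowerCase() === config.restrict_domain.toLowerCase()
}
```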
@@ -118,6 +118,10 @@ balanced-match@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767" +base64url@2.0.0, base64url@^2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/base64url/-/base64url-2.0.0.tgz#eac16e03ea1438eff9423d69baa36262ed1f70bb" + bcrypt-pbkdf@^1.0.0: version "1.0.1" resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.1.tgz#63bc5dcb61331b92bc05fd528953c33462a06f8d" @@ -192,6 +196,10 @@ browser-stdout@1.3.0: version "1.3.0" resolved "https://registry.yarnpkg.com/browser-stdout/-/browser-stdout-1.3.0.tgz#f351d32969d32fa5d7a5567154263d928ae3bd1f" +buffer-equal-constant-time@1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz#f8e71132f7ffe6e01a5c9697a4c6f3e48d5cc819" + busboy@0.2.14: version "0.2.14" resolved "https://registry.yarnpkg.com/busboy/-/busboy-0.2.14.tgz#6c2a622efcf47c57bbbe1e2a9c37ad36c7925453" @@ -458,6 +466,13 @@ ecc-jsbn@~0.1.1: dependencies: jsbn "~0.1.0" +ecdsa-sig-formatter@1.0.9: + version "1.0.9" + resolved "https://registry.yarnpkg.com/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.9.tgz#4bc926274ec3b5abb5016e7e1d60921ac262b2a1" + dependencies: + base64url "^2.0.0" + safe-buffer "^5.0.1" + ee-first@1.1.1: version "1.1.1" resolved "https://registry.yarnpkg.com/ee-first/-/ee-first-1.1.1.tgz#590c61156b0ae2f4f0255732a158b266bc56b21d" 
@@ -999,6 +1014,21 @@ jsonify@~0.0.0: version "0.0.0" resolved "https://registry.yarnpkg.com/jsonify/-/jsonify-0.0.0.tgz#2c74b6ee41d93ca51b7b5aaee8f503631d252a73" +jsonwebtoken@^8.1.0: + version "8.1.0" + resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-8.1.0.tgz#c6397cd2e5fd583d65c007a83dc7bb78e6982b83" + dependencies: + jws "^3.1.4" + lodash.includes "^4.3.0" + lodash.isboolean "^3.0.3" + lodash.isinteger "^4.0.4" + lodash.isnumber "^3.0.3" + lodash.isplainobject "^4.0.6" + lodash.isstring "^4.0.1" + lodash.once "^4.0.0" + ms "^2.0.0" + xtend "^4.0.1" + jsprim@^1.2.2: version "1.4.1" resolved "https://registry.yarnpkg.com/jsprim/-/jsprim-1.4.1.tgz#313e66bc1e5cc06e438bc1b7499c2e5c56acb6a2" @@ -1008,6 +1038,23 @@ jsprim@^1.2.2: json-schema "0.2.3" verror "1.10.0" +jwa@^1.1.4: + version "1.1.5" + resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.1.5.tgz#a0552ce0220742cd52e153774a32905c30e756e5" + dependencies: + base64url "2.0.0" + buffer-equal-constant-time "1.0.1" + ecdsa-sig-formatter "1.0.9" + safe-buffer "^5.0.1" + +jws@^3.1.4: + version "3.1.4" + resolved "https://registry.yarnpkg.com/jws/-/jws-3.1.4.tgz#f9e8b9338e8a847277d6444b1464f61880e050a2" + dependencies: + base64url "^2.0.0" + jwa "^1.1.4" + safe-buffer "^5.0.1" + kind-of@^3.0.2: version "3.2.2" resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64" @@ -1072,6 +1119,10 @@ lodash.defaults@^3.1.2: lodash.assign "^3.0.0" lodash.restparam "^3.0.0" +lodash.includes@^4.3.0: + version "4.3.0" + resolved "https://registry.yarnpkg.com/lodash.includes/-/lodash.includes-4.3.0.tgz#60bb98a87cb923c68ca1e51325483314849f553f" + lodash.isarguments@^3.0.0: version "3.1.0" resolved "https://registry.yarnpkg.com/lodash.isarguments/-/lodash.isarguments-3.1.0.tgz#2f573d85c6a24289ff00663b491c1d338ff3458a" 
@@ -1080,6 +1131,26 @@ lodash.isarray@^3.0.0: version "3.0.4" resolved "https://registry.yarnpkg.com/lodash.isarray/-/lodash.isarray-3.0.4.tgz#79e4eb88c36a8122af86f844aa9bcd851b5fbb55" +lodash.isboolean@^3.0.3: + version "3.0.3" + resolved "https://registry.yarnpkg.com/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz#6c2e171db2a257cd96802fd43b01b20d5f5870f6" + +lodash.isinteger@^4.0.4: + version "4.0.4" + resolved "https://registry.yarnpkg.com/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz#619c0af3d03f8b04c31f5882840b77b11cd68343" + +lodash.isnumber@^3.0.3: + version "3.0.3" + resolved "https://registry.yarnpkg.com/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz#3ce76810c5928d03352301ac287317f11c0b1ffc" + +lodash.isplainobject@^4.0.6: + version "4.0.6" + resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz#7c526a52d89b45c45cc690b88163be0497f550cb" + +lodash.isstring@^4.0.1: + version "4.0.1" + resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451" + lodash.keys@^3.0.0: version "3.1.2" resolved "https://registry.yarnpkg.com/lodash.keys/-/lodash.keys-3.1.2.tgz#4dbc0472b156be50a0b286855d1bd0b0c656098a" @@ -1088,6 +1159,10 @@ lodash.keys@^3.0.0: lodash.isarguments "^3.0.0" lodash.isarray "^3.0.0" +lodash.once@^4.0.0: + version "4.1.1" + resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac" + lodash.restparam@^3.0.0: version "3.6.1" resolved "https://registry.yarnpkg.com/lodash.restparam/-/lodash.restparam-3.6.1.tgz#936a4e309ef330a7645ed4145986c85ae5b20805" @@ -1192,7 +1267,7 @@ mocha@*: mkdirp "0.5.1" supports-color "4.4.0" -ms@2.0.0: +ms@2.0.0, ms@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8" 
@@ -1999,6 +2074,10 @@ xdg-basedir@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-3.0.0.tgz#496b2cc109eca8dbacfe2dc72b603c17c5870ad4" +xtend@^4.0.1: + version "4.0.1" + resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af" + yallist@^2.1.2: version "2.1.2" resolved "https://registry.yarnpkg.com/yallist/-/yallist-2.1.2.tgz#1c11f9218f076089a47dd512f93c6699a6a81d52"