diff --git a/app/handle-event.go b/app/handle-event.go
index 3c7852b..50f5d73 100644
--- a/app/handle-event.go
+++ b/app/handle-event.go
@@ -56,21 +56,13 @@ func (l *Listener) HandleEvent(msg []byte) (err error) {
 }
 return
 }
- // // send a challenge to the client to auth if an ACL is active and not authed
- // if acl.Registry.Active.Load() != "none" && l.authedPubkey.Load() == nil {
- // log.D.F("sending challenge to %s", l.remote)
- // if err = authenvelope.NewChallengeWith(l.challenge.Load()).
- // Write(l); chk.E(err) {
- // // return
- // }
- // // ACL is enabled so return and wait for auth
- // // return
- // }
 // check permissions of user
 accessLevel := acl.Registry.GetAccessLevel(l.authedPubkey.Load())
 switch accessLevel {
 case "none":
- log.D.F("handle event: sending CLOSED to %s", l.remote)
+ log.D.F(
+ "handle event: sending 'OK,false,auth-required...' to %s", l.remote,
+ )
 if err = okenvelope.NewFrom(
 env.Id(), false,
 reason.AuthRequired.F("auth required for write access"),
@@ -84,17 +76,20 @@ func (l *Listener) HandleEvent(msg []byte) (err error) {
 }
 return
 case "read":
- log.D.F("handle event: sending CLOSED to %s", l.remote)
+ log.D.F(
+ "handle event: sending 'OK,false,auth-required:...' to %s",
+ l.remote,
+ )
 if err = okenvelope.NewFrom(
 env.Id(), false,
 reason.AuthRequired.F("auth required for write access"),
 ).Write(l); chk.E(err) {
- // return
+ return
 }
 log.D.F("handle event: sending challenge to %s", l.remote)
 if err = authenvelope.NewChallengeWith(l.challenge.Load()).
 Write(l); chk.E(err) {
- // return
+ return
 }
 return
 default:
diff --git a/app/handle-req.go b/app/handle-req.go
index 9f0f264..fdd1360 100644
--- a/app/handle-req.go
+++ b/app/handle-req.go
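Review bot: The two new debug strings disagree: the `case "none"` message here reads `auth-required...` while the `case "read"` message in the next hunk reads `auth-required:...`, and the `l.remote` argument is wrapped differently in each. Both branches send the same OK/false/auth-required reply, so one identical format string, `"handle event: sending 'OK,false,auth-required:...' to %s"`, would keep log searches for rejected writes from matching only one branch. The rest of the `case "none"` branch lies outside this hunk.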
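Review bot: The `case "read"` branch replies with `reason.AuthRequired` and an AUTH challenge even though the access level was computed from `l.authedPubkey.Load()`, so a client already authenticated with a read-only key would presumably be told to authenticate again. NIP-42 distinguishes `auth-required:` (no AUTH performed yet) from `restricted:` (authenticated but not permitted). If "read" can be returned for an authenticated pubkey, this branch should test `l.authedPubkey.Load() == nil` before challenging and otherwise answer with a restricted reason and no challenge. Whether the ACL returns "read" for unauthenticated connections is not visible here, so confirm against the ACL implementation. `HandleEvent` begins and ends outside the hunk.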
@@ -32,33 +32,11 @@ func (l *Listener) HandleReq(msg []byte) (
 if len(rem) > 0 {
 log.I.F("extra '%s'", rem)
 }
- // // send a challenge to the client to auth if an ACL is active and not authed
- // if acl.Registry.Active.Load() != "none" && l.authedPubkey.Load() == nil {
- // log.D.F("sending challenge to %s", l.remote)
- // if err = authenvelope.NewChallengeWith(l.challenge.Load()).
- // Write(l); chk.E(err) {
- // // return
- // }
- // log.D.F("sending CLOSED to %s", l.remote)
- // if err = closedenvelope.NewFrom(
- // env.Subscription, reason.AuthRequired.F("auth required for access"),
- // ).Write(l); chk.E(err) {
- // return
- // }
- // // ACL is enabled so return and wait for auth
- // // return
- // }
 // send a challenge to the client to auth if an ACL is active
 if acl.Registry.Active.Load() != "none" {
- // log.D.F("sending CLOSED to %s", l.remote)
- // if err = closedenvelope.NewFrom(
- // env.Subscription, reason.AuthRequired.F("auth required for access"),
- // ).Write(l); chk.E(err) {
- // // return
- // }
 if err = authenvelope.NewChallengeWith(l.challenge.Load()).
 Write(l); chk.E(err) {
- // return
+ return
 }
 }
 // check permissions of user
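Review bot: The challenge is written on every REQ while an ACL is active, because `if acl.Registry.Active.Load() != "none" {` has no counterpart to the `l.authedPubkey.Load() == nil` test that the deleted commented-out variant carried. With the new `return` on write failure, an already-authenticated client can also have its REQ aborted over a challenge it did not need. If re-challenging authenticated connections is not intended, the condition could be `if acl.Registry.Active.Load() != "none" && l.authedPubkey.Load() == nil {`. Otherwise the comment above it should say that the repeat challenge is deliberate. `HandleReq` begins and ends outside the hunk.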