diff --git a/pkg/auth/session.go b/pkg/auth/session.go
index a5e9f12..301b182 100644
--- a/pkg/auth/session.go
+++ b/pkg/auth/session.go
@@ -34,6 +34,10 @@ type RefreshToken struct {
 	Version               *string             `json:"version"`
 }
 
+func (rt *RefreshToken) IsValid() bool {
+	return rt.JWTKey != ""
+}
+
 type AccessSessionStore struct {
 	s        map[AccessTokenID]*AccessToken
 	lastCull time.Time
diff --git a/pkg/auth/store.go b/pkg/auth/store.go
index 46d1513..2245072 100644
--- a/pkg/auth/store.go
+++ b/pkg/auth/store.go
@@ -69,6 +69,22 @@ func (a *Authenticator) newAuthStore(s storage.Store) (as *authStore, err error)
 		}
 	}
 
+	// remove invalid RefreshTokens
+	i := 0
+	for _, rt := range as.Refresh {
+		if rt.IsValid() {
+			as.Refresh[i] = rt
+			i++
+		}
+	}
+
+	// don't leak memory
+	for j := i; j < len(as.Refresh); j++ {
+		as.Refresh[j] = RefreshToken{}
+	}
+
+	as.Refresh = as.Refresh[:i]
+
 	return
 }
 
diff --git a/pkg/flow/flow.go b/pkg/flow/flow.go
index dd45b98..4877fc9 100644
--- a/pkg/flow/flow.go
+++ b/pkg/flow/flow.go
@@ -60,7 +60,7 @@ type (
 	}
 
 	Handler interface {
-		Base() FlowHandler
+		BaseHandler() FlowHandler
 		FlowID() FlowID
 
 		flowCtime() time.Time
@@ -105,7 +105,7 @@ type FlowHandler struct {
 
 func (f *FlowHandler) Step() Step { return f.curStep }
 
-func (f *FlowHandler) Base() FlowHandler { return *f }
+func (f *FlowHandler) BaseHandler() FlowHandler { return *f }
 
 func (f *FlowHandler) FlowID() FlowID {
 	return f.ID