diff --git a/cmd/dkl-local-server/auth.go b/cmd/dkl-local-server/auth.go
index 0ad4db9..d52d8cd 100644
--- a/cmd/dkl-local-server/auth.go
+++ b/cmd/dkl-local-server/auth.go
@@ -13,8 +13,7 @@ func authorizeAdmin(r *http.Request) bool {
 
 func authorizeToken(r *http.Request, token string) bool {
 	if token == "" {
-		// access is open
-		return true
+		return false
 	}
 
 	reqToken := r.Header.Get("Authorization")
@@ -30,9 +29,9 @@ func forbidden(w http.ResponseWriter, r *http.Request) {
 	http.Error(w, "Forbidden", http.StatusForbidden)
 }
 
-func requireToken(token string, handler http.Handler) http.Handler {
+func requireToken(token *string, handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		if !authorizeToken(req, token) {
+		if !authorizeToken(req, *token) {
 			forbidden(w, req)
 			return
 		}
@@ -41,5 +40,5 @@ func requireToken(token string, handler http.Handler) http.Handler {
 }
 
 func requireAdmin(handler http.Handler) http.Handler {
-	return requireToken(adminToken, handler)
+	return requireToken(&adminToken, handler)
 }
diff --git a/html/ui/index.html b/html/ui/index.html
index 865568f..e4ae229 100644
--- a/html/ui/index.html
+++ b/html/ui/index.html
@@ -64,9 +64,9 @@
     <p v-if="!session.token">Not logged in.</p>
     <p v-else>Invalid token</p>
 
-    <form @submit="setToken">
-        <input type="password" v-model="forms.setToken" required placeholder="Token" />
-        <input type="submit" value="set token"/>
+    <form @submit="unlockStore">
+        <input type="password" v-model="forms.store.pass1" required placeholder="Passphrase" />
+        <input type="submit" value="log in"/>
     </form>
 </template>
 <template v-else>