diff --git a/modules/auth/graph/resolvers/apps.js b/modules/auth/graph/resolvers/apps.js
index 082e6a389..3ea8535d7 100644
--- a/modules/auth/graph/resolvers/apps.js
+++ b/modules/auth/graph/resolvers/apps.js
@@ -3,26 +3,41 @@ const appRoot = require( 'app-root-path' )
 const { getApp } = require( '../../services/apps' )
 
 const { createAppToken } = require( `${appRoot}/modules/core/services/tokens` )
-const { createAuthorizationCode, exchangeAuthorizationCodeForToken } = require( `../../services/apps` )
+const { createApp, updateApp, deleteApp, createAuthorizationCode, exchangeAuthorizationCodeForToken } = require( `../../services/apps` )
 const { validateServerRole, validateScopes, authorizeResolver } = require( `${appRoot}/modules/shared` )
 const { authStrategies } = require( '../../index' )
 
 module.exports = {
   Query: {
+
     async app( parent, args, context, info ) {
-      // TODO: check authorization
-      // If user === owner, return full app, otherwise delete the secret!
+
       let app = await getApp( { id: args.id } )
       return app
+
+    },
+
+    async apps( parent, args, context, info ) {
+
+      // TODO: Get all public server apps
+
     }
+
   },
+
   ServerApp: {
+
     secret( parent, args, context, info ) {
-      if ( parent.author.id === context.user.id )
+
+      if ( context.auth && parent.author && parent.author.id && parent.author.id === context.userId )
         return parent.secret
-      return 'App secrets are only revealed to their author.'
+
+      return 'App secrets are only revealed to their author 😉'
+
     }
+
   },
+
   User: {
     async authorizedApps( parent, args, context, info ) {
       // TODO
@@ -32,12 +47,18 @@ module.exports = {
     }
   },
   Mutation: {
+
     async appCreate( parent, args, context, info ) {
 
+      let { id } = await createApp( { ...args.app, authorId: context.userId } )
+      return id
+
     },
+
     async appUpdate( parent, args, context, info ) {
       // restrict to owner
     },
+
     async appDelete( parent, args, context, info ) {
       // TODO
       // restrict to owner
diff --git a/modules/auth/services/apps.js b/modules/auth/services/apps.js
index 69831148a..08ec4b712 100644
--- a/modules/auth/services/apps.js
+++ b/modules/auth/services/apps.js
@@ -18,18 +18,21 @@ const RefreshTokens = ( ) => knex( 'refresh_tokens' )
 let allScopes = null
 
 module.exports = {
+
   async getApp( { id } ) {
+
     if ( allScopes === null ) allScopes = await Scopes( ).select( '*' )
 
     let app = await ServerApps( ).select( '*' ).where( { id: id } ).first( )
     let appScopeNames = ( await ServerAppsScopes( ).select( 'scopeName' ).where( { appId: id } ) ).map( s => s.scopeName )
     app.scopes = allScopes.filter( scope => appScopeNames.indexOf( scope.name ) !== -1 )
-
-    app.author = await Users( ).select( 'id', 'name' ).where( { id: app.authorId } )
+    app.author = await Users( ).select( 'id', 'name' ).where( { id: app.authorId } ).first( )
     return app
+
   },
 
   async createApp( app ) {
+
     app.id = crs( { length: 10 } )
     app.secret = crs( { length: 10 } )
 
@@ -45,6 +48,7 @@ module.exports = {
     await ServerApps( ).insert( app )
     await ServerAppsScopes( ).insert( scopes.map( s => ( { appId: app.id, scopeName: s } ) ) )
     return { id: app.id, secret: app.secret }
+
   },
 
   async updateApp( { app } ) {