diff --git a/web/backend/kioubit_verify.py b/web/backend/kioubit_verify.py
index 69a7a63..138f91b 100644
--- a/web/backend/kioubit_verify.py
+++ b/web/backend/kioubit_verify.py
@@ -43,12 +43,16 @@ class AuthVerifyer ():
 user_data = json.loads(base64.b64decode(params))
 if (time.time() - user_data["time"]) > 60:
 return False, "Signature to old"
+ elif user_data["domain"] != self.domain:
+ return False, "invalid domain"
 except json.decoder.JSONDecodeError:
 # we shouldn't get here unless kioubit's service is misbehaving
 return False, "invalid JSON"
 except KeyError:
 return False, "value not found in JSON"
 logging.debug(user_data)
+ # use mnt[0] as mnt
+ user_data["mnt"] = user_data["mnt"][0]
 return True, user_data
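Review bot: The added `user_data["mnt"] = user_data["mnt"][0]` appears to sit after the try/except rather than inside it (indentation is lost in this view, so confirm). If so, a payload without `mnt` raises an uncaught KeyError, an empty list raises IndexError, and a string value is silently cut down to its first character, which changes the identity handed back to the caller. Check the shape before indexing, for example `mnt = user_data.get("mnt")` followed by `if not isinstance(mnt, list) or not mnt: return False, "invalid mnt"`, and only then assign `mnt[0]`. The new `domain` comparison is a useful binding check, but the signature verification is not visible in this hunk, so confirm it runs before either field is trusted. The method body starts and ends outside the hunk.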