diff --git a/src/commonMain/kotlin/net.sergeych.superlogin/api.kt b/src/commonMain/kotlin/net.sergeych.superlogin/api.kt
index d39f5c7..4bb2892 100644
--- a/src/commonMain/kotlin/net.sergeych.superlogin/api.kt
+++ b/src/commonMain/kotlin/net.sergeych.superlogin/api.kt
@@ -2,6 +2,7 @@ package net.sergeych.superlogin
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import net.sergeych.boss_serialization_mp.decodeBoss
 import net.sergeych.parsec3.CommandHost
 import net.sergeych.parsec3.WithAdapter
 import net.sergeych.unikrypto.PublicKey
@@ -16,7 +17,17 @@ data class RegistrationArgs(
     val restoreId: ByteArray,
     val packedACO: ByteArray,
     val extraData: ByteArray? = null
-)
+) {
+    fun toSuccess(loginToken: ByteArray,extraData: ByteArray? = this.extraData): AuthenticationResult.Success {
+        return AuthenticationResult.Success(
+            loginName, loginToken, extraData
+        )
+    }
+
+    inline fun <reified T>decodeOrNull(): T? = extraData?.let { it.decodeBoss() }
+    inline fun <reified T>decodeOrThrow(): T = extraData?.let { it.decodeBoss() }
+        ?: throw IllegalArgumentException("missing require extra data of type ${T::class.simpleName}")
+}
 
 @Serializable
 sealed class AuthenticationResult {
@@ -61,14 +72,15 @@ class LoginByPasswordPayload(
 @Serializable
 class ChangePasswordArgs(
     val loginName: String,
-    val packedSignedRecord: ByteArray
+    val packedSignedRecord: ByteArray,
 )
 
 @Serializable
 class ChangePasswordPayload(
     val packedACO: ByteArray,
     val passwordDerivationParams: PasswordDerivationParams,
-    val newLoginKey: PublicKey
+    val newLoginKey: PublicKey,
+    val newLoginId: ByteArray
 )
 
 
diff --git a/src/commonMain/kotlin/net.sergeych.superlogin/client/SuperloginClient.kt b/src/commonMain/kotlin/net.sergeych.superlogin/client/SuperloginClient.kt
index bc9c373..5e84450 100644
--- a/src/commonMain/kotlin/net.sergeych.superlogin/client/SuperloginClient.kt
+++ b/src/commonMain/kotlin/net.sergeych.superlogin/client/SuperloginClient.kt
@@ -310,7 +310,7 @@ class SuperloginClient<D, S : WithAdapter>(
                 serverApi.slChangePasswordAndLogin, ChangePasswordArgs(
                     aco.payload.login,
                     SignedRecord.pack(aco.payload.loginPrivateKey,
-                        ChangePasswordPayload(newAco.packed,params,newLoginKey.await().publicKey),
+                        ChangePasswordPayload(newAco.packed,params,newLoginKey.await().publicKey,keys.loginId),
                         deferredNonce.await())
                 )
             )
diff --git a/src/jvmMain/kotlin/net/sergeych/superlogin/server/SLServerSession.kt b/src/jvmMain/kotlin/net/sergeych/superlogin/server/SLServerSession.kt
index 3da5200..0f888eb 100644
--- a/src/jvmMain/kotlin/net/sergeych/superlogin/server/SLServerSession.kt
+++ b/src/jvmMain/kotlin/net/sergeych/superlogin/server/SLServerSession.kt
@@ -94,9 +94,10 @@ abstract class SLServerSession<T> : WithAdapter() {
      */
     abstract suspend fun updateAccessControlData(
         loginName: String,
-        packedData: ByteArray,
+        packedACO: ByteArray,
         passwordDerivationParams: PasswordDerivationParams,
-        newLoginKey: PublicKey
+        newLoginKey: PublicKey,
+        newLoginId: ByteArray
     )
 }
 
diff --git a/src/jvmMain/kotlin/net/sergeych/superlogin/server/SuperloginServer.kt b/src/jvmMain/kotlin/net/sergeych/superlogin/server/SuperloginServer.kt
index 377ee1e..a17a34a 100644
--- a/src/jvmMain/kotlin/net/sergeych/superlogin/server/SuperloginServer.kt
+++ b/src/jvmMain/kotlin/net/sergeych/superlogin/server/SuperloginServer.kt
@@ -156,7 +156,8 @@ inline fun <reified D, T : SLServerSession<D>, H : CommandHost<T>> AdapterBuilde
                     args.loginName,
                     payload.packedACO,
                     payload.passwordDerivationParams,
-                    payload.newLoginKey
+                    payload.newLoginKey,
+                    payload.newLoginId
                 )
                 println(">> ${loginResult.loginToken} -- !")
             }
diff --git a/src/jvmTest/kotlin/net/sergeych/WsServerKtTest.kt b/src/jvmTest/kotlin/net/sergeych/WsServerKtTest.kt
index b555203..9c90144 100644
--- a/src/jvmTest/kotlin/net/sergeych/WsServerKtTest.kt
+++ b/src/jvmTest/kotlin/net/sergeych/WsServerKtTest.kt
@@ -72,18 +72,22 @@ data class TestSession(var buzz: String = "BuZZ") : SLServerSession<TestData>()
 
     override suspend fun updateAccessControlData(
         loginName: String,
-        packedData: ByteArray,
+        packedACO: ByteArray,
         passwordDerivationParams: PasswordDerivationParams,
         newLoginKey: PublicKey,
+        newLoginId: ByteArray
     ) {
-        val r = byLogin[loginName]?.copy(
-            packedACO = packedData,
+        val r = byLogin[loginName]?.also {
+           byLoginId.remove(it.loginId.toList())
+        }?.copy(
+            packedACO = packedACO,
             derivationParams = passwordDerivationParams,
-            loginPublicKey = newLoginKey
+            loginPublicKey = newLoginKey,
+            loginId = newLoginId
         )
             ?: throw RuntimeException("login not found")
         byLogin[loginName] = r
-        byLoginId[r.loginId.toList()] = r
+        byLoginId[newLoginId.toList()] = r
         byToken[currentLoginToken!!.toList()] = r
         byRestoreId[r.restoreId.toList()] = r
     }