diff --git a/app/controllers/api/v1/registrant/domains_controller.rb b/app/controllers/api/v1/registrant/domains_controller.rb
new file mode 100644
index 000000000..744692d80
--- /dev/null
+++ b/app/controllers/api/v1/registrant/domains_controller.rb
@@ -0,0 +1,41 @@
+require 'rails5_api_controller_backport'
+require 'auth_token/auth_token_decryptor'
+
+module Api
+ module V1
+ module Registrant
+ class DomainsController < ActionController::API
+ before_filter :authenticate
+
+ def index
+ registrant = ::Registrant.find_by(ident: current_user.registrant_ident)
+ unless registrant
+ render json: Domain.all
+ else
+ domains = Domain.where(registrant_id: registrant.id)
+ render json: domains
+ end
+ end
+
+ private
+
+ def bearer_token
+ pattern = /^Bearer /
+ header = request.headers['Authorization']
+ header.gsub(pattern, '') if header && header.match(pattern)
+ end
+
+ def authenticate
+ decryptor = AuthTokenDecryptor.create_with_defaults(bearer_token)
+ decryptor.decrypt_token
+
+ if decryptor.valid?
+ sign_in decryptor.user
+ else
+ render json: { error: "Not authorized" }, status: 403
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 2bc965a0f..3ae18a7cd 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -22,7 +22,8 @@ Rails.application.routes.draw do
 namespace :v1 do
 namespace :registrant do
 post 'auth/eid', to: 'auth#eid'
- post 'auth/username', to: 'auth#username'
+
+ resources :domains, only: [:index]
 end
 end
 end
diff --git a/lib/auth_token/auth_token_creator.rb b/lib/auth_token/auth_token_creator.rb
index 2272a3650..0597e0489 100644
--- a/lib/auth_token/auth_token_creator.rb
+++ b/lib/auth_token/auth_token_creator.rb
@@ -28,7 +28,7 @@ class AuthTokenCreator
 encryptor.encrypt
 encryptor.key = key
 encrypted_bytes = encryptor.update(hashable) + encryptor.final
- Base64.encode64(encrypted_bytes)
+ Base64.urlsafe_encode64(encrypted_bytes)
 end
 def token_in_hash
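Review bot: `index` falls back to `render json: Domain.all` when no `Registrant` matches `current_user.registrant_ident`, so any authenticated caller whose ident is not on file receives every domain in the system instead of none; the lookup-miss branch should return an empty result (or a 404), e.g. `render json: (registrant ? Domain.where(registrant_id: registrant.id) : Domain.none)`, which also does away with the `unless … else` form. In `bearer_token`, `/^Bearer /` is line-anchored rather than string-anchored and `gsub` is used to strip a single prefix; `/\ABearer /` with `sub` states the intent precisely. `authenticate` answers a missing or invalid token with 403, whereas 401 is the status for failed bearer authentication and lets clients distinguish it from an authorization denial. Whether `AuthTokenDecryptor.create_with_defaults` tolerates the `nil` that `bearer_token` returns when the header is absent is not visible in this commit and is worth confirming.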
diff --git a/lib/auth_token/auth_token_decryptor.rb b/lib/auth_token/auth_token_decryptor.rb
index 1f513bece..2af4be0a9 100644
--- a/lib/auth_token/auth_token_decryptor.rb
+++ b/lib/auth_token/auth_token_decryptor.rb
@@ -18,11 +18,11 @@ class AuthTokenDecryptor
 decipher.decrypt
 decipher.key = key
- base64_decoded = Base64.decode64(token)
+ base64_decoded = Base64.urlsafe_decode64(token)
 plain = decipher.update(base64_decoded) + decipher.final
 @decrypted_data = JSON.parse(plain, symbolize_names: true)
- rescue OpenSSL::Cipher::CipherError
+ rescue OpenSSL::Cipher::CipherError, ArgumentError
 false
 end
diff --git a/test/lib/auth_token/auth_token_creator_test.rb b/test/lib/auth_token/auth_token_creator_test.rb
index 4fab724c1..9d4cdd2c6 100644
--- a/test/lib/auth_token/auth_token_creator_test.rb
+++ b/test/lib/auth_token/auth_token_creator_test.rb
@@ -15,6 +15,7 @@ class AuthTokenCreatorTest < ActiveSupport::TestCase
 def test_hashable_is_constructed_as_expected
 expected_hashable = { user_ident: 'US-1234', user_username: 'Registrant User', expires_at: '2010-07-05 00:30:00 UTC' }.to_json + assert_equal(expected_hashable, @token_creator.hashable)
 end
@@ -23,7 +24,7 @@ class AuthTokenCreatorTest < ActiveSupport::TestCase
 encryptor.decrypt
 encryptor.key = @random_bytes
- base64_decoded = Base64.decode64(@token_creator.encrypted_token)
+ base64_decoded = Base64.urlsafe_decode64(@token_creator.encrypted_token)
 result = encryptor.update(base64_decoded) + encryptor.final
 hashable = { user_ident: 'US-1234', user_username: 'Registrant User',
diff --git a/test/lib/auth_token/auth_token_decryptor_test.rb b/test/lib/auth_token/auth_token_decryptor_test.rb
index d83de7990..fbb18d6d3 100644
--- a/test/lib/auth_token/auth_token_decryptor_test.rb
+++ b/test/lib/auth_token/auth_token_decryptor_test.rb
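Review bot: The widened `rescue` still lets `JSON::ParserError` escape from the `JSON.parse` call two lines above it: an input that base64-decodes and gets through `decipher.final` but does not yield JSON raises instead of returning `false`, and since this decryptor is driven from a request `before_filter` that would most likely surface as a 500 rather than the intended "Not authorized" response. Extend the list to `rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError`. Note also that the `CipherError` from `decipher.final` is the only integrity signal on this path; unless the cipher (constructed outside this hunk) uses an authenticated mode, the token should carry a MAC or be moved to an AEAD mode so tampered ciphertext is rejected before decryption is attempted. The enclosing method's header and the cipher construction lie outside the hunk.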
@@ -15,7 +15,7 @@ class AuthTokenDecryptorTest < ActiveSupport::TestCase
 # this token corresponds to:
 # {:user_ident=>"US-1234", :user_username=>"Registrant User", :expires_at=>"2010-07-05 02:15:00 UTC"}
- @access_token = "q27NWIsKD5snWj9vZzJ0RcOYvgocEyu7H9yCaDjfmGi54sogovpBeALMPWTZ\nHMcdFQzSiq6b4cI0p5tO0/5UEOHic2jRzNW7mkhi+bn+Y2W9l9TJV0IdiTj9\nbaf+JvlbyaJh6+/eXIm0tuV5E8Ra9Q==\n"
+ @access_token = "q27NWIsKD5snWj9vZzJ0RcOYvgocEyu7H9yCaDjfmGi54sogovpBeALMPWTZHMcdFQzSiq6b4cI0p5tO0_5UEOHic2jRzNW7mkhi-bn-Y2Wlnw7jhMpxw6VwJR8QEoDzjkcNxnKBN6OKF4nssa60ZQ=="
 end
 def teardown
@@ -61,7 +61,7 @@ class AuthTokenDecryptorTest < ActiveSupport::TestCase
 def test_returns_false_for_non_existing_user
 # This token was created from an admin user and @key. Decrypted, it corresponds to:
 # {:user_ident=>nil, :user_username=>"test", :expires_at=>"2010-07-05 00:15:00 UTC"}
- other_token = "rMkjgpyRcj2xOnHVwvvQ5RAS0yQepUSrw3XM5BrwM4TMH+h+TBeLve9InC/z\naPneMMnCs0NHQHt1EpH95A2YhX5P3HsyYITRErDmtlzUf21e185q/CUkW5NG\nWa4rar+6\n"
+ other_token = "rMkjgpyRcj2xOnHVwvvQ5RAS0yQepUSrw3XM5BrwM4TMH-h-TBeLve9InC_zaPneMMnCs0NHQHt1EpH95A2Yhdk6Ge6HQ-4gN5L0THDywCO2vHKGucPxbd6g6wOSaOnR"
 decryptor = AuthTokenDecryptor.new(other_token, @key)
 decryptor.decrypt_token