diff --git a/warden3/warden_server/README b/warden3/warden_server/README
index 104fb61a2b92d27b569cea520e95dffed51d987c..8438d1381eaa19d8a0d108ec191a320058ba335c 100644
--- a/warden3/warden_server/README
+++ b/warden3/warden_server/README
@@ -214,7 +214,8 @@ warden_server.py register [--help] -n NAME -h HOSTNAME -r REQUESTOR
      -r REQUESTOR, --requestor REQUESTOR
                            requestor email
      -s SECRET, --secret SECRET
-                           authentication token
+                           authentication token (use explicit empty string to
+                           disable)
      --note NOTE           client freetext description
      --valid               valid client (default)
      --novalid
diff --git a/warden3/warden_server/warden_server.py b/warden3/warden_server/warden_server.py
index 654d4fbe8406b8e293e181d85aab13685a37b702..204790eb8949ccfce7f33f95f6297320bb6beb26 100755
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -394,7 +394,7 @@ class X509MixMatchAuthenticator(PlainAuthenticator):
     def __init__(self, req, log, db):
         PlainAuthenticator.__init__(self, req, log, db)
         self.hostname_auth = X509Authenticator(req, log, db)
-        self.name_auth = X509Authenticator(req, log, db)
+        self.name_auth = X509NameAuthenticator(req, log, db)
 
 
     def authenticate(self, env, args):
@@ -421,7 +421,8 @@ class X509MixMatchAuthenticator(PlainAuthenticator):
         else:
             auth = self.hostname_auth
 
-        return auth.authenticate(self, env, args)
+        self.log.info("MixMatch is choosing %s" % type(auth).__name__)
+        return auth.authenticate(env, args)
 
 
 class NoValidator(ObjectBase):
@@ -601,6 +602,8 @@ class MySQL(ObjectBase):
         for attr in set(Client._fields) - set(["id", "registered"]):
             val = kwargs.get(attr, None)
             if val is not None:
+                if attr == "secret" and val == "":  # disable secret
+                    val = None
                 uquery.append("`%s` = %%s" % attr)
                 params.append(val)
         if not uquery:
@@ -1243,6 +1246,11 @@ param_def = {
         "log": {"type": "obj", "default": "log"},
         "db": {"type": "obj", "default": "db"}
     },
+    X509MixMatchAuthenticator: {
+        "req": {"type": "obj", "default": "req"},
+        "log": {"type": "obj", "default": "log"},
+        "db": {"type": "obj", "default": "db"}
+    },
     NoValidator: {
         "req": {"type": "obj", "default": "req"},
         "log": {"type": "obj", "default": "log"},
@@ -1511,7 +1519,7 @@ def add_client_args(subargp, mod=False):
     subargp.add_argument("-r", "--requestor", required=not mod,
         help="requestor email")
     subargp.add_argument("-s", "--secret",
-        help="authentication token")
+        help="authentication token (use explicit empty string to disable)")
     subargp.add_argument("--note",
         help="client freetext description")