diff --git a/lib/app/index.js b/lib/app/index.js
index 8da33689df..f3544c2c65 100644
--- a/lib/app/index.js
+++ b/lib/app/index.js
@@ -23,10 +23,10 @@ helpers.viewHelpers(view);
 _ = require('lodash');
-get('/:uidParam?', function(page, model, _arg, next) {
- var req, sess, uidParam;
- uidParam = _arg.uidParam;
- if ((uidParam === 'privacy' || uidParam === 'terms' || uidParam === 'auth')) {
+get('/:uid?', function(page, model, _arg, next) {
+ var req, sess, uid;
+ uid = _arg.uid;
+ if (uid && !(require('guid').isGuid(uid))) {
 return next();
 }
 req = page._res.req;
diff --git a/lib/server/auth.js b/lib/server/auth.js
index 23a8bcb932..e07174c6c5 100644
--- a/lib/server/auth.js
+++ b/lib/server/auth.js
@@ -22,7 +22,7 @@ module.exports.newUserAndPurl = function() {
 sess.userId = derby.uuid();
 model.set("users." + sess.userId, schema.newUserObject());
 }
- acceptableUid = require('guid').isGuid(uidParam) || (uidParam === '3');
+ acceptableUid = require('guid').isGuid(uidParam);
 if (acceptableUid && sess.userId !== uidParam && !(sess.habitRpgAuth && sess.habitRpgAuth.facebook)) {
 return sess.userId = uidParam;
 }
diff --git a/src/app/index.coffee b/src/app/index.coffee
index 5abcbc528e..27b1ab741b 100644
--- a/src/app/index.coffee
+++ b/src/app/index.coffee
@@ -15,9 +15,11 @@ _ = require 'lodash'
 # ========== ROUTES ==========
-get '/:uidParam?', (page, model, {uidParam}, next) ->
- #FIXME figure out a better way to do this
- return next() if (uidParam in ['privacy','terms','auth'])
+get '/:uid?', (page, model, {uid}, next) ->
+ # delegate to other routes. FIXME how to define express routes first?
+ if uid && !(require('guid').isGuid(uid))
+ return next()
+ # Force SSL
 req = page._res.req
 if req.headers['x-forwarded-proto']!='https' and process.env.NODE_ENV=='production'
diff --git a/src/server/auth.coffee b/src/server/auth.coffee
index 03a9ef1555..68f42aae94 100644
--- a/src/server/auth.coffee
+++ b/src/server/auth.coffee
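Review bot: `require('guid')` on the new `if uid && ...` line in src/app/index.coffee resolves the module on every request this catch-all route handles; hoist it next to the lodash require, `guid = require 'guid'`, and test with `if uid and not guid.isGuid(uid)`. The fall-through is now decided by format instead of the old explicit `['privacy','terms','auth']` list, so any single-segment path that is not a GUID is handed to `next()`, which is presumably what the FIXME is about — a one-line comment naming the routes this is meant to reach would help the next reader. The route handler continues past the hunk, and the compiled copy in lib/app/index.js carries the same change.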
@@ -21,7 +21,7 @@ module.exports.newUserAndPurl = ->
 ## -------- (2) PURL --------
 # eg, http://localhost/{guid}), legacy - will be removed eventually
 # tests if UUID was used (bookmarked private url), and restores that session
- acceptableUid = require('guid').isGuid(uidParam) or (uidParam == '3')
+ acceptableUid = require('guid').isGuid(uidParam)
 if acceptableUid && sess.userId!=uidParam && !(sess.habitRpgAuth && sess.habitRpgAuth.facebook)
 # TODO check if in database - issue with accessControl which is on current uid?
 sess.userId = uidParam
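Review bot: `isGuid(uidParam)` on the new line is a format check only, yet the unchanged `sess.userId = uidParam` below rebinds the session to whatever well-formed GUID the URL carried without confirming that user exists — the TODO on the next context line. Since this PURL path treats the GUID in the URL as the credential, the existence check belongs in `acceptableUid`, e.g. `acceptableUid = require('guid').isGuid(uidParam) and model.get("users.#{uidParam}")?` if the user document is available to `model` at this point, and the identity switch is worth logging so it appears in audit trails. Note that only sessions carrying `sess.habitRpgAuth.facebook` are protected from being switched; other authenticated sessions are not, which may be intended for this legacy path but deserves a comment. `newUserAndPurl` starts before the hunk, and lib/server/auth.js carries the compiled version of this change.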