diff --git a/README.md b/README.md
index 0ef565f..582bfa7 100644
--- a/README.md
+++ b/README.md
@@ -13,12 +13,17 @@ All API calls take a JSON payload of an email address. E.g.:
 email: bob@example.com }
+or, for GET requests: `?email=bob@example.com`.
+
 Eventuall, they might take an assertion: { assertion: }
+
+### NULL security model
+Clients can safely ignore `version` and `deviceId` in API responses. These are intended for key revocation, but they won't be used in early prototypes.
+
 ### POST /user
 Creates a new user account and generates a class A key.
@@ -43,8 +48,8 @@ Registers a new device with the user account.
 deviceId: }
-### GET /user/{deviceId}
-Fetches the user's current key.
+### GET /user/[deviceId]
+Fetches the user's current key. `deviceId` is not required.
 *Returns*
@@ -55,6 +60,8 @@ Fetches the user's current key.
 }
 ### POST /user/bump/{deviceId}
+**Not used in NULL authentication model**
+
 This creates a new class A key for the user and bumps the version number. All devices besides the device that initiated the call will be marked as having an outdated key.
diff --git a/routes/user.js b/routes/user.js
index f8a965e..bb204b2 100644
--- a/routes/user.js
+++ b/routes/user.js
@@ -22,7 +22,7 @@ exports.routes = [
 validate: {
 schema: {
 assertion: Str(),
- email: Str()
+ email: Str().required()
 }
 },
 response: {
@@ -37,7 +37,7 @@ exports.routes = [
 },
 {
 method: 'GET',
- path: '/user/{deviceId}',
+ path: '/user/{deviceId?}',
 handler: get,
 config: {
 description: 'get user meta data',
@@ -45,7 +45,7 @@ exports.routes = [
 validate: {
 query: {
 assertion: Str(),
- email: Str()
+ email: Str().required()
 }
 },
 response: {
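Review bot: With `deviceId` made optional on the GET route (hunk @@ -37) and `assertion: Str()` left optional in the query schema (hunk @@ -45), the only input the route now requires before handing back a user's key is the email, and nothing in routes/user.js records that this is the prototype-only NULL model the README describes. I would mark the intent where the schema lives so it cannot be shipped unnoticed, e.g. `// NULL auth model (see README): assertion is optional here; make it required() before real use` above the `assertion: Str(),` line in the query schema, and the same comment in the POST schema of hunk @@ -22. The `email` field is validated only as a string; if the validator in use offers an email-format rule, applying it would reject malformed values before they reach the user lookup. The enclosing `exports.routes` array starts and ends outside these hunks.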
@@ -100,6 +100,15 @@ function create(request) {
 function get(request) {
 var pre = request.pre;
+ // For NULL auth, deviceId is not required
+ if (! request.params.deviceId) {
+ return request.reply({
+ success: true,
+ kA: pre.user.kA,
+ version: pre.user.kA_version
+ });
+ }
+
 // update the device's last kA request time
 users.updateDevice(pre.userId, request.params.deviceId, function(err) {
 if (err) return request.reply(Hapi.Error.badRequest(err));
diff --git a/test/integration/user.js b/test/integration/user.js
index a8ab030..54dc171 100644
--- a/test/integration/user.js
+++ b/test/integration/user.js
@@ -6,7 +6,7 @@ var server = helpers.server;
 var makeRequest = helpers.makeRequest.bind(server);
 var TEST_AUDIENCE = config.get('public_url');
-var TEST_EMAIL;
+var TEST_EMAIL = 'foo@example.com';
 var TEST_ASSERTION;
 /*describe('get user', function() {*/
@@ -70,6 +70,17 @@ describe('user', function() {
 });
 });
+ it('should get user info without supplying a device ID', function(done) {
+ makeRequest('GET', '/user/?email=' + TEST_EMAIL
+ , function(res) {
+ assert.equal(res.statusCode, 200);
+ assert.equal(kA, res.result.kA);
+ assert.equal(res.result.version, 1);
+
+ done();
+ });
+ });
+
 it('should bump version', function(done) {
 makeRequest('POST', '/user/bump/' + deviceId, {
 //payload: { assertion: TEST_ASSERTION }
@@ -82,5 +93,6 @@ describe('user', function() {
 done();
 });
 });
+
 });
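Review bot: The new early return in `get` skips `users.updateDevice`, so a request that omits `deviceId` leaves no last-request record for any device, and the branch comment should say whether that is intended, e.g. `// For NULL auth, deviceId is not required; with no device there is no updateDevice bookkeeping`. The reply in this branch also omits any `deviceId` field, and the route's `response:` schema (outside this hunk) is not visible here, so it is worth confirming that response validation accepts this shape. Minor style: `if (!request.params.deviceId) {` without the space after `!` matches the usual convention. `get` continues past the end of the hunk.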
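Review bot: The URL in the new test is built by concatenation with no encoding, so an address containing `+` or another reserved character would be altered by the query parser; `makeRequest('GET', '/user/?email=' + encodeURIComponent(TEST_EMAIL), function(res) {` keeps the test meaningful if TEST_EMAIL ever changes. `assert.equal(res.result.version, 1)` relies on this case running before 'should bump version', and `kA` appears to be set by an earlier test outside the hunk, so a one-line comment noting the ordering dependency would help the next person who reorders the suite. Style: the leading comma on the `, function(res) {` continuation line is unusual; ending the previous line with the comma reads more conventionally.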