diff --git a/hub/api/api.go b/hub/api/api.go
index 8551803..844e59e 100644
--- a/hub/api/api.go
+++ b/hub/api/api.go
@@ -89,7 +89,7 @@ func (a *API) Session_Delete(sessionID string) {
 }
 const (
- sessionTTLSecs = 24 * 21 * time.Hour // sessions expire 21 days after last use
+ sessionTTL = 24 * 21 * time.Hour // sessions expire 21 days after last use
 sessionSweepEvery = time.Hour // cadence of expired-session eviction
 )
@@ -108,7 +108,7 @@ func (a *API) Session_Get(sessionID string) Session {
 return Session{}
 }
- if time.Since(s.LastSeenAt) > sessionTTLSecs {
+ if time.Since(s.LastSeenAt) > sessionTTL {
 delete(a.sessions, sessionID)
 return Session{}
 }
@@ -160,7 +160,7 @@ func (a *API) sweepSessions() {
 for range time.Tick(sessionSweepEvery) {
 a.sessionsMu.Lock()
 for id, s := range a.sessions {
- if time.Since(s.LastSeenAt) > sessionTTLSecs {
+ if time.Since(s.LastSeenAt) > sessionTTL {
 delete(a.sessions, id)
 }
 }
diff --git a/hub/handler.go b/hub/handler.go
index 50013cf..cfae8ba 100644
--- a/hub/handler.go
+++ b/hub/handler.go
@@ -1,7 +1,6 @@
 package hub
 import (
- "crypto/subtle"
 "errors"
 "log"
 "net/http"
@@ -64,8 +63,9 @@ func (app *App) handlePeer(pattern string, fn peerHandlerFunc) {
 return
 }
+ // Not doing constant time compare because index lookup time dominates.
 peer, err := app.api.Peer_GetByAPIKey(apiKey)
- if err != nil || subtle.ConstantTimeCompare([]byte(peer.APIKey), []byte(apiKey)) != 1 {
+ if err != nil {
 http.Error(w, "Not authorized", http.StatusUnauthorized)
 return
 }
diff --git a/peer/app.go b/peer/app.go
index ea60a90..d0ddd5e 100644
--- a/peer/app.go
+++ b/peer/app.go
@@ -44,7 +44,6 @@ type App struct {
 vpnNet netip.Prefix
 privKey wgtypes.Key
 pubKey wgtypes.Key
- isRelay bool
 isPublic bool
 localDomain string
diff --git a/peer/app_test.go b/peer/app_test.go
index 6564ef9..aae3a9c 100644
--- a/peer/app_test.go
+++ b/peer/app_test.go
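Review bot: The removed `subtle.ConstantTimeCompare` in handlePeer compared `peer.APIKey` against the very key that `Peer_GetByAPIKey` had just resolved, so it never provided timing protection in the first place, and the added comment gives a reason ("index lookup time dominates") that is not the actual justification. What determines whether comparison timing is a usable oracle is how the lookup itself matches keys — an exact-match hash index over high-entropy random tokens is fine, a linear scan with string equality or a prefix-indexed query is not — and that cannot be seen from this hunk. Suggest the comment state the invariant being relied on, e.g. `// No constant-time compare: the lookup already matched the full key, and API keys are assumed to be high-entropy random tokens (confirm in the key store), so compare timing is not a usable oracle.`. If the store is anything other than an exact-match index, looking up by a digest of the presented key rather than the raw key would remove the concern and keep raw keys out of the index. handlePeer continues outside the hunk.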
@@ -32,7 +32,7 @@ func addRelayPeer(t *testing.T, a *App, vpnIP string, ep netip.AddrPort) *Peer {
 // newTestApp returns a minimal App wired to a fakeWGDevice and fakeControlConn.
 // vpnIP is the local VPN address (e.g. "10.0.0.1").
 // isPublic / isRelay describe the local node's role.
-func newTestApp(t *testing.T, vpnIP string, isPublic, isRelay bool) (*App, *fakeWGDevice, *fakeControlConn) {
+func newTestApp(t *testing.T, vpnIP string, isPublic bool) (*App, *fakeWGDevice, *fakeControlConn) {
 t.Helper()
 privKey, err := wgtypes.GeneratePrivateKey()
 if err != nil {
@@ -47,7 +47,6 @@ func newTestApp(t *testing.T, vpnIP string, isPublic, isRelay bool) (*App, *fake
 privKey: privKey,
 pubKey: privKey.PublicKey(),
 isPublic: isPublic,
- isRelay: isRelay,
 dev: dev,
 controlConn: cc,
 peersByKey: make(map[wgtypes.Key]*Peer),
diff --git a/peer/new.go b/peer/new.go
index 3c008bb..eb8e279 100644
--- a/peer/new.go
+++ b/peer/new.go
@@ -89,7 +89,6 @@ func New(
 vpnNet: state.VPNNet,
 privKey: state.PrivKey,
 pubKey: state.PrivKey.PublicKey(),
- isRelay: state.IsRelay,
 isPublic: state.IsPublic,
 localDomain: localDomain,
diff --git a/peer/on_hub_test.go b/peer/on_hub_test.go
index 230aa93..2523282 100644
--- a/peer/on_hub_test.go
+++ b/peer/on_hub_test.go
@@ -85,7 +85,7 @@ func TestOnAddPeer(t *testing.T) {
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
- a, dev, _ := newTestApp(t, "10.0.0.1", false, false)
+ a, dev, _ := newTestApp(t, "10.0.0.1", false)
 key := mustKey(t)
 if tc.setup != nil {
 tc.setup(a, key)
@@ -192,7 +192,7 @@ func TestOnRemovePeer(t *testing.T) {
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
- a, dev, _ := newTestApp(t, "10.0.0.1", false, false)
+ a, dev, _ := newTestApp(t, "10.0.0.1", false)
 key := tc.setup(t, a)
 dev.Calls = nil
 a.onRemovePeer(key)
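Review bot: The doc comment directly above the new newTestApp signature still reads `// isPublic / isRelay describe the local node's role.` although the isRelay parameter has been removed, so it now documents an argument that no longer exists; change it to `// isPublic describes the local node's role.`. newTestApp's body continues outside the hunk.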
@@ -289,7 +289,7 @@ func TestSwitchActiveRelay(t *testing.T) {
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
- a, dev, _ := newTestApp(t, "10.0.0.1", false, false)
+ a, dev, _ := newTestApp(t, "10.0.0.1", false)
 tc.setup(t, a)
 dev.Calls = nil
 a.switchActiveRelay()
diff --git a/peer/wginterface/manage.go b/peer/wginterface/manage.go
index 4f8f9fe..77c146f 100644
--- a/peer/wginterface/manage.go
+++ b/peer/wginterface/manage.go
@@ -112,7 +112,7 @@ func (d *Device) SetRelay(pubKey wgtypes.Key, endpoint netip.AddrPort, network n
 })
 }
-// AddProbe adds a peer with no AllowedIPs and a 5s keepalive. WireGuard will
+// AddProbe adds a peer with no AllowedIPs and an 8s keepalive. WireGuard will
 // attempt handshakes without routing any traffic through this peer yet.
 func (d *Device) AddProbe(pubKey wgtypes.Key, endpoint netip.AddrPort) error {
 keepalive := ProbeKeepalive
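Review bot: The AddProbe doc comment now hard-codes `an 8s keepalive` while the body reads the interval from the `ProbeKeepalive` constant, which is exactly how the previous `5s` went stale; phrase the comment in terms of the constant, e.g. `// AddProbe adds a peer with no AllowedIPs and a ProbeKeepalive persistent keepalive. WireGuard will`, so the next tuning does not need a comment edit. AddProbe's body continues outside the hunk.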