diff --git a/src/web.rs b/src/web.rs
index bbec733..5d008fe 100644
--- a/src/web.rs
+++ b/src/web.rs
@@ -126,7 +126,8 @@ pub async fn serve(
 }
 
 async fn hello(ConnectInfo(_): ConnectInfo) -> impl IntoResponse {
-    "idCoop. TODO landing page"
+    // TODO(v0.0.2): landing page
+    "idCoop is running!"
 }
 
 fn make_login_redirect(then_uri: Uri) -> Response {
diff --git a/src/web/oauth_openid.rs b/src/web/oauth_openid.rs
index 2d12d2d..2b4f56f 100644
--- a/src/web/oauth_openid.rs
+++ b/src/web/oauth_openid.rs
@@ -127,11 +127,9 @@ pub async fn oidc_discovery_configuration(
         response_types_supported: vec!["code".to_owned()],
         response_modes_supported: vec!["query".to_owned()],
         // TODO should we support 'implicit'?
-        // TODO should we support 'refresh_token'
+        // TODO(refresh) should we support 'refresh_token'
         grant_types_supported: vec!["authorization_code".to_owned()],
-        // TODO this is currently a lie
         subject_types_supported: vec!["public".to_owned()],
-        // TODO this is currently a lie
         // TODO we should support other types?
         id_token_signing_alg_values_supported: vec!["RS256".to_owned()],
     })
diff --git a/src/web/oauth_openid/authorisation.rs b/src/web/oauth_openid/authorisation.rs
index 45e1b75..38ff0ea 100644
--- a/src/web/oauth_openid/authorisation.rs
+++ b/src/web/oauth_openid/authorisation.rs
@@ -70,7 +70,7 @@ pub async fn oidc_authorisation(
     let Query(query) = match query {
         Ok(query) => query,
         Err(err) => {
-            // TODO this should be a pretty page
+            // TODO(ui) this should be a pretty page
             return (
                 StatusCode::BAD_REQUEST,
                 format!("TODO bad authorisation request: {err:?}"),
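Review bot: The two `// TODO this is currently a lie` markers above `subject_types_supported` and `id_token_signing_alg_values_supported` are dropped without touching the advertised `public` / `RS256` values, so the discovery document now silently claims they are accurate; I cannot see the ID token signer from here, so if they are now true I would pin that with `// must agree with the key and alg the id_token signer in token.rs actually uses`, and if not, the markers should come back. The remaining `// TODO should we support 'implicit'?` can be closed rather than carried: the OAuth 2.0 Security BCP and OAuth 2.1 remove the implicit grant, so I would replace it with `// implicit is deliberately unsupported (OAuth 2.0 Security BCP); keep 'code' only`. `oidc_discovery_configuration` starts before this hunk.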
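Review bot: The rejection branch formats `{err:?}` straight into the 400 body, and that Debug output typically carries the deserialisation error for the caller-supplied query string; as a plain `String` response this is only a disclosure of framework internals, but the `TODO(ui)` pretty page will render it as HTML, where it must be escaped. I would make that explicit now: `// TODO(ui) this should be a pretty page — err echoes the raw query, HTML-escape it there`. A fixed message in the body with the Debug form going to the log would also keep the response independent of the rejection type. `oidc_authorisation` starts before and continues after this hunk.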
@@ -182,12 +182,12 @@ fn validate_authorisation_basics<'a>(
     config: &'a Configuration,
 ) -> Result<(String, &'a OidcClientConfiguration), Response> {
     let Some(client_config) = config.oidc.clients.get(&query.client_id) else {
-        // TODO format as pretty page
+        // TODO(ui) format as pretty page
         return Err((StatusCode::BAD_REQUEST, "TODO bad client_id").into_response());
     };
 
     if !client_config.redirect_uris.contains(&query.redirect_uri) {
-        // TODO format as pretty page
+        // TODO(ui) format as pretty page
         return Err((StatusCode::BAD_REQUEST, "TODO bad redirect_uri").into_response());
     }
 
diff --git a/src/web/oauth_openid/ext_codes.rs b/src/web/oauth_openid/ext_codes.rs
index c71d5b8..a2df9c3 100644
--- a/src/web/oauth_openid/ext_codes.rs
+++ b/src/web/oauth_openid/ext_codes.rs
@@ -218,7 +218,7 @@ pub enum CodeRedemption {
     Valid { binding: AuthCodeBinding },
     /// That auth code had already been redeemed: please invalidate the given access token and reject this redemption.
     Conflicted {
-        // TODO what if the token was refreshed since?
+        // TODO(refresh) what if the token was refreshed since?
         access_token_to_invalidate: AccessTokenHash,
         refresh_token_to_invalidate: RefreshTokenHash,
     },
diff --git a/src/web/oauth_openid/token.rs b/src/web/oauth_openid/token.rs
index 1a49a44..4beb2c1 100644
--- a/src/web/oauth_openid/token.rs
+++ b/src/web/oauth_openid/token.rs
@@ -128,7 +128,7 @@ pub async fn oidc_token(
     // now we have checked that the client is who they say they are...
     let _client_config = unverified_client_config;
 
-    // TODO support other grant types, e.g. refresh tokens
+    // TODO(refresh) support other grant types, e.g. refresh tokens
     if form.grant_type != "authorization_code" {
         return (
             StatusCode::BAD_REQUEST,
@@ -304,7 +304,7 @@ pub async fn oidc_token(
     txn.issue_access_token(
         &access_token_hash,
         session_id,
-        // TODO Support custom expiry, not 100 years
+        // TODO(expiry) Support custom expiry, not 100 years
         Utc::now() + Duration::days(365 * 100),
     )
     .await
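Review bot: Both error branches answer 400 to the caller instead of bouncing to `redirect_uri`, which is exactly what RFC 6749 §4.1.2.1 requires when the client or redirect URI fails validation, but nothing records that this is deliberate and the `TODO(ui)` could tempt a later rewrite into a redirect. I would pin it above the first check: `// never redirect from here: redirect_uri is not trusted until it has been matched (RFC 6749 §4.1.2.1)`. The exact `contains` match is the right comparison; if `redirect_uris` holds a parsed `Uri` type rather than strings, confirm its equality does not normalise (default ports, case), since the spec asks for simple string comparison. `validate_authorisation_basics` begins before this hunk and continues after it.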
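Review bot: The doc comment on `Conflicted` tells the caller to invalidate "the given access token", but the variant also carries `refresh_token_to_invalidate`, and the retagged `TODO(refresh)` already admits that a rotated refresh token would leave both hashes stale. RFC 6749 §4.1.2 asks that on code reuse all tokens issued from that code be revoked, so revoking by the owning session rather than by token hash would make the TODO disappear; I cannot see from here whether the session id is available at this point. At minimum I would widen the doc comment to `/// That auth code had already been redeemed (possible replay): invalidate the access and refresh tokens issued for it and reject this redemption.`. `CodeRedemption` starts before this hunk.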
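Review bot: The `form.grant_type != "authorization_code"` guard returns `BAD_REQUEST`, and RFC 6749 §5.2 expects that 400 to carry a JSON body with `"error": "unsupported_grant_type"`; the body lies past the hunk, so I cannot tell whether it already does. Note also that the response later in this function includes a `refresh_token` while this guard makes it unredeemable, so every client receives a long-lived credential that only adds attack surface until TODO(refresh) lands; I would either not issue it yet or gate issuance on the grant being supported. `let _client_config = unverified_client_config;` binds the now-verified config to a deliberately unused name — if nothing later reads it, a comment saying why it is kept would help. `oidc_token` starts before and continues after this hunk.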
@@ -312,7 +312,7 @@ pub async fn oidc_token(
     txn.issue_refresh_token(
         &refresh_token_hash,
         session_id,
-        // TODO Support custom expiry, not 100 years
+        // TODO(expiry) Support custom expiry, not 100 years
         Utc::now() + Duration::days(365 * 100),
     )
     .await
@@ -345,7 +345,7 @@ pub async fn oidc_token(
         .duration_since(UNIX_EPOCH)
         .expect("Before unix epoch?")
         .as_secs();
-    // TODO Support custom expiry times (not just 100 years)
+    // TODO(expiry) Support custom expiry times (not just 100 years)
     let exp = now + 100 * 365 * 86400;
     let sub = binding.user_id.hyphenated().to_string();
     let id_token = IdToken {
@@ -372,7 +372,7 @@ pub async fn oidc_token(
         access_token: access_token_b64,
         token_type: "Bearer".to_owned(),
         refresh_token: refresh_token_b64,
-        expires_in: 86400 * 365, // TODO
+        expires_in: 86400 * 365, // TODO(expiry)
         // This assumes that we only support the OpenID scope at present.
         scope: "openid".to_owned(),
         id_token,
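Review bot: `expires_in: 86400 * 365` tells the client its access token lives one year, while `issue_access_token` stores `Utc::now() + Duration::days(365 * 100)` and the id_token `exp` is `now + 100 * 365 * 86400`, so a client will treat as dead a token the server keeps honouring for another 99 years, and the three lifetimes are typed out independently with no single source. Until TODO(expiry) is done I would declare one constant, e.g. `const TOKEN_LIFETIME_SECS: u64 = 86400 * 365;`, and derive the stored expiry, the id_token `exp` and `expires_in` from it so they cannot drift. A 100-year ID token is itself a defect worth fixing ahead of configurable expiry — ID tokens are meant to be short-lived, and the same clock (`Utc::now()` vs `SystemTime`) should feed both the stored and the asserted expiry. `oidc_token` starts before and continues after this hunk.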