diff --git a/.ignore b/.ignore new file mode 100644 index 0000000..ddb3cdd --- /dev/null +++ b/.ignore @@ -0,0 +1,2 @@ +prefactor +.well-known diff --git a/oauth3.core.js b/oauth3.core.js index 8c445d9..8d178d7 100644 --- a/oauth3.core.js +++ b/oauth3.core.js @@ -535,7 +535,7 @@ var providerUri = oldSession.provider_uri; var clientUri = oldSession.client_uri; - Object.keys(['access_token', 'token', 'client_uri', 'refresh', 'refresh_token', 'expires_in', 'provider_uri', 'scope', 'token_type']).forEach(function (key) { + ['access_token', 'token', 'client_uri', 'refresh', 'refresh_token', 'expires_in', 'provider_uri', 'scope', 'token_type'].forEach(function (key) { oldSession[key] = undefined; }); Object.keys(newSession).forEach(function (key) { @@ -821,7 +821,7 @@ var logoutReq = OAUTH3.urls.logout( directives , { client_id: (opts.client_id || opts.client_uri || OAUTH3.clientUri(OAUTH3._browser.window.location)) - , windowType: 'popup' // we'll figure out background later + , windowType: 'popup' // TODO: figure out background later , broker: opts.broker //, state: opts._state , debug: opts.debug @@ -932,15 +932,14 @@ xhr = new XMLHttpRequest(); } xhr.onreadystatechange = function () { - var data; if (xhr.readyState !== XMLHttpRequest.DONE) { // nothing to do here return; } + var data, err; if (xhr.status !== 200) { - reject(new Error('bad status code: ' + xhr.status)); - return; + err = new Error('bad status code: ' + xhr.status); } try { @@ -949,6 +948,18 @@ data = xhr.responseText; } + if (data.error) { + err = new Error(data.error.message || data.error_description || JSON.stringify(data.error)); + Object.assign(err, data.error); + } + if (err) { + err._request = xhr; + err.status = xhr.status; + err.data = data; + reject(err); + return; + } + resolve({ _request: xhr , headers: null // TODO 
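Review bot: In the oauth3.core.js hunk at `@@ -535`, the corrected loop now really clears `refresh_token` and the other listed fields from `oldSession`, so a refresh response that omits `refresh_token` would leave the session without one, assuming the `Object.keys(newSession)` copy that follows is the only place it is restored. OAuth2 servers may answer a refresh without issuing a new refresh token, and the visible lines save only `provider_uri` and `client_uri` beforehand. Consider saving it the same way, `var refreshToken = oldSession.refresh_token;`, and restoring it when `newSession.refresh_token` is absent. The enclosing function starts and ends outside the hunk, so this needs checking against the rest of its body.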
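Review bot: In the oauth3.core.js hunk at `@@ -949`, `data.error` is read without checking `data`, so if the parse in the `try` above yields `null` the handler throws and the promise is never settled; the Node-side `_parseJson` in this same commit already guards with `json && json.error`. Use `if (data && data.error) {` here as well. `Object.assign(err, data.error)` also copies whatever the server sent onto the Error: a string such as `"invalid_grant"` (constructed example) adds indexed character properties, and an object can overwrite `message` or `stack`. Copying only when `typeof data.error === 'object'`, and preferably only a fixed list of fields, keeps the error shape under the client's control. The handler begins in the previous hunk and continues past this one.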
@@ -956,6 +967,11 @@ , status: xhr.status }); }; + xhr.ontimeout = function () { + var err = new Error('ETIMEDOUT'); + err.code = 'ETIMEDOUT'; + reject(err); + }; if (preq.progress) { xhr.upload.onprogress = function (ev) { @@ -973,6 +989,9 @@ // For assets.example.com/assets xhr.withCredentials = true; + if (preq.timeout) { + xhr.timeout = preq.timeout; + } if (preq.data) { headers['Content-Type'] = 'application/json'; // TODO XXX TODO utf8 } @@ -1306,7 +1325,7 @@ } } } - , _initClient: function (location/*, opts*/) { + , _initClient: function () { var me = this; return OAUTH3.discover(me._clientUri, { client_id: me._clientUri }).then(function (clientDirectives) { me._clientDirectives = clientDirectives; diff --git a/oauth3.node.js b/oauth3.node.js index 97fecd1..efa25c6 100644 --- a/oauth3.node.js +++ b/oauth3.node.js @@ -44,6 +44,7 @@ OAUTH3._node.request = function(preq/*, _sys*/) { method: preq.method , url: preq.url || preq.uri , headers: preq.headers + , timeout: preq.timeout || undefined , json: preq.data || preq.body || preq.json || undefined // TODO which to use? , formData: preq.formData || undefined }; @@ -60,10 +61,7 @@ OAUTH3._node._parseJson = function (resp) { // TODO toCamelCase if (!(resp.statusCode >= 200 && resp.statusCode < 400)) { - // console.log('[A3] DEBUG', resp.body); err = new Error("bad response code: " + resp.statusCode); - err.result = resp.body; - return PromiseA.reject(err); } //console.log('resp.body', typeof resp.body); 
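Review bot: The `xhr.ontimeout` handler added in the oauth3.core.js hunk at `@@ -956` will most likely never deliver its `ETIMEDOUT` error, because on a timeout the browser first fires `readystatechange` with `readyState` DONE and `status` 0, and the handler above then rejects with `bad status code: 0`. The later `reject(err)` here is a no-op on an already-settled promise, so callers cannot tell a timeout from any other failure. One fix is to have `onreadystatechange` return early when `xhr.status === 0` and to reject from `ontimeout` plus a new `xhr.onerror`; without the `onerror` part, network failures would never settle. The `onreadystatechange` body lies outside this hunk.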
@@ -71,15 +69,16 @@ OAUTH3._node._parseJson = function (resp) { try { json = JSON.parse(json); } catch(e) { - err = new Error('response not parsable:' + resp.body); - err.result = resp.body; - return PromiseA.reject(err); + err = err || (new Error('response not parsable: ' + resp.body)); } } // handle both Oauth2- and node-style errors - if (json.error) { - err = new Error(json.error && json.error.message || json.error_description || json.error); + if (json && json.error) { + err = new Error(json.error.message || json.error_description || JSON.stringify(json.error)); + } + + if (err) { err.result = json; return PromiseA.reject(err); } diff --git a/package.json b/package.json index 606658b..47cec23 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "oauth3.js", - "version": "1.0.10", + "version": "1.2.2", "description": "The world's smallest, fastest, and most secure OAuth3 (and OAuth2) JavaScript implementation.", "main": "oauth3.node.js", "scripts": {
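Review bot: In `_parseJson` (oauth3.node.js, hunk `@@ -71`), the status-code error created in the previous hunk is replaced whenever the body carries `error`, and the rejected error never records `resp.statusCode`, whereas the browser path in this commit sets `err.status`. Adding `err.status = resp.statusCode;` next to `err.result = json;` would keep the two transports consistent for callers that branch on status. The `'response not parsable: ' + resp.body` message still embeds the whole raw body, which can end up in logs; a fixed message would be safer, since the body appears to be attached as `err.result` anyway. For a plain string `error` with no `error_description`, `JSON.stringify(json.error)` produces a message wrapped in literal quotes, so `typeof json.error === 'string' ? json.error : JSON.stringify(json.error)` reads better. The function starts in the preceding hunk.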