diff --git a/src/main/java/edu/iu/terracotta/config/WebSecurityConfig.java b/src/main/java/edu/iu/terracotta/config/WebSecurityConfig.java
index 9af9ff519..2cd995b72 100644
--- a/src/main/java/edu/iu/terracotta/config/WebSecurityConfig.java
+++ b/src/main/java/edu/iu/terracotta/config/WebSecurityConfig.java
@@ -156,6 +156,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .antMatchers("/api/**")
 .and()
 .addFilterBefore(new CorsFilter(new CorsConfigurationSourceImpl()), BasicAuthenticationFilter.class)
+ //TODO IMPORTANT. Enable this line for production
 //.addFilterBefore(apioAuthProviderProcessingFilter, UsernamePasswordAuthenticationFilter.class)
 .authorizeRequests().anyRequest().permitAll().and().csrf().disable().headers().frameOptions().disable();
 }
diff --git a/src/main/java/edu/iu/terracotta/utils/lti/LTI3Request.java b/src/main/java/edu/iu/terracotta/utils/lti/LTI3Request.java
index f7652fcb9..f2f167f89 100644
--- a/src/main/java/edu/iu/terracotta/utils/lti/LTI3Request.java
+++ b/src/main/java/edu/iu/terracotta/utils/lti/LTI3Request.java
@@ -308,7 +308,7 @@ public Key resolveSigningKey(JwsHeader header, Claims claims) {
 // We update the database in case we have new values. (New users, new resources...etc)
 if (isLTI3Request.equals(LtiStrings.LTI_MESSAGE_TYPE_RESOURCE_LINK) || isLTI3Request.equals(LtiStrings.LTI_MESSAGE_TYPE_DEEP_LINKING)) {
 //Load data from DB related with this request and update it if needed with the new values.
- PlatformDeployment platformDeployment = ltiDataService.getRepos().platformDeploymentRepository.findByClientId(this.aud).get(0);
+ PlatformDeployment platformDeployment = ltiDataService.getRepos().platformDeploymentRepository.findByIssAndClientIdAndDeploymentId(this.iss, this.aud, ltiDeploymentId).get(0);
 ltiDataService.loadLTIDataFromDB(this, linkId);
 if (update) {
 if (isLTI3Request.equals(LtiStrings.LTI_MESSAGE_TYPE_RESOURCE_LINK)) {
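Review bot: The `/api/**` chain in WebSecurityConfig.configure still ends in `anyRequest().permitAll()` with CSRF disabled and the `apioAuthProviderProcessingFilter` registration commented out, so as far as this hunk shows, the added TODO is the only thing keeping an unauthenticated API out of a production build. A comment is easy to miss at release time. The safer default is to keep `.addFilterBefore(apioAuthProviderProcessingFilter, UsernamePasswordAuthenticationFilter.class)` live and skip it only behind an explicit development switch, such as a Spring profile or a boolean property that defaults to enforcing. The start of configure() lies outside the hunk, so any earlier rule that already protects these routes is not visible here.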
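Review bot: In LTI3Request.java at line 311, `findByIssAndClientIdAndDeploymentId(this.iss, this.aud, ltiDeploymentId).get(0)` throws IndexOutOfBoundsException when no registration matches, and the stricter three-part key makes an empty result more likely than the old client-id-only lookup did. The launch should be rejected explicitly: assign the list to a local and add `if (deployments.isEmpty()) { throw new IllegalStateException("Unknown issuer/client/deployment"); }` (or the project's own launch-validation exception) before taking element 0. The same `.get(0)` appears in the hunk at line 442, so resolving the deployment once and reusing it would keep both sites consistent. This also assumes `ltiDeploymentId` is already populated from the claims at this point, which the hunk does not show; the enclosing block starts and ends outside the hunk.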
@@ -442,7 +442,7 @@ public String processRequestParameters(HttpServletRequest request, Jws j
 session.setAttribute(LtiStrings.LTI_SESSION_CONTEXT_ID, ltiContextId);
 session.setAttribute(LtiStrings.LTI_SESSION_CONTEXT_ID, ltiContextId);
 try {
- session.setAttribute(LtiStrings.LTI_SESSION_DEPLOYMENT_KEY, ltiDataService.getRepos().platformDeploymentRepository.findByDeploymentId(ltiDeploymentId).get(0).getKeyId());
+ session.setAttribute(LtiStrings.LTI_SESSION_DEPLOYMENT_KEY, ltiDataService.getRepos().platformDeploymentRepository.findByIssAndClientIdAndDeploymentId(iss, aud, ltiDeploymentId).get(0).getKeyId());
 } catch (Exception e) {
 log.error("No deployment found");
 }
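Review bot: When the new lookup inside the `try` finds nothing, the catch-all only logs a fixed string and the method carries on without `LTI_SESSION_DEPLOYMENT_KEY` in the session, so a launch from an unregistered issuer/client/deployment is not stopped here. Whether later code rejects a session without that key is not visible in the hunk; if it does not, this path should fail the request rather than continue. At minimum the log line should carry the identifiers and the exception for triage, e.g. `log.error("No deployment found for iss={} clientId={} deploymentId={}", iss, aud, ltiDeploymentId, e);`, assuming `log` is an SLF4J logger. processRequestParameters starts and ends outside the hunk.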