diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index c035a201..42ff2bb4 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -92,7 +92,6 @@ class Travis::Api::App
         handshake do |user, token, redirect_uri|
           if target_ok? redirect_uri
             content_type :html
-            user = Travis::Api.data(user, version: :v2)
             data = { user: user, token: token, uri: redirect_uri }
             erb(:post_payload, locals: data)
           else
@@ -131,10 +130,7 @@ class Travis::Api::App
       get '/post_message/iframe', scope: :public do
         handshake do |user, token, target_origin|
           halt 403, invalid_target(target_origin) unless target_ok? target_origin
-          rendered_user = Travis::Api.data(user, version: :v2)
-          travis_token  = user.tokens.first
-          post_message(token: token, user: rendered_user, target_origin: target_origin,
-                       travis_token: travis_token ? travis_token.token : nil)
+          post_message(token: token, user: user, target_origin: target_origin)
         end
       end
 
@@ -144,6 +140,11 @@ class Travis::Api::App
 
       private
 
+        def serialize_user(user)
+          rendered = Travis::Api.data(user, version: :v2)
+          rendered['user'].merge('token' => user.tokens.first.try(:token).to_s)
+        end
+
         def oauth_endpoint
           proxy = Travis.config.oauth2.proxy
           proxy ? File.join(proxy, request.fullpath) : url
@@ -167,7 +168,7 @@ class Travis::Api::App
             user                   = user_for_github_token(github_token)
             token                  = generate_token(user: user, app_id: 0)
             payload                = params[:state].split(":::", 2)[1]
-            yield user, token, payload
+            yield serialize_user(user), token, payload
           else
             values[:state]         = create_state
             endpoint.path          = config.authorize_path
@@ -417,9 +418,8 @@ function uberParent(win) {
 }
 
 function sendPayload(win) {
-  var payload          = <%= user.to_json %>;
-  payload.token        = <%= token.inspect %>;
-  payload.travis_token = <%= travis_token ? travis_token.inspect : null %>;
+  var payload   = <%= user.to_json %>;
+  payload.token = <%= token.inspect %>;
   uberParent(win).postMessage(payload, <%= target_origin.inspect %>);
 }
 
@@ -433,8 +433,8 @@ if(window.parent == window) {
 </script>
 
 @@ post_payload
-<body onload='document.forms[0].submit()'>
-  <form action="<%= uri %>" method='post'>
+<body onload=''>
+  <form action="<%= document.forms[0].submit() %>" method='post'>
     <input type='hidden' name='token'   value='<%= token %>'>
     <input type='hidden' name='user'    value="<%= user.to_json.gsub('"', '&quot;') %>">
     <input type='hidden' name='storage' value='localStorage'>