From a495694eaefaabb86003e1bb90a6acdc63ea1fd3 Mon Sep 17 00:00:00 2001
From: akafredperry <fred@atsign.com>
Date: Tue, 24 Feb 2026 18:49:51 +0000
Subject: [PATCH 1/5] feature: code and test complete

---
 at_client/pom.xml                             |  16 +
 .../org/atsign/client/api/AtKeyNames.java     |   5 +
 .../java/org/atsign/client/api/Secondary.java |  41 +-
 .../client/api/impl/clients/AtClientImpl.java |   2 +-
 .../client/api/impl/clients/AtClients.java    |  62 ++
 .../api/impl/clients/DefaultAtClientImpl.java | 345 ++++++++
 .../api/impl/secondaries/RemoteSecondary.java |   2 +-
 .../org/atsign/client/cli/AbstractCli.java    | 209 +----
 .../java/org/atsign/client/cli/Activate.java  | 308 ++-----
 .../connection/api/AtClientConnection.java    |  84 ++
 .../connection/api/AtEndpointSupplier.java    |  17 +
 .../connection/api/ReconnectStrategy.java     |  50 ++
 .../client/connection/common/Command.java     |  95 +++
 .../connection/common/CommandQueue.java       | 152 ++++
 .../common/SimpleReconnectStrategy.java       |  66 ++
 .../netty/NettyAtClientConnection.java        | 570 +++++++++++++
 .../netty/NettyAtCommandEncoder.java          |  23 +
 .../netty/NettyAtEndpointSupplier.java        |  60 ++
 .../netty/NettyAtResponseDecoder.java         |  84 ++
 .../netty/NettyAtThreadFactory.java           |  49 ++
 .../connection/protocol/AtExceptions.java     |  90 ++
 .../connection/protocol/Authentication.java   | 104 +++
 .../client/connection/protocol/Data.java      | 117 +++
 .../client/connection/protocol/Enroll.java    | 322 ++++++++
 .../client/connection/protocol/Error.java     |  50 ++
 .../client/connection/protocol/Keys.java      |  82 ++
 .../connection/protocol/Notifications.java    | 104 +++
 .../connection/protocol/PublicKeys.java       | 109 +++
 .../client/connection/protocol/Responses.java |  70 ++
 .../client/connection/protocol/Scan.java      |  36 +
 .../client/connection/protocol/SelfKeys.java  |  77 ++
 .../connection/protocol/SharedKeys.java       | 232 ++++++
 .../connection/protocol/package-info.java     |   8 +
 .../java/org/atsign/client/util/AuthUtil.java |   1 +
 .../atsign/client/util/EncryptionUtil.java    |  39 +-
 .../main/java/org/atsign/common/Metadata.java |   3 +-
 .../AtInvalidSyntaxException.java             |   2 +-
 .../AtServerRuntimeException.java             |   2 +-
 .../common/exceptions/AtOnReadyException.java |  19 +
 .../common/options/GetRequestOptions.java     |  30 +-
 .../atsign/common/options/RequestOptions.java |   8 -
 .../org/atsign/client/cli/ActivateIT.java     |   1 -
 .../connection/common/CommandQueueTest.java   | 365 +++++++++
 .../client/connection/common/CommandTest.java | 144 ++++
 .../common/SimpleReconnectStrategyTest.java   | 157 ++++
 .../netty/NettyAtClientConnectionIT.java      |  72 ++
 .../netty/NettyAtClientConnectionTest.java    | 769 ++++++++++++++++++
 .../netty/NettyAtCommandEncoderTest.java      |  49 ++
 .../netty/NettyAtEndpointSupplierTest.java    | 107 +++
 .../NettyAtServerResponseDecoderTest.java     | 140 ++++
 .../client/connection/netty/TestServer.java   | 262 ++++++
 .../connection/protocol/AtExceptionsTest.java | 185 +++++
 .../protocol/AuthenticationTest.java          |  94 +++
 .../client/connection/protocol/DataTest.java  |  99 +++
 .../connection/protocol/EnrollTest.java       | 250 ++++++
 .../client/connection/protocol/ErrorTest.java |  39 +
 .../client/connection/protocol/KeysTest.java  |  94 +++
 .../protocol/NotificationsTest.java           | 184 +++++
 .../connection/protocol/PublicKeysTest.java   | 174 ++++
 .../connection/protocol/ResponsesTest.java    |  96 +++
 .../client/connection/protocol/ScanTest.java  |  54 ++
 .../connection/protocol/SelfKeysTest.java     | 105 +++
 .../connection/protocol/SharedKeysTest.java   | 157 ++++
 .../protocol/TestConnectionBuilder.java       |  76 ++
 .../atsign/cucumber/steps/ActivateSteps.java  |  60 +-
 .../cucumber/steps/AtClientContext.java       |  25 +-
 .../test/resources/features/Activate.feature  |   4 +-
 .../test/resources/features/Monitor.feature   |   2 +
 .../test/resources/simpleLogger.properties    |   4 +-
 .../main/java/org/atsign/client/cli/REPL.java |   2 +-
 .../PublicKeyGetBypassCacheExample.java       |   2 +-
 pom.xml                                       |  33 +
 72 files changed, 6987 insertions(+), 563 deletions(-)
 create mode 100644 at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java
 create mode 100644 at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/common/Command.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Data.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Error.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java
 create mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java
 rename at_client/src/main/java/org/atsign/common/exceptions/{ => AtExceptions}/AtInvalidSyntaxException.java (85%)
 rename at_client/src/main/java/org/atsign/common/exceptions/{ => AtExceptions}/AtServerRuntimeException.java (85%)
 create mode 100644 at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java
 delete mode 100644 at_client/src/main/java/org/atsign/common/options/RequestOptions.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java
 create mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java

diff --git a/at_client/pom.xml b/at_client/pom.xml
index 1f3daa51..c33e0527 100644
--- a/at_client/pom.xml
+++ b/at_client/pom.xml
@@ -85,6 +85,11 @@
         <artifactId>maven-checkstyle-plugin</artifactId>
       </plugin>
 
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+      </plugin>
+
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>exec-maven-plugin</artifactId>
@@ -120,6 +125,11 @@
       <artifactId>bcprov-jdk15to18</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-all</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>info.picocli</groupId>
       <artifactId>picocli</artifactId>
@@ -136,6 +146,12 @@
       <scope>provided</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter</artifactId>
diff --git a/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java b/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
index eee0d3ab..b93fe8fc 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
@@ -54,4 +54,9 @@ public static String toSharedWithMeKeyName(AtSign sharedBy, AtSign sharedWith) {
     return String.format("%s:%s%s", SHARED_KEY, sharedWith, sharedBy);
   }
 
+
+  public static boolean isManagementKeyName(String s) {
+    return s.matches(".+\\.__manage@.+");
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/api/Secondary.java b/at_client/src/main/java/org/atsign/client/api/Secondary.java
index 5fccbad0..b6a0619b 100644
--- a/at_client/src/main/java/org/atsign/client/api/Secondary.java
+++ b/at_client/src/main/java/org/atsign/client/api/Secondary.java
@@ -3,6 +3,7 @@
 import java.io.Closeable;
 import java.io.IOException;
 
+import org.atsign.client.connection.protocol.AtExceptions;
 import org.atsign.common.AtException;
 import org.atsign.common.AtSign;
 import org.atsign.common.exceptions.*;
@@ -104,45 +105,7 @@ public AtException getException() {
       if (!isError()) {
         return null;
       }
-      if (AtServerRuntimeException.CODE.equals(errorCode)) {
-        return new AtServerRuntimeException(errorText);
-      } else if (AtInvalidSyntaxException.CODE.equals(errorCode)) {
-        return new AtInvalidSyntaxException(errorText);
-      } else if (AtBufferOverFlowException.CODE.equals(errorCode)) {
-        return new AtBufferOverFlowException(errorText);
-      } else if (AtOutboundConnectionLimitException.CODE.equals(errorCode)) {
-        return new AtOutboundConnectionLimitException(errorText);
-      } else if (AtSecondaryNotFoundException.CODE.equals(errorCode)) {
-        return new AtSecondaryNotFoundException(errorText);
-      } else if (AtHandShakeException.CODE.equals(errorCode)) {
-        return new AtHandShakeException(errorText);
-      } else if (AtUnauthorizedException.CODE.equals(errorCode)) {
-        return new AtUnauthorizedException(errorText);
-      } else if (AtInternalServerError.CODE.equals(errorCode)) {
-        return new AtInternalServerError(errorText);
-      } else if (AtInternalServerException.CODE.equals(errorCode)) {
-        return new AtInternalServerException(errorText);
-      } else if (AtInboundConnectionLimitException.CODE.equals(errorCode)) {
-        return new AtInboundConnectionLimitException(errorText);
-      } else if (AtBlockedConnectionException.CODE.equals(errorCode)) {
-        return new AtBlockedConnectionException(errorText);
-      } else if (AtKeyNotFoundException.CODE.equals(errorCode)) {
-        return new AtKeyNotFoundException(errorText);
-      } else if (AtInvalidAtKeyException.CODE.equals(errorCode)) {
-        return new AtInvalidAtKeyException(errorText);
-      } else if (AtSecondaryConnectException.CODE.equals(errorCode)) {
-        return new AtSecondaryConnectException(errorText);
-      } else if (AtIllegalArgumentException.CODE.equals(errorCode)) {
-        return new AtIllegalArgumentException(errorText);
-      } else if (AtTimeoutException.CODE.equals(errorCode)) {
-        return new AtTimeoutException(errorText);
-      } else if (AtServerIsPausedException.CODE.equals(errorCode)) {
-        return new AtServerIsPausedException(errorText);
-      } else if (AtUnauthenticatedException.CODE.equals(errorCode)) {
-        return new AtUnauthenticatedException(errorText);
-      }
-
-      return new AtNewErrorCodeWhoDisException(errorCode, errorText);
+      return AtExceptions.toTypedException(errorCode, errorText);
     }
   }
 
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java b/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java
index 0a97523f..9f320e31 100644
--- a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java
+++ b/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java
@@ -521,7 +521,7 @@ private String _get(PublicKey key, GetRequestOptions getRequestOptions) throws A
     if (atSign.equals(key.sharedBy())) {
       command = llookupCommandBuilder().key(key).operation(all).build();
     } else {
-      boolean bypassCache = getRequestOptions != null && getRequestOptions.getBypassCache();
+      boolean bypassCache = getRequestOptions != null && getRequestOptions.isBypassCache();
       command = plookupCommandBuilder().key(key).bypassCache(bypassCache).operation(all).build();
     }
 
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java b/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java
new file mode 100644
index 00000000..9de3f770
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java
@@ -0,0 +1,62 @@
+package org.atsign.client.api.impl.clients;
+
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.atsign.client.api.AtClient;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.impl.events.SimpleAtEventBus;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.api.AtEndpointSupplier;
+import org.atsign.client.connection.api.ReconnectStrategy;
+import org.atsign.client.connection.common.SimpleReconnectStrategy;
+import org.atsign.client.connection.netty.NettyAtClientConnection;
+import org.atsign.client.connection.netty.NettyAtEndpointSupplier;
+import org.atsign.client.connection.protocol.Authentication;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+
+import lombok.Builder;
+
+/**
+ * Utilities for instantiating AtClient implementations
+ */
+public class AtClients {
+
+  @Builder(builderClassName = "AtClientsBuilder", builderMethodName = "builder")
+  public static AtClient createAtClient(String url,
+                                        AtSign atSign,
+                                        AtKeys keys,
+                                        ReconnectStrategy reconnect,
+                                        Boolean isVerbose)
+      throws AtException {
+
+    // Netty based connection implementation
+    AtClientConnection connection = NettyAtClientConnection.builder()
+        .endpoint(createEndpointSupplier(url, atSign))
+        .isVerbose(isVerbose)
+        .reconnect(reconnect != null ? reconnect : SimpleReconnectStrategy.builder().build())
+        .onReady(Authentication.pkamAuthenticator(atSign, keys))
+        .build();
+
+    return DefaultAtClientImpl.builder()
+        .atSign(atSign)
+        .keys(keys)
+        .connection(connection)
+        .eventBus(new SimpleAtEventBus())
+        .build();
+  }
+
+  private static AtEndpointSupplier createEndpointSupplier(String url, AtSign atSign) {
+    Matcher matcher = Pattern.compile("proxy:(.+)").matcher(url);
+    if (matcher.matches()) {
+      return () -> matcher.group(1);
+    } else {
+      return NettyAtEndpointSupplier.builder()
+          .rootUrl(url)
+          .atsign(atSign)
+          .build();
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java b/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
new file mode 100644
index 00000000..f8e03a98
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
@@ -0,0 +1,345 @@
+package org.atsign.client.api.impl.clients;
+
+import static org.atsign.client.api.AtEvents.AtEventType.decryptedUpdateNotification;
+import static org.atsign.client.connection.protocol.Data.matchData;
+import static org.atsign.client.connection.protocol.Error.matchError;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+import static org.atsign.client.util.EncryptionUtil.aesDecryptFromBase64;
+import static org.atsign.client.util.EncryptionUtil.rsaDecryptFromBase64;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+
+import java.io.IOException;
+import java.util.*;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import org.atsign.client.api.AtClient;
+import org.atsign.client.api.AtEvents.AtEventBus;
+import org.atsign.client.api.AtEvents.AtEventListener;
+import org.atsign.client.api.AtEvents.AtEventType;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.Secondary;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.protocol.*;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+import org.atsign.common.Keys.AtKey;
+import org.atsign.common.Keys.PublicKey;
+import org.atsign.common.Keys.SelfKey;
+import org.atsign.common.Keys.SharedKey;
+import org.atsign.common.exceptions.AtDecryptionException;
+import org.atsign.common.options.GetRequestOptions;
+
+import lombok.Builder;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Implementation of an {@link AtClient} which wraps a
+ * {@link org.atsign.client.connection.api.AtClientConnection}
+ * in order to implement the "map like" features of the {@link AtClient} interface
+ */
+@SuppressWarnings({"RedundantThrows", "unused"})
+@Slf4j
+public class DefaultAtClientImpl implements AtClient {
+
+  private final AtSign atSign;
+  private final AtKeys keys;
+  private final AtClientConnection connection;
+  private final AtEventBus eventBus;
+  private final AtomicBoolean isMonitoring = new AtomicBoolean();
+  private final Notifications.EventBusBridge eventBusBridge;
+
+  @Override
+  public AtSign getAtSign() {
+    return atSign;
+  }
+
+  @Override
+  public AtKeys getEncryptionKeys() {
+    return keys;
+  }
+
+  @Builder
+  public DefaultAtClientImpl(AtSign atSign, AtKeys keys, AtClientConnection connection, AtEventBus eventBus) {
+    checkNotNull(keys.getEncryptPrivateKey(), "AtKeys have not been fully enrolled");
+    this.atSign = atSign;
+    this.keys = keys;
+    this.connection = connection;
+    this.eventBus = eventBus;
+    this.eventBus.addEventListener(this::handleEvent, EnumSet.allOf(AtEventType.class));
+    this.eventBusBridge = new Notifications.EventBusBridge(eventBus, atSign);
+  }
+
+  @Override
+  public void close() throws IOException {
+    try {
+      connection.close();
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Override
+  public void startMonitor() {
+    isMonitoring.compareAndSet(false, true);
+    connection.onReady(Notifications.monitor(atSign, keys, eventBusBridge::accept));
+  }
+
+  @Override
+  public void stopMonitor() {
+    isMonitoring.compareAndSet(true, false);
+    connection.onReady(Authentication.pkamAuthenticator(atSign, keys));
+  }
+
+  @Override
+  public boolean isMonitorRunning() {
+    return isMonitoring.get();
+  }
+
+  @Override
+  public synchronized void addEventListener(AtEventListener listener, Set<AtEventType> eventTypes) {
+    eventBus.addEventListener(listener, eventTypes);
+  }
+
+  @Override
+  public synchronized void removeEventListener(AtEventListener listener) {
+    eventBus.removeEventListener(listener);
+  }
+
+  @Override
+  public int publishEvent(AtEventType eventType, Map<String, Object> eventData) {
+    return eventBus.publishEvent(eventType, eventData);
+  }
+
+  @Override
+  public CompletableFuture<String> get(SharedKey sharedKey) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        return SharedKeys.get(connection, atSign, keys, sharedKey);
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<byte[]> getBinary(SharedKey sharedKey) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<String> put(SharedKey sharedKey, String value) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        SharedKeys.put(connection, atSign, keys, sharedKey, value);
+        return null;
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<String> delete(SharedKey sharedKey) {
+    return deleteKey(sharedKey);
+  }
+
+  @Override
+  public CompletableFuture<String> get(SelfKey selfKey) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        return SelfKeys.get(connection, keys, selfKey);
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<byte[]> getBinary(SelfKey selfKey) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<String> put(SelfKey selfKey, String value) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        SelfKeys.put(connection, keys, selfKey, value);
+        return null;
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<String> delete(SelfKey selfKey) {
+    return deleteKey(selfKey);
+  }
+
+  @Override
+  public CompletableFuture<String> get(PublicKey publicKey) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        return PublicKeys.get(connection, atSign, publicKey, null);
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<String> get(PublicKey publicKey, GetRequestOptions options) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        return PublicKeys.get(connection, atSign, publicKey, options);
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<byte[]> getBinary(PublicKey publicKey) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions getRequestOptions) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<String> put(PublicKey publicKey, String value) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        PublicKeys.put(connection, keys, publicKey, value);
+        return null;
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public CompletableFuture<String> delete(PublicKey publicKey) {
+    return deleteKey(publicKey);
+  }
+
+  @Override
+  public CompletableFuture<String> put(SharedKey sharedKey, byte[] value) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<String> put(SelfKey selfKey, byte[] value) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<String> put(PublicKey publicKey, byte[] value) {
+    throw new UnsupportedOperationException("to be implemented");
+  }
+
+  @Override
+  public CompletableFuture<List<AtKey>> getAtKeys(String regex) {
+    return getAtKeys(regex, true);
+  }
+
+  @Override
+  public CompletableFuture<List<AtKey>> getAtKeys(String regex, boolean fetchMetadata) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        return Keys.getKeys(connection, regex, fetchMetadata);
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public Response executeCommand(String command, boolean throwExceptionOnErrorResponse)
+      throws AtException, IOException {
+
+    try {
+      String s = connection.sendSync(command);
+      Response response = new Response();
+      if (throwExceptionOnErrorResponse) {
+        response.setRawDataResponse(throwExceptionIfError(matchData(s)));
+      } else {
+        if (s.startsWith("error:")) {
+          response.setRawErrorResponse(matchError(s));
+        } else {
+          response.setRawDataResponse(matchData(s));
+        }
+      }
+      return response;
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  @Override
+  public Secondary getSecondary() {
+    throw new UnsupportedOperationException("not supported");
+  }
+
+  private CompletableFuture<String> deleteKey(AtKey key) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        Keys.deleteKey(connection, key);
+        return null;
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  @Override
+  public void handleEvent(AtEventType eventType, Map<String, Object> eventData) {
+    try {
+      switch (eventType) {
+        case sharedKeyNotification:
+          onSharedKeyNotification(eventData);
+          break;
+        case updateNotification:
+          onUpdateNotification(eventData);
+          break;
+        default:
+          break;
+      }
+    } catch (Exception e) {
+      log.error("unexpected exception handling {} : {}", eventType, eventData, e);
+    }
+  }
+
+  private void onSharedKeyNotification(Map<String, Object> eventData) throws AtDecryptionException {
+    // We've got notification that someone has shared an encryption key with us
+    // If we also got a value, we can decrypt it and add it to our keys map
+    // Note: a value isn't supplied when the ttr on the shared key was set to 0
+    if (eventData.get("value") != null) {
+      String keyName = (String) eventData.get("key");
+      String value = (String) eventData.get("value");
+      String decrypted = rsaDecryptFromBase64(value, keys.getEncryptPrivateKey());
+      keys.put(keyName, decrypted);
+    }
+  }
+
+  private void onUpdateNotification(Map<String, Object> eventData) throws AtException {
+    // Let's see if we can decrypt it on the fly
+    if (eventData.get("value") != null) {
+      String key = (String) eventData.get("key");
+      String encryptedValue = (String) eventData.get("value");
+      Map<String, Object> metadata = (Map<String, Object>) eventData.get("metadata");
+      String ivNonce = (String) metadata.get("ivNonce");
+      SharedKey sk = org.atsign.common.Keys.sharedKeyBuilder().rawKey(key).build();
+      String encryptKeySharedByOther = SharedKeys.getEncryptKeySharedByOther(connection, keys, sk);
+      String decryptedValue = aesDecryptFromBase64(encryptedValue, encryptKeySharedByOther, ivNonce);
+      HashMap<String, Object> newEventData = new HashMap<>(eventData);
+      newEventData.put("decryptedValue", decryptedValue);
+      eventBus.publishEvent(decryptedUpdateNotification, newEventData);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java b/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java
index 389d00a1..a9bb108e 100644
--- a/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java
+++ b/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java
@@ -17,7 +17,7 @@
 import org.atsign.common.AtSign;
 import org.atsign.common.exceptions.AtIllegalArgumentException;
 import org.atsign.common.exceptions.AtInvalidAtKeyException;
-import org.atsign.common.exceptions.AtInvalidSyntaxException;
+import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
 import org.atsign.common.exceptions.AtUnknownResponseException;
 
 /**
diff --git a/at_client/src/main/java/org/atsign/client/cli/AbstractCli.java b/at_client/src/main/java/org/atsign/client/cli/AbstractCli.java
index fa40866f..d14e2e54 100644
--- a/at_client/src/main/java/org/atsign/client/cli/AbstractCli.java
+++ b/at_client/src/main/java/org/atsign/client/cli/AbstractCli.java
@@ -1,28 +1,21 @@
 package org.atsign.client.cli;
 
 import static org.atsign.client.util.Preconditions.checkNotNull;
-import static org.atsign.common.VerbBuilders.*;
 
 import java.io.File;
-import java.io.IOException;
-import java.util.List;
-import java.util.Map;
-import java.util.function.Function;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
+import java.util.concurrent.TimeUnit;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.connections.AtRootConnection;
-import org.atsign.client.api.impl.connections.AtSecondaryConnection;
-import org.atsign.client.api.impl.events.SimpleAtEventBus;
-import org.atsign.client.util.AuthUtil;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.common.SimpleReconnectStrategy;
+import org.atsign.client.connection.netty.NettyAtClientConnection;
+import org.atsign.client.connection.netty.NettyAtClientConnection.NettyAtClientConnectionBuilder;
+import org.atsign.client.connection.netty.NettyAtEndpointSupplier;
+import org.atsign.client.connection.protocol.Authentication;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtException;
 import org.atsign.common.AtSign;
-import org.atsign.common.Json;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
-
-import com.fasterxml.jackson.core.type.TypeReference;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 import picocli.CommandLine.ITypeConverter;
 import picocli.CommandLine.Option;
@@ -35,31 +28,6 @@
  */
 public abstract class AbstractCli<T extends AbstractCli<T>> {
 
-  /**
-   * models server response string which is non-empty JSON map
-   */
-  protected static final Pattern DATA_JSON_NON_EMPTY_MAP = Pattern.compile("data:(\\{.+})");
-
-  /**
-   * models server response string which is JSON map
-   */
-  protected static final Pattern DATA_JSON_MAP = Pattern.compile("data:(\\{.*})");
-
-  /**
-   * models server response string which is non-empty JSON list
-   */
-  protected static final Pattern DATA_JSON_NO_EMPTY_LIST = Pattern.compile("data:(\\[.+])");
-
-  /**
-   * models server response string which is integer
-   */
-  protected static final Pattern DATA_INT = Pattern.compile("data:\\d+");
-
-  /**
-   * models server response string containing no whitespace
-   */
-  public static final Pattern DATA_NON_WHITESPACE = Pattern.compile("data:(\\S+)");
-
   protected String rootUrl = "root.atsign.org";
   protected AtSign atSign;
   protected File keysFile;
@@ -115,154 +83,47 @@ protected static File getAtKeysFile(File keysFile, AtSign atSign) {
     return keysFile != null ? keysFile : KeysUtil.getKeysFile(atSign);
   }
 
-  protected static void checkAtServerMatchesAtSign(AtSecondaryConnection connection, AtSign atSign) throws IOException {
-    String command = scanCommandBuilder().build();
-    if (!matchDataJsonList(connection.executeCommand(command)).contains("signing_publickey" + atSign)) {
-      // TODO: understand precisely what this means (observed in Dart SDK)
-      throw new IllegalStateException("TBC");
-    }
-  }
-
-  protected static void deleteKey(AtSecondaryConnection connection, String rawKey) {
-    try {
-      String command = deleteCommandBuilder().rawKey(rawKey).build();
-      match(connection.executeCommand(command), DATA_INT);
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  protected static void authenticateWithApkam(AtSecondaryConnection connection, AtSign atSign, AtKeys keys)
-      throws AtException, IOException {
-    new AuthUtil().authenticateWithPkam(connection, atSign, keys);
-  }
-
-  protected AtSecondaryConnection createAtSecondaryConnection(AtSign atSign,
-                                                              String rootUrl,
-                                                              int retries)
-      throws Exception {
-    checkNotNull(atSign, "atsign not set");
-    checkNotNull(rootUrl, "root server endpoint not set");
 
-    String secondaryUrl = resolveSecondaryUrl(atSign, rootUrl, retries);
-    AtSecondaryConnection conn =
-        new AtSecondaryConnection(new SimpleAtEventBus(), atSign, secondaryUrl, null, false, verbose);
-    int retriesRemaining = retries;
-    Exception ex;
-    do {
-      try {
-        conn.connect();
-        return conn;
-      } catch (Exception e) {
-        ex = e;
-        Thread.sleep(2000);
-      }
-    } while (retriesRemaining-- > 0);
-    throw ex;
+  protected static String ensureNotNull(String value, String defaultValue) {
+    return value != null ? value : defaultValue;
   }
 
-  protected static String resolveSecondaryUrl(AtSign atSign, String rootUrl, int retries) throws Exception {
-    int retriesRemaining = retries;
-    Exception ex;
-    do {
-      try {
-        return new AtRootConnection(rootUrl).lookupAtSign(atSign);
-      } catch (AtSecondaryNotFoundException e) {
-        ex = e;
-        Thread.sleep(1000);
-      }
-    } while (retriesRemaining-- > 0);
-    throw ex;
+  protected AtClientConnection createConnection(String rootUrl, AtSign atSign, int retries) throws AtException {
+    return creatConnectionBuilder(rootUrl, atSign, retries, verbose).build();
   }
 
-  protected static Map<String, String> decodeJsonMapOfStrings(String json) {
-    try {
-      return Json.MAPPER.readValue(json, new TypeReference<Map<String, String>>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+  protected AtClientConnection createAuthenticatedConnection(String rootUrl, AtSign atSign, int retries)
+      throws AtException {
+    return creatConnectionBuilder(rootUrl, atSign, retries, verbose)
+        .onReady(Authentication.pkamAuthenticator(atSign, getKeys()))
+        .build();
   }
 
-  protected static Map<String, Object> decodeJsonMapOfObjects(String json) {
-    try {
-      return Json.MAPPER.readValue(json, new TypeReference<Map<String, Object>>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+  private static NettyAtClientConnectionBuilder creatConnectionBuilder(String rootUrl, AtSign atSign, int retries,
+                                                                       boolean verbose) {
+    NettyAtEndpointSupplier endpoint = NettyAtEndpointSupplier.builder()
+        .rootUrl(checkNotNull(rootUrl, "root server endpoint not set"))
+        .atsign(checkNotNull(atSign, "atsign not set"))
+        .build();
+    SimpleReconnectStrategy reconnect = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(retries)
+        .reconnectPauseMillis(TimeUnit.SECONDS.toMillis(2))
+        .build();
+    return NettyAtClientConnection.builder()
+        .endpoint(endpoint)
+        .reconnect(reconnect)
+        .isVerbose(verbose);
   }
 
-  protected static List<Object> decodeJsonList(String json) {
+  protected AtKeys getKeys() {
     try {
-      return Json.MAPPER.readValue(json, new TypeReference<List<Object>>() {});
-    } catch (Exception e) {
+      File file = checkExists(getAtKeysFile(keysFile, atSign));
+      return KeysUtil.loadKeys(file);
+    } catch (AtClientConfigException e) {
       throw new RuntimeException(e);
     }
   }
 
-  public static List<String> decodeJsonListOfStrings(String json) {
-    try {
-      return Json.MAPPER.readValue(json, new TypeReference<List<String>>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  protected static String match(String input, Pattern pattern) {
-    Matcher matcher = pattern.matcher(input);
-    if (!matcher.matches()) {
-      throw new RuntimeException("expected [" + pattern + "] but input was : " + input);
-    }
-    StringBuilder builder = new StringBuilder();
-    if (matcher.groupCount() == 0) {
-      builder.append(input);
-    } else {
-      for (int i = 1; i <= matcher.groupCount(); i++) {
-        builder.append(matcher.group(i));
-      }
-    }
-    return builder.toString();
-  }
-
-  protected static <T> T match(String input, Pattern pattern, Function<String, T> transformer) {
-    return transformer.apply(match(input, pattern));
-  }
-
-  protected static String matchDataString(String input) {
-    return match(input, DATA_NON_WHITESPACE, s -> s);
-  }
-
-  protected static int matchDataInt(String input) {
-    return match(input, DATA_INT, Integer::parseInt);
-  }
-
-  protected static List<Object> matchDataJsonList(String input) {
-    return match(input, DATA_JSON_NO_EMPTY_LIST, AbstractCli::decodeJsonList);
-  }
-
-  public static List<String> matchDataJsonListOfStrings(String input) {
-    return match(input, DATA_JSON_NO_EMPTY_LIST, AbstractCli::decodeJsonListOfStrings);
-  }
-
-  protected static Map<String, String> matchDataJsonMapOfStrings(String input, boolean allowEmpty) {
-    return match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP, AbstractCli::decodeJsonMapOfStrings);
-  }
-
-  protected static Map<String, Object> matchDataJsonMapOfObjects(String input, boolean allowEmpty) {
-    return match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP, AbstractCli::decodeJsonMapOfObjects);
-  }
-
-  protected static Map<String, String> matchDataJsonMapOfStrings(String input) {
-    return matchDataJsonMapOfStrings(input, false);
-  }
-
-  protected static Map<String, Object> matchDataJsonMapOfObjects(String input) {
-    return matchDataJsonMapOfObjects(input, false);
-  }
-
-  protected static String ensureNotNull(String value, String defaultValue) {
-    return value != null ? value : defaultValue;
-  }
-
   static class AtSignConverter implements ITypeConverter<AtSign> {
     @Override
     public AtSign convert(String s) {
diff --git a/at_client/src/main/java/org/atsign/client/cli/Activate.java b/at_client/src/main/java/org/atsign/client/cli/Activate.java
index 9284a1e1..2e5d31e2 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Activate.java
+++ b/at_client/src/main/java/org/atsign/client/cli/Activate.java
@@ -1,30 +1,24 @@
 package org.atsign.client.cli;
 
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.util.EncryptionUtil.generateAESKeyBase64;
+import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
 import static org.atsign.client.util.KeysUtil.saveKeys;
 import static org.atsign.client.util.Preconditions.checkNotNull;
-import static org.atsign.common.VerbBuilders.*;
 
 import java.io.File;
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.Callable;
 import java.util.concurrent.TimeUnit;
-import java.util.stream.Collectors;
 
-import org.atsign.client.api.AtKeyNames;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.connections.AtSecondaryConnection;
-import org.atsign.client.util.AuthUtil;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.protocol.Enroll;
+import org.atsign.client.connection.protocol.Scan;
 import org.atsign.client.util.EnrollmentId;
 import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.VerbBuilders;
+import org.atsign.common.exceptions.AtEncryptionException;
 import org.atsign.common.exceptions.AtUnauthenticatedException;
 
 import picocli.CommandLine;
@@ -186,66 +180,35 @@ public Activate addNamespace(String namespace, String accessControl) {
   }
 
   public EnrollmentId onboard() throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
+    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
       return onboard(connection);
     }
   }
 
-  public EnrollmentId onboard(AtSecondaryConnection connection) throws Exception {
+  public EnrollmentId onboard(AtClientConnection connection) throws Exception {
     File file = getAtKeysFile(keysFile, atSign);
     if (!overwriteKeysFile) {
       checkNotExists(file);
     }
-    checkAtServerMatchesAtSign(connection, atSign);
-    authenticateWithCram(connection, atSign, cramSecret);
     AtKeys keys = generateAtKeys(true);
-    EnrollmentId enrollmentId = enroll(connection,
-                                       keys,
-                                       ensureNotNull(appName, DEFAULT_FIRST_APP),
-                                       ensureNotNull(deviceName, DEFAULT_FIRST_DEVICE));
-    keys = keys.toBuilder().enrollmentId(enrollmentId).build();
-    authenticateWithApkam(connection, atSign, keys);
+    keys = Enroll.onboard(connection,
+                          atSign,
+                          keys,
+                          cramSecret,
+                          ensureNotNull(appName, DEFAULT_FIRST_APP),
+                          ensureNotNull(deviceName, DEFAULT_FIRST_DEVICE),
+                          deleteCramKey);
     saveKeys(keys, file);
-    storeEncryptPublicKey(connection, atSign, keys);
-    if (deleteCramKey) {
-      deleteCramSecret(connection);
-    }
     return enrollmentId;
   }
 
-  public Activate authenticate(AtSecondaryConnection connection) throws Exception {
-    File file = checkExists(getAtKeysFile(keysFile, atSign));
-    keys = KeysUtil.loadKeys(file);
-    authenticateWithApkam(connection, atSign, keys);
-    return this;
-  }
-
   public List<EnrollmentId> list() throws Exception {
     return list(requestStatus);
   }
 
   public List<EnrollmentId> list(String status) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      return authenticate(connection).list(connection, status);
-    }
-  }
-
-  public List<EnrollmentId> list(AtSecondaryConnection connection, String status) throws Exception {
-    String command = enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.list)
-        .status(status)
-        .build();
-    return matchDataJsonMapOfObjects(connection.executeCommand(command), true).keySet().stream()
-        .map(Activate::inferEnrollmentId)
-        .collect(Collectors.toList());
-  }
-
-  private static EnrollmentId inferEnrollmentId(String key) {
-    int endIndex = key.indexOf('.');
-    if (key.contains("__manage") && endIndex > 0) {
-      return EnrollmentId.createEnrollmentId(key.substring(0, endIndex));
-    } else {
-      throw new RuntimeException(key + " doesn't match expected enrollment key pattern");
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      return Enroll.list(connection, status);
     }
   }
 
@@ -254,54 +217,18 @@ public void approve() throws Exception {
   }
 
   public void approve(EnrollmentId enrollmentId) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      authenticate(connection).approve(connection, enrollmentId);
-    }
-  }
-
-  public void approve(AtSecondaryConnection connection, EnrollmentId enrollmentId) throws Exception {
-    String key = fetchApkamSymmetricKey(connection, enrollmentId);
-    String privateKeyIv = generateRandomIvBase64(16);
-    String encryptPrivateKey = aesEncryptToBase64(keys.getEncryptPrivateKey(), key, privateKeyIv);
-    String selfEncryptKeyIv = generateRandomIvBase64(16);
-    String selfEncryptKey = aesEncryptToBase64(keys.getSelfEncryptKey(), key, selfEncryptKeyIv);
-
-    String command = enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.approve)
-        .enrollmentId(enrollmentId)
-        .encryptPrivateKey(encryptPrivateKey)
-        .encryptPrivateKeyIv(privateKeyIv)
-        .selfEncryptKey(selfEncryptKey)
-        .selfEncryptKeyIv(selfEncryptKeyIv)
-        .build();
-
-    Map<String, String> response = matchDataJsonMapOfStrings(connection.executeCommand(command));
-    if (!"approved".equals(response.get("status"))) {
-      throw new RuntimeException("status is not approved : " + response.get("status"));
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      Enroll.approve(connection, getKeys(), enrollmentId);
     }
   }
 
-  private String fetchApkamSymmetricKey(AtSecondaryConnection connection, EnrollmentId enrollmentId) throws Exception {
-    String command = enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.fetch)
-        .enrollmentId(enrollmentId)
-        .build();
-    Map<String, Object> request = matchDataJsonMapOfObjects(connection.executeCommand(command));
-    if (!"pending".equals(request.get("status"))) {
-      throw new RuntimeException("status is not pending : " + request.get("status"));
-    }
-    String encryptedApkamSymmetricKey =
-        (String) request.get(VerbBuilders.EnrollParameters.ENCRYPTED_APKAM_SYMMETRIC_KEY);
-    return rsaDecryptFromBase64(encryptedApkamSymmetricKey, keys.getEncryptPrivateKey());
-  }
-
   public void deny() throws Exception {
     deny(checkNotNull(enrollmentId, "enrollment id not set"));
   }
 
   public void deny(EnrollmentId enrollmentId) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      authenticate(connection).deny(connection, enrollmentId);
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      Enroll.deny(connection, enrollmentId);
     }
   }
 
@@ -310,8 +237,8 @@ public void revoke() throws Exception {
   }
 
   public void revoke(EnrollmentId enrollmentId) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      authenticate(connection).revoke(connection, enrollmentId);
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      Enroll.revoke(connection, enrollmentId);
     }
   }
 
@@ -320,194 +247,69 @@ public void unrevoke() throws Exception {
   }
 
   public void unrevoke(EnrollmentId enrollmentId) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      authenticate(connection).unrevoke(connection, enrollmentId);
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      Enroll.unrevoke(connection, enrollmentId);
     }
   }
 
   public void delete(EnrollmentId enrollmentId) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      authenticate(connection).delete(connection, enrollmentId);
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      delete(connection, enrollmentId);
     }
   }
 
-  public void deny(AtSecondaryConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "deny", enrollmentId, "denied");
-  }
-
-  public void revoke(AtSecondaryConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "revoke", enrollmentId, "revoked");
-  }
-
-  public void unrevoke(AtSecondaryConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "unrevoke", enrollmentId, "approved");
-  }
-
-  public void delete(AtSecondaryConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "delete", enrollmentId, "deleted");
+  public static void delete(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
+    Enroll.delete(connection, enrollmentId);
   }
 
   public String otp() throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      return otp(connection);
+    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      return Enroll.otp(connection);
     }
   }
 
-  public String otp(AtSecondaryConnection connection) throws IOException, AtException {
-    File file = checkExists(getAtKeysFile(keysFile, atSign));
-    AtKeys keys = KeysUtil.loadKeys(file);
-    authenticateWithApkam(connection, atSign, keys);
-    String command = otpCommandBuilder().build();
-    return match(connection.executeCommand(command), DATA_NON_WHITESPACE);
-  }
-
   public List<String> scan() throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
-      return scan(connection);
-    }
-  }
-
-  public List<String> scan(AtSecondaryConnection connection) throws Exception {
-    String command = scanCommandBuilder()
-        .showHidden(true)
-        .regex(".*")
-        .build();
-    return matchDataJsonListOfStrings(connection.executeCommand(command));
-  }
-
-  private void singleArgEnrollAction(AtSecondaryConnection connection,
-                                     String action,
-                                     EnrollmentId enrollmentId,
-                                     String expectedStatus)
-      throws Exception {
-    String command = enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.valueOf(action))
-        .enrollmentId(enrollmentId)
-        .build();
-    Map<String, String> map = matchDataJsonMapOfStrings(connection.executeCommand(command));
-    if (!expectedStatus.equals(map.get("status"))) {
-      throw new RuntimeException("status is not " + expectedStatus + " : " + map.get("status"));
-    }
-  }
-
-  protected static void authenticateWithCram(AtSecondaryConnection connection, AtSign atSign, String cramSecret)
-      throws AtException, IOException {
-    checkNotNull(cramSecret, "CRAM secret not set");
-    new AuthUtil().authenticateWithCram(connection, atSign, cramSecret);
-  }
-
-  private static EnrollmentId enroll(AtSecondaryConnection connection,
-                                     AtKeys keys,
-                                     String appName,
-                                     String deviceName)
-      throws Exception {
-    String command = enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.request)
-        .appName(appName)
-        .deviceName(deviceName)
-        .apkamPublicKey(keys.getApkamPublicKey())
-        .build();
-    Map<String, String> response = matchDataJsonMapOfStrings(connection.executeCommand(command));
-    if (!response.get("status").equals("approved")) {
-      throw new RuntimeException("enroll request failed, expected status approved : " + response);
+    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
+      return Scan.scan(connection, true, ".*");
     }
-    return createEnrollmentId(response.get("enrollmentId"));
-  }
-
-  protected static void storeEncryptPublicKey(AtSecondaryConnection connection, AtSign atSign, AtKeys keys)
-      throws IOException {
-    String command = updateCommandBuilder()
-        .sharedBy(atSign)
-        .keyName(AtKeyNames.PUBLIC_ENCRYPT)
-        .isPublic(true)
-        .value(keys.getEncryptPublicKey())
-        .build();
-    match(connection.executeCommand(command), DATA_INT);
-  }
-
-  protected static void deleteCramSecret(AtSecondaryConnection connection) {
-    deleteKey(connection, AtKeyNames.PRIVATE_AT_SECRET);
-  }
-
-  protected static AtKeys generateAtKeys(boolean generateEncryptionKeyPair) throws NoSuchAlgorithmException {
-    AtKeys.AtKeysBuilder builder = AtKeys.builder()
-        .selfEncryptKey(generateAESKeyBase64())
-        .apkamKeyPair(generateRSAKeyPair())
-        .apkamSymmetricKey(generateAESKeyBase64());
-    if (generateEncryptionKeyPair) {
-      builder.encryptKeyPair(generateRSAKeyPair());
-    }
-    return builder.build();
   }
 
   public EnrollmentId enroll() throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
+    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
       return enroll(connection);
     }
   }
 
-  public EnrollmentId enroll(AtSecondaryConnection connection) throws Exception {
-    String command = lookupCommandBuilder()
-        .keyName(AtKeyNames.PUBLIC_ENCRYPT)
-        .sharedBy(atSign)
-        .build();
-    String publicKey = matchDataString(connection.executeCommand(command));
+  public EnrollmentId enroll(AtClientConnection connection) throws Exception {
     File file = keysFile;
     if (!overwriteKeysFile) {
       checkNotExists(file);
     }
-    AtKeys keys = generateAtKeys(false).toBuilder()
-        .encryptPublicKey(publicKey)
-        .build();
-    enrollmentId = enroll(connection, keys);
-    keys = keys.toBuilder().enrollmentId(enrollmentId).build();
+    AtKeys keys = generateAtKeys(false);
+    keys = Enroll.enroll(connection, atSign, keys, otp, appName, deviceName, namespaces);
     KeysUtil.saveKeys(keys, keysFile);
     return keys.getEnrollmentId();
   }
 
-  private EnrollmentId enroll(AtSecondaryConnection connection, AtKeys keys) throws Exception {
-    String command = enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.request)
-        .appName(appName)
-        .deviceName(deviceName)
-        .apkamPublicKey(keys.getApkamPublicKey())
-        .apkamSymmetricKey(rsaEncryptToBase64(keys.getApkamSymmetricKey(), keys.getEncryptPublicKey()))
-        .otp(otp)
-        .namespaces(namespaces)
-        .build();
-    Map<String, String> response = matchDataJsonMapOfStrings(connection.executeCommand(command));
-    if ("pending".equals(response.get("status"))) {
-      return EnrollmentId.createEnrollmentId(response.get("enrollmentId"));
-    } else {
-      throw new RuntimeException("expected status pending : " + response);
-    }
-  }
-
   public void complete() throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
+    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
       complete(connection);
     }
   }
 
-  public void complete(AtSecondaryConnection connection) throws Exception {
+  public void complete(AtClientConnection connection) throws Exception {
     AtKeys keys = KeysUtil.loadKeys(keysFile);
-    authenticate(connection);
-    String selfEncryptKey = keysGetDecrypted(connection, atSign, keys, AtKeyNames.SELF_ENCRYPTION_KEY);
-    String encryptPrivateKey = keysGetDecrypted(connection, atSign, keys, AtKeyNames.ENCRYPT_PRIVATE_KEY);
-    keys = keys.toBuilder()
-        .selfEncryptKey(selfEncryptKey)
-        .encryptPrivateKey(encryptPrivateKey)
-        .build();
+    keys = Enroll.complete(connection, atSign, keys);
     KeysUtil.saveKeys(keys, keysFile);
   }
 
   public void complete(int retries, long sleepDuration, TimeUnit sleepUnit) throws Exception {
-    try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, connectionRetries)) {
+    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
       complete(connection, retries, sleepDuration, sleepUnit);
     }
   }
 
-  public void complete(AtSecondaryConnection connection, int retries, long sleepDuration, TimeUnit sleepUnit)
+  public void complete(AtClientConnection connection, int retries, long sleepDuration, TimeUnit sleepUnit)
       throws Exception {
     Exception exception;
     int remainingRetries = retries;
@@ -526,23 +328,15 @@ public void complete(AtSecondaryConnection connection, int retries, long sleepDu
     throw exception != null ? exception : new IllegalArgumentException();
   }
 
-  private static String keysGetDecrypted(AtSecondaryConnection connection,
-                                         AtSign atSign,
-                                         AtKeys keys,
-                                         String keyConstant)
-      throws Exception {
-    String rawKeyName = keys.getEnrollmentId() + "." + keyConstant + ".__manage" + atSign;
-    String command = keysCommandBuilder()
-        .operation(VerbBuilders.KeysOperation.get)
-        .keyName(rawKeyName)
-        .build();
-    return decryptEncryptedKey(connection.executeCommand(command), keys.getApkamSymmetricKey());
+  protected static AtKeys generateAtKeys(boolean generateEncryptionKeyPair) throws AtEncryptionException {
+    AtKeys.AtKeysBuilder builder = AtKeys.builder()
+        .selfEncryptKey(generateAESKeyBase64())
+        .apkamKeyPair(generateRSAKeyPair())
+        .apkamSymmetricKey(generateAESKeyBase64());
+    if (generateEncryptionKeyPair) {
+      builder.encryptKeyPair(generateRSAKeyPair());
+    }
+    return builder.build();
   }
 
-  protected static String decryptEncryptedKey(String json, String keyBase64) throws Exception {
-    Map<String, String> map = matchDataJsonMapOfStrings(json);
-    String encryptedKey = map.get("value");
-    String iv = map.get("iv");
-    return aesDecryptFromBase64(encryptedKey, keyBase64, iv);
-  }
 }
diff --git a/at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java b/at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java
new file mode 100644
index 00000000..ce34ae4d
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java
@@ -0,0 +1,84 @@
+package org.atsign.client.connection.api;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+/**
+ * Represents a connection to an AtSign server command interface.
+ */
+public interface AtClientConnection extends AutoCloseable {
+
+  /**
+   * Asynchronously executes an Atsign Protocol command that is expected to return a response.
+   *
+   * @param command the command to execute
+   * @param future the future which will be completed with the response
+   */
+  void send(String command, CompletableFuture<String> future);
+
+  /**
+   * Asynchronously executes an Atsign Protocol command that is expected to return a response.
+   *
+   * @param command the command to execute
+   * @return the future which will be completed with the response
+   */
+  default CompletableFuture<String> send(String command) {
+    CompletableFuture<String> future = new CompletableFuture<>();
+    send(command, future);
+    return future;
+  }
+
+  /**
+   * Synchronously executes an Atsign Protocol command that is expected to return a response.
+   * This method will return once the command has been sent to the AtSign server and the response
+   * has been received.
+   *
+   * @param command the command to execute
+   * @return the response
+   */
+  String sendSync(String command) throws ExecutionException, InterruptedException;
+
+  /**
+   * Asynchronously executes an Atsign Protocol command that is expected to return a stream of events.
+   *
+   * @param command the command to execute
+   * @param consumer the consumer which the connection will invoke with each event
+   * @param future the future which will be completed when the command is sent and acknowledged
+   */
+  void send(String command, Consumer<String> consumer, CompletableFuture<Void> future);
+
+  /**
+   * Asynchronously executes an Atsign Protocol command that is expected to return a stream of events.
+   *
+   * @param command the command to execute
+   * @param consumer the consumer which the connection will invoke with each event
+   * @return a future which will be completed when the command is sent and acknowledged
+   */
+  default CompletableFuture<Void> send(String command, Consumer<String> consumer) {
+    CompletableFuture<Void> future = new CompletableFuture<>();
+    send(command, consumer, future);
+    return future;
+  }
+
+  /**
+   * Synchronously executes an Atsign Protocol command that is expected to return a stream of events.
+   * This method will return once the command has been sent to the AtSign server and some form of
+   * acknowledgement has been received.
+   *
+   * @param command the command to execute
+   * @param consumer the consumer which the connection will invoke with each event
+   */
+  void sendSync(String command, Consumer<String> consumer) throws ExecutionException, InterruptedException;
+
+  /**
+   * Registers a consumer that will be invoked when the connection is ready for sending commands.
+   * This is intended to be used to execute commands that set up state, for example to ensure that
+   * a connection is authenticated or that a connection is registered for notifications.
+   * If this connection is already ready then the consumer will be invoked immediately.
+   *
+   * @param consumer a consumer that will perform commands
+   * @return this (to allow chaining / fluent style invocation)
+   */
+  AtClientConnection onReady(Consumer<AtClientConnection> consumer);
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java b/at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java
new file mode 100644
index 00000000..ee9fa6af
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java
@@ -0,0 +1,17 @@
+package org.atsign.client.connection.api;
+
+import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+
+/**
+ * Something that is capable of supplying an endpoint string
+ */
+public interface AtEndpointSupplier {
+
+  /**
+   *
+   * @return host and port separated by a colon symbol
+   * @throws AtSecondaryNotFoundException if it is not possible to resolve the endpoint
+   */
+  String get() throws AtSecondaryNotFoundException;
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java
new file mode 100644
index 00000000..e19ff0e4
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java
@@ -0,0 +1,50 @@
+package org.atsign.client.connection.api;
+
+/**
+ * A strategy for controlling re-connection behavior
+ */
+public interface ReconnectStrategy {
+
+  boolean isReconnectSupported();
+
+  void onConnectFailure(Throwable ex);
+
+  void onConnect();
+
+  void onDisconnect(Throwable ex);
+
+  long getReconnectPauseMillis();
+
+  boolean isReresolveEndpoint();
+
+  /**
+   * A strategy where no reconnection is required
+   */
+  ReconnectStrategy NONE = new ReconnectStrategy() {
+
+    @Override
+    public boolean isReconnectSupported() {
+      return false;
+    }
+
+    @Override
+    public void onConnectFailure(Throwable ex) {}
+
+    @Override
+    public void onConnect() {}
+
+    @Override
+    public void onDisconnect(Throwable ex) {}
+
+    @Override
+    public long getReconnectPauseMillis() {
+      return 0;
+    }
+
+    @Override
+    public boolean isReresolveEndpoint() {
+      return false;
+    }
+  };
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/common/Command.java b/at_client/src/main/java/org/atsign/client/connection/common/Command.java
new file mode 100644
index 00000000..f0b12c10
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/common/Command.java
@@ -0,0 +1,95 @@
+package org.atsign.client.connection.common;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.function.Consumer;
+
+/**
+ * An "element" / holder for commands
+ */
+public class Command {
+
+  private final String text;
+
+  private final CompletableFuture<?> future;
+
+  private final Consumer<String> consumer;
+
+  private final long timestampMillis;
+
+  private final boolean isOnReady;
+
+  public Command(String text, CompletableFuture<String> future, long timestampMillis, boolean isOnReady) {
+    this.text = text;
+    this.future = future;
+    this.consumer = null;
+    this.timestampMillis = timestampMillis;
+    this.isOnReady = isOnReady;
+  }
+
+  public Command(String text, CompletableFuture<Void> future, Consumer<String> consumer, long timestampMillis,
+                 boolean isOnReady) {
+    this.text = text;
+    this.future = future;
+    this.consumer = consumer;
+    this.timestampMillis = timestampMillis;
+    this.isOnReady = isOnReady;
+  }
+
+  @Override
+  public String toString() {
+    return text;
+  }
+
+  public boolean isTimedOut(long timeoutMillis) {
+    return timestampMillis < timeoutMillis;
+  }
+
+  public boolean isOnReady() {
+    return isOnReady;
+  }
+
+  public void completeExceptionally(Throwable ex) {
+    future.completeExceptionally(ex);
+  }
+
+  public void complete(String s) {
+    if (consumer != null) {
+      future.complete(null);
+      if (s != null) {
+        consumer.accept(s);
+      }
+    } else {
+      //noinspection unchecked
+      ((CompletableFuture<String>) future).complete(s);
+    }
+  }
+
+  public boolean isMatch(String response) {
+    if (consumer != null) {
+      if (isErrorResponse(response)) {
+        return true;
+      } else {
+        return text.startsWith("monitor") && response.startsWith("notification:");
+      }
+    } else {
+      // currently no way to match responses to commands
+      return true;
+    }
+  }
+
+  public boolean isConsumerCommand() {
+    return consumer != null;
+  }
+
+  public static boolean isConsumerCommand(Command command) {
+    return command != null && command.isConsumerCommand();
+  }
+
+  public static boolean isConsumerResponse(String s) {
+    return s.startsWith("notification:");
+  }
+
+  public static boolean isErrorResponse(String s) {
+    return s.startsWith("error:");
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java b/at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java
new file mode 100644
index 00000000..32ce7f06
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java
@@ -0,0 +1,152 @@
+package org.atsign.client.connection.common;
+
+import static org.atsign.client.connection.common.Command.isConsumerCommand;
+import static org.atsign.client.connection.netty.NettyAtClientConnection.isPrompt;
+
+import java.util.Collection;
+import java.util.Deque;
+import java.util.Iterator;
+import java.util.Spliterator;
+import java.util.concurrent.ConcurrentLinkedDeque;
+import java.util.function.Consumer;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+
+/**
+ * A queue of {@link Command} elements. This is used to hold pending commands, those
+ * commands which have been sent but no response has been received (or event commands
+ * where there will be a stream of responses). It is also used to hold queued commands
+ * in the event that the pending {@link CommandQueue} is full.
+ */
+public class CommandQueue implements Iterable<Command> {
+
+  private final int capacity;
+
+  private final Deque<Command> commands = new ConcurrentLinkedDeque<>();
+
+  private final Deque<Command> consumers = new ConcurrentLinkedDeque<>();
+
+  public CommandQueue(int capacity) {
+    this.capacity = capacity;
+  }
+
+  public void clear() {
+    commands.clear();
+    consumers.clear();
+  }
+
+  public int drain(CommandQueue queue) {
+    Command command;
+    int count = 0;
+    while ((command = queue.poll()) != null) {
+      commands.addFirst(command);
+      count++;
+    }
+    return count;
+  }
+
+  public void removeIf(Predicate<Command> predicate) {
+    commands.removeIf(predicate);
+  }
+
+  public boolean offer(Command command) {
+    if (command.isConsumerCommand() && hasConsumerCommand()) {
+      // TODO: allow replacement of existing command where the verb matches
+      return false;
+    }
+    if (commands.size() + 1 <= capacity) {
+      commands.addLast(command);
+      return true;
+    } else {
+      return false;
+    }
+  }
+
+  public Command pop(String response) {
+    Command command = null;
+    if (isPrompt(response)) {
+      if (isConsumerCommand(commands.peek())) {
+        command = commands.pop();
+        consumers.add(command);
+      }
+    } else if (Command.isConsumerResponse(response)) {
+      if (isConsumerCommand(commands.peek())) {
+        consumers.add(pollFirst(response));
+      }
+      command = consumers.peek();
+    } else {
+      command = pollFirst(response);
+    }
+    return command;
+  }
+
+  public Command poll() {
+    return commands.pollFirst();
+  }
+
+  public Command peek() {
+    return commands.peekFirst();
+  }
+
+  public int size() {
+    return commands.size();
+  }
+
+  public boolean isEmpty() {
+    return commands.isEmpty();
+  }
+
+  public int getQueueCapacity() {
+    return capacity;
+  }
+
+  public Collection<Command> pollTimedOut(long timeoutMillis) {
+    Collection<Command> list = commands.stream()
+        .filter(command -> command.isTimedOut(timeoutMillis))
+        .collect(Collectors.toList());
+    commands.removeAll(list);
+    return list;
+  }
+
+  public Collection<Command> pollIsOnReady() {
+    Collection<Command> list = commands.stream()
+        .filter(command -> command.isOnReady())
+        .collect(Collectors.toList());
+    commands.removeAll(list);
+    return list;
+  }
+
+  @Override
+  public Iterator<Command> iterator() {
+    return commands.iterator();
+  }
+
+  @Override
+  public void forEach(Consumer<? super Command> action) {
+    commands.forEach(action);
+  }
+
+  @Override
+  public Spliterator<Command> spliterator() {
+    return commands.spliterator();
+  }
+
+  public boolean hasConsumerCommand() {
+    if (!consumers.isEmpty()) {
+      return true;
+    }
+    return commands.stream().filter(c -> c.isConsumerCommand()).findAny().orElse(null) != null;
+  }
+
+  private Command pollFirst(String response) {
+    Iterator<Command> it = commands.iterator();
+    while (it.hasNext()) {
+      Command command = it.next();
+      if (command.isMatch(response)) {
+        it.remove();
+        return command;
+      }
+    }
+    return null;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java
new file mode 100644
index 00000000..a97c7d37
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java
@@ -0,0 +1,66 @@
+package org.atsign.client.connection.common;
+
+import lombok.Builder;
+import org.atsign.client.connection.api.ReconnectStrategy;
+
+import java.util.concurrent.TimeUnit;
+
+/**
+ * A default implementation based on a number of reconnection retries with a simple
+ * back-off strategy and re-resolve strategy.
+ */
+public class SimpleReconnectStrategy implements ReconnectStrategy {
+
+  public static final long RECONNECT_RETRY_FOREVER = 0;
+
+  public static final long DEFAULT_RECONNECT_PAUSE_MILLIS = TimeUnit.SECONDS.toMillis(1);
+
+  private final long maxReconnectRetries;
+  private final int resolveEndpointFrequency;
+  private final long reconnectPauseMillis;
+
+  private long connectFailureCount;
+
+  @Builder
+  public SimpleReconnectStrategy(long maxReconnectRetries, int resolveEndpointFrequency, long reconnectPauseMillis) {
+    this.maxReconnectRetries = maxReconnectRetries;
+    this.resolveEndpointFrequency = resolveEndpointFrequency;
+    this.reconnectPauseMillis = reconnectPauseMillis;
+  }
+
+  @Override
+  public boolean isReconnectSupported() {
+    return maxReconnectRetries == RECONNECT_RETRY_FOREVER || connectFailureCount <= maxReconnectRetries;
+  }
+
+  @Override
+  public void onConnectFailure(Throwable ex) {
+    connectFailureCount++;
+  }
+
+  @Override
+  public void onConnect() {
+    connectFailureCount = 0;
+  }
+
+  @Override
+  public void onDisconnect(Throwable ex) {}
+
+  @Override
+  public long getReconnectPauseMillis() {
+    if (connectFailureCount == 0) {
+      return 0;
+    } else {
+      return reconnectPauseMillis > 0 ? reconnectPauseMillis : DEFAULT_RECONNECT_PAUSE_MILLIS;
+    }
+  }
+
+  @Override
+  public boolean isReresolveEndpoint() {
+    if (connectFailureCount == 0) {
+      return false;
+    } else {
+      return resolveEndpointFrequency > 0 && (connectFailureCount % resolveEndpointFrequency) == 0;
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java
new file mode 100644
index 00000000..5412a795
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java
@@ -0,0 +1,570 @@
+package org.atsign.client.connection.netty;
+
+import static java.util.concurrent.CompletableFuture.failedFuture;
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+
+import java.io.IOException;
+import java.time.Clock;
+import java.util.Collection;
+import java.util.concurrent.*;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.function.Consumer;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.api.AtEndpointSupplier;
+import org.atsign.client.connection.api.ReconnectStrategy;
+import org.atsign.client.connection.common.Command;
+import org.atsign.client.connection.common.CommandQueue;
+import org.atsign.client.util.Preconditions;
+import org.atsign.common.AtException;
+import org.atsign.common.exceptions.AtOnReadyException;
+import org.atsign.common.exceptions.AtSecondaryConnectException;
+import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+import org.atsign.common.exceptions.AtTimeoutException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.netty.bootstrap.Bootstrap;
+import io.netty.channel.*;
+import io.netty.channel.nio.NioEventLoopGroup;
+import io.netty.channel.socket.SocketChannel;
+import io.netty.channel.socket.nio.NioSocketChannel;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.JdkSslContext;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.util.concurrent.DefaultThreadFactory;
+import lombok.Builder;
+
+/**
+ * An implementation that uses Netty
+ */
+public class NettyAtClientConnection implements AtClientConnection {
+
+  public static final long DEFAULT_COMMAND_TIMEOUT_MILLIS = TimeUnit.SECONDS.toMillis(2);
+  public static final long DEFAULT_HEARTBEAT_MILLIS = TimeUnit.SECONDS.toMillis(30);
+  public static final int DEFAULT_MAX_FRAME_LENGTH = 10230000;
+  public static final long DEFAULT_AWAIT_READY_MILLIS = TimeUnit.SECONDS.toMillis(1);
+  private final long heartbeatMillis;
+
+  private enum Status {
+
+    Unconnected, Connected, Readying, Ready, Disconnected, Closing, Closed;
+
+    boolean isClosedOrClosing() {
+      return this == Closed || this == Closing;
+    }
+
+    String toLowerCase() {
+      return name().toLowerCase();
+    }
+  }
+
+  private final AtomicReference<Status> status = new AtomicReference<>(Status.Unconnected);
+
+  private final Logger log;
+
+  private final AtEndpointSupplier endpointSupplier;
+
+  private final Clock clock;
+
+  private final AtomicReference<String> endpoint = new AtomicReference<>();
+
+  private final int maxFrameLength;
+  private final SslContext sslContext;
+  private final EventLoopGroup group;
+  private final Bootstrap bootstrap;
+  private final NettyAtThreadFactory threadFactory;
+  private volatile Channel channel;
+
+  private final ReconnectStrategy reconnectStrategy;
+
+  private final CommandQueue pending;
+  private final CommandQueue queue;
+
+  private final AtomicReference<Consumer<AtClientConnection>> onReadyConsumer = new AtomicReference<>();
+
+  private final long timeoutMillis;
+
+  private final boolean isVerbose;
+
+  private final AtomicReference<AtException> closeException = new AtomicReference<>();
+
+  private final AtomicBoolean isForceReconnect = new AtomicBoolean();
+
+  private final ReentrantLock readyingLock = new ReentrantLock();
+
+  private volatile long lastReadMillis;
+
+  /**
+   * Builder method for instantiating instances of a Netty based implementation of
+   * {@link AtClientConnection}
+   *
+   * @param endpoint A supplier that will be invoked prior to connection attempts, need to return
+   *        host:port
+   * @param maxFrameLength Optional, defaults to {@link #DEFAULT_MAX_FRAME_LENGTH}
+   * @param sslContext Optional {@link SSLContext}, defaults to Netty default client context
+   * @param reconnect Optional implementation of {@link ReconnectStrategy}, defaults to
+   *        {@link ReconnectStrategy#NONE}
+   * @param onReady Optional {@link Consumer} which will be invoked each time connection becomes
+   *        ready. Useful for connection setup e.g. authentication
+   * @param threadFactory Optional {@link ThreadFactory}, defaults to {@link DefaultThreadFactory}
+   * @param timeoutMillis Optional timeout (in milliseconds) for each command that is sent. Defaults
+   *        to {@link #DEFAULT_COMMAND_TIMEOUT_MILLIS}
+   * @param heartbeatMillis Optional frequency which controls if and when the connection sends noop
+   *        commands when there has been no other activity (command responses, notifications)
+   * @param queueLimit Optional, defaults to 0. Defaults to {@link #DEFAULT_HEARTBEAT_MILLIS}.
+   * @param clock Optional implementation of {@link Clock}. Defaults to system clock.
+   * @param log Optional implementation of {@link Logger}. Defaults to classname.
+   */
+  @Builder
+  protected NettyAtClientConnection(AtEndpointSupplier endpoint,
+                                    Integer maxFrameLength,
+                                    SSLContext sslContext,
+                                    ReconnectStrategy reconnect,
+                                    Consumer<AtClientConnection> onReady,
+                                    ThreadFactory threadFactory,
+                                    Long timeoutMillis,
+                                    Long heartbeatMillis,
+                                    Integer queueLimit,
+                                    Long awaitReadyMillis,
+                                    Boolean isVerbose,
+                                    Clock clock,
+                                    Logger log)
+      throws AtException {
+    this.endpointSupplier = Preconditions.checkNotNull(endpoint, "endpoint is not set");
+    this.maxFrameLength = defaultIfUnset(maxFrameLength, DEFAULT_MAX_FRAME_LENGTH);
+    this.reconnectStrategy = defaultIfNull(reconnect, ReconnectStrategy.NONE);
+    this.onReadyConsumer.set(defaultIfNull(onReady, c -> {
+    }));
+    this.pending = new CommandQueue(1);
+    this.queue = new CommandQueue(defaultIfUnset(queueLimit, pending.getQueueCapacity()));
+    this.isVerbose = isVerbose != null && isVerbose;
+    this.clock = defaultIfNull(clock, Clock.systemUTC());
+    this.log = defaultIfNull(log, LoggerFactory.getLogger(getClass()));
+    this.threadFactory = new NettyAtThreadFactory(threadFactory);
+    // DO NOT increase the thread count, this is by design and is crucial to the thread safety
+    this.group = new NioEventLoopGroup(1, this.threadFactory);
+    this.sslContext = sslContext != null ? wrapSslContext(sslContext) : createDefaultSslContext();
+    this.bootstrap = new Bootstrap()
+        .group(group)
+        .channel(NioSocketChannel.class)
+        .option(ChannelOption.SO_KEEPALIVE, true)
+        .handler(new SocketChannelChannelInitializer());
+
+    this.timeoutMillis = defaultIfUnset(timeoutMillis, DEFAULT_COMMAND_TIMEOUT_MILLIS);
+    group.scheduleAtFixedRate(this::checkForTimeouts, this.timeoutMillis, this.timeoutMillis, MILLISECONDS);
+
+    this.heartbeatMillis = defaultIfUnset(heartbeatMillis, DEFAULT_HEARTBEAT_MILLIS);
+    group.scheduleAtFixedRate(this::sendHeartbeat, this.heartbeatMillis, this.heartbeatMillis, MILLISECONDS);
+
+    try {
+      connect().get(this.timeoutMillis, MILLISECONDS);
+      awaitStatus(Status.Ready, defaultIfUnset(awaitReadyMillis, DEFAULT_AWAIT_READY_MILLIS));
+    } catch (InterruptedException | ExecutionException | TimeoutException e) {
+      if (!reconnectStrategy.isReconnectSupported()) {
+        throw new AtSecondaryConnectException("connect failed (and retry is false) : " + e.getMessage(), e);
+      }
+    }
+    if (closeException.get() != null) {
+      throw closeException.get();
+    }
+  }
+
+  /**
+   * A builder for instantiating {@link NettyAtClientConnection} instances.
+   */
+  public static class NettyAtClientConnectionBuilder {
+    // required for javadoc
+  };
+
+  @Override
+  public void send(String command, CompletableFuture<String> future) {
+    if (threadFactory.isCurrentThreadOnReadyThread()) {
+      throw new AtOnReadyException("onReady is prohibited from invoking send, use sendSync");
+    } else if (threadFactory.isCurrentThreadMyThread()) {
+      throw new RuntimeException("send on netty event thread is prohibited");
+    } else {
+      group.execute(() -> send(new Command(command, future, clock.millis(), false)));
+    }
+  }
+
+  @Override
+  public String sendSync(String command) throws ExecutionException, InterruptedException {
+    CompletableFuture<String> future = new CompletableFuture<>();
+    if (threadFactory.isCurrentThreadOnReadyThread()) {
+      send(new Command(command, future, clock.millis(), true));
+    } else if (threadFactory.isCurrentThreadMyThread()) {
+      throw new ExecutionException("send on netty event thread is prohibited", null);
+    } else {
+      group.execute(() -> send(new Command(command, future, clock.millis(), false)));
+    }
+    return future.get();
+  }
+
+  @Override
+  public void send(String command, Consumer<String> consumer, CompletableFuture<Void> future) {
+    if (threadFactory.isCurrentThreadOnReadyThread()) {
+      throw new AtOnReadyException("onReady is prohibited from invoking send, use sendSync");
+    } else if (threadFactory.isCurrentThreadMyThread()) {
+      throw new RuntimeException("send on netty event thread is prohibited");
+    } else {
+      group.execute(() -> send(new Command(command, future, consumer, clock.millis(), false)));
+    }
+  }
+
+  @Override
+  public void sendSync(String command, Consumer<String> consumer) throws ExecutionException, InterruptedException {
+    CompletableFuture<Void> future = new CompletableFuture<>();
+    if (threadFactory.isCurrentThreadOnReadyThread()) {
+      send(new Command(command, future, consumer, clock.millis(), true));
+    } else if (threadFactory.isCurrentThreadMyThread()) {
+      throw new ExecutionException("send on netty event thread is prohibited", null);
+    } else {
+      group.execute(() -> send(new Command(command, future, consumer, clock.millis(), true)));
+    }
+    future.get();
+  }
+
+  @Override
+  public AtClientConnection onReady(Consumer<AtClientConnection> consumer) {
+    checkNotNull(consumer, "null");
+    try {
+      readyingLock.lock();
+      onReadyConsumer.set(consumer);
+      forceReconnect();
+    } finally {
+      readyingLock.unlock();
+    }
+    return this;
+  }
+
+  @Override
+  public void close() {
+    if (!status.get().isClosedOrClosing()) {
+      close(new AtSecondaryConnectException("connection closed"));
+    }
+  }
+
+  public int getPendingSize() {
+    return pending.size();
+  }
+
+  public int getQueuedSize() {
+    return queue.size();
+  }
+
+  public boolean isReady() {
+    return status.get() == Status.Ready;
+  }
+
+  public void forceReconnect() {
+    if (channel != null) {
+      isForceReconnect.set(true);
+      channel.close();
+    }
+  }
+
+  private void close(AtException closeException) {
+    this.closeException.set(closeException);
+    status.set(Status.Closing);
+    if (channel != null) {
+      channel.close();
+    }
+    group.shutdownGracefully();
+    if (!pending.isEmpty() || !queue.isEmpty()) {
+      pending.forEach(command -> command.completeExceptionally(closeException));
+      queue.forEach(command -> command.completeExceptionally(closeException));
+    }
+    status.set(Status.Closed);
+  }
+
+  private Future<Void> connect() {
+    try {
+      resolveEndpoint();
+    } catch (Exception e) {
+      log.error("unabled to resolve endpoint");
+      scheduleReconnect();
+      return failedFuture(new RuntimeException("unable to resolve endpoint : " + e.getMessage(), e));
+    }
+    String endpoint = this.endpoint.get();
+    log.debug("bootstrap.connect({}, {})", toHost(endpoint), toPort(endpoint));
+    ChannelFuture channelFuture = bootstrap.connect(toHost(endpoint), toPort(endpoint));
+    channelFuture.addListener((ChannelFutureListener) this::onConnect);
+    return channelFuture;
+  }
+
+  private void onConnect(ChannelFuture future) {
+    if (future.isSuccess()) {
+      channel = future.channel();
+      log.info("connected to {}", endpoint);
+      status.set(Status.Connected);
+      reconnectStrategy.onConnect();
+    } else {
+      log.warn("connect to {} failed : {}", endpoint, future.cause().getMessage());
+      reconnectStrategy.onConnectFailure(future.cause());
+      scheduleReconnect();
+    }
+  }
+
+  private void checkForTimeouts() {
+    checkForTimeout(queue, this.timeoutMillis, "timed out (in queue)");
+    checkForTimeout(pending, this.timeoutMillis, "timed out (no response from server)");
+  }
+
+  private void checkForTimeout(CommandQueue commands, long timeoutMillis, String message) {
+    Collection<Command> expired = commands.pollTimedOut(clock.millis() - timeoutMillis);
+    if (!expired.isEmpty()) {
+      AtTimeoutException ex = new AtTimeoutException(message);
+      expired.forEach(x -> x.completeExceptionally(ex));
+      if (commands == pending && sendNext()) {
+        log.info("sent queued command");
+      }
+    }
+  }
+
+  private void sendHeartbeat() {
+    if (isReady() && (clock.millis() - lastReadMillis) > heartbeatMillis) {
+      writeAndFlushCommand(new Command("noop:0", null, 0, false));
+    }
+  }
+
+  private void completeIsOnReadyExceptionally(CommandQueue commands, String message) {
+    Collection<Command> isOnReadyCommands = commands.pollIsOnReady();
+    if (!isOnReadyCommands.isEmpty()) {
+      AtTimeoutException ex = new AtTimeoutException(message);
+      isOnReadyCommands.forEach(x -> x.completeExceptionally(ex));
+    }
+  }
+
+  private void resolveEndpoint() throws AtSecondaryNotFoundException {
+    if (endpoint.get() == null || reconnectStrategy.isReresolveEndpoint()) {
+      endpoint.set(endpointSupplier.get());
+    }
+  }
+
+  private void scheduleReconnect() {
+    if (status.get() == Status.Closed) {
+      return;
+    }
+    boolean isForceReconnect = this.isForceReconnect.getAndSet(false);
+    if (isForceReconnect || reconnectStrategy.isReconnectSupported()) {
+      pending.removeIf(Command::isOnReady);
+      log.debug("re-queued {} pending commands", queue.drain(pending));
+      pending.clear();
+      long delayMillis = isForceReconnect ? 0 : reconnectStrategy.getReconnectPauseMillis();
+      log.debug("scheduling connect");
+      group.schedule(this::connect, delayMillis, MILLISECONDS);
+    } else {
+      log.warn("reconnect retries exceeded, closing connection");
+      close(new AtSecondaryConnectException("reconnect retries exceeded"));
+    }
+  }
+
+  private void send(Command command) {
+    if (status.get().isClosedOrClosing()) {
+      command.completeExceptionally(new IllegalStateException("connection " + status.get().toLowerCase()));
+    } else if ((isReady() || threadFactory.isCurrentThreadOnReadyThread()) && pending.offer(command)) {
+      writeAndFlushCommand(command);
+    } else if (queue.offer(command)) {
+      log.info("{} command{} queued ({})", queue.size(), queue.size() > 1 ? "s" : "", getPendingStatus());
+    } else {
+      command.completeExceptionally(new AtTimeoutException(
+          queue.getQueueCapacity() > 0 ? "queue is full" : "queue not enabled"));
+    }
+  }
+
+  private String getPendingStatus() {
+    if (!pending.isEmpty()) {
+      return pending.size() == 1 ? "pending command" : pending.size() + " pending commands";
+    } else {
+      return status.get().toLowerCase();
+    }
+  }
+
+  private void writeAndFlushCommand(Command command) {
+    if (command != null) {
+      ChannelFuture future = channel.writeAndFlush(command.toString());
+      future.addListener((ChannelFutureListener) f -> onCommandWrite(command, f));
+    }
+  }
+
+  private void onCommandWrite(Command command, ChannelFuture future) {
+    if (future.isSuccess()) {
+      if (isVerbose) {
+        log.info("SENT: {}", command);
+      } else {
+        log.debug("SENT: {}", command);
+      }
+      if (command.isConsumerCommand()) {
+        // hack, until change which sends prompt after monitor
+        group.schedule(this::onPrompt, 100, MILLISECONDS);
+      }
+    }
+  }
+
+  private boolean sendNext() {
+    Command command = queue.poll();
+    if (command != null) {
+      send(command);
+      return true;
+    } else {
+      return false;
+    }
+  }
+
+  private void onPrompt() {
+    if (status.get() == Status.Connected) {
+      log.debug("received prompt, readying...");
+      status.set(Status.Readying);
+      threadFactory.newThread(createOnReadyRunnable()).start();
+    }
+    Command command = pending.pop("@");
+    if (command != null) {
+      command.complete(null);
+    }
+  }
+
+  private Runnable createOnReadyRunnable() {
+    return () -> {
+      threadFactory.markCurrentThreadOnReadyThread();
+      try {
+        readyingLock.lock();
+        onReadyConsumer.get().accept(this);
+      } catch (AtOnReadyException e) {
+        log.error("onReady exception", e);
+        close(new AtSecondaryConnectException(e.getMessage()));
+        return;
+      } finally {
+        readyingLock.unlock();
+      }
+      log.debug("ready");
+      status.set(Status.Ready);
+      checkForTimeouts();
+      if (sendNext()) {
+        log.info("sent queued command");
+      }
+      threadFactory.clearCurrentThreadOnReadyThread();
+    };
+  }
+
+  private void onResponse(String msg) {
+    if (isVerbose) {
+      log.info("RCVD: {}", msg);
+    } else {
+      log.debug("RCVD: {}", msg);
+    }
+    Command command = pending.pop(msg);
+    if (command != null) {
+      command.complete(msg);
+    } else {
+      log.error("no pending command : {}", msg);
+    }
+    if (sendNext()) {
+      log.info("sent queued command");
+    }
+  }
+
+  private class ResponseHandler extends SimpleChannelInboundHandler<String> {
+
+    @Override
+    protected void channelRead0(ChannelHandlerContext ctx, String msg) {
+      lastReadMillis = clock.millis();
+      if (isPrompt(msg)) {
+        onPrompt();
+      } else {
+        onResponse(msg);
+      }
+    }
+
+    @Override
+    public void exceptionCaught(ChannelHandlerContext context, Throwable cause) {
+      log.error("exception in handler", cause);
+    }
+
+    @Override
+    public void channelInactive(ChannelHandlerContext context) {
+      channel = null;
+      if (status.get().isClosedOrClosing()) {
+        log.debug("connection closed");
+      } else {
+        completeIsOnReadyExceptionally(pending, "connection closed");
+        if (isForceReconnect.get()) {
+          log.info("connection force disconnected");
+        } else {
+          log.warn("connection unexpectedly unconnected");
+          reconnectStrategy.onDisconnect(new IOException("connection closed"));
+        }
+        status.set(Status.Unconnected);
+        scheduleReconnect();
+      }
+    }
+  }
+
+  private static int toPort(String hostAndPort) {
+    return Integer.parseInt(hostAndPort.split(":")[1]);
+  }
+
+  private static String toHost(String hostAndPort) {
+    return hostAndPort.split(":")[0];
+  }
+
+  private class SocketChannelChannelInitializer extends ChannelInitializer<SocketChannel> {
+
+    @Override
+    protected void initChannel(SocketChannel ch) {
+      String endpoint = NettyAtClientConnection.this.endpoint.get();
+      ChannelPipeline pipeline = ch.pipeline();
+      pipeline.addLast(sslContext.newHandler(ch.alloc(), toHost(endpoint), toPort(endpoint)));
+      pipeline.addLast(new NettyAtResponseDecoder(maxFrameLength));
+      pipeline.addLast(new NettyAtCommandEncoder());
+      pipeline.addLast(new ResponseHandler());
+    }
+  }
+
+  private static SslContext createDefaultSslContext() {
+    try {
+      return SslContextBuilder.forClient().build();
+    } catch (SSLException e) {
+      throw new RuntimeException("failed to create SSL context", e);
+    }
+  }
+
+  private static SslContext wrapSslContext(SSLContext context) {
+    return new JdkSslContext(context, true, ClientAuth.NONE);
+  }
+
+  private void awaitStatus(Status status, long timeoutMillis) throws InterruptedException {
+    long startMillis = clock.millis();
+    while (clock.millis() < (startMillis + timeoutMillis)) {
+      // TODO: fix this
+      Thread.sleep(50);
+      if (this.status.get() == status) {
+        break;
+      }
+    }
+  }
+
+  public static boolean isPrompt(String s) {
+    return s.startsWith("@") && s.endsWith("@");
+  }
+
+  public static <T> T defaultIfNull(T o, T defaultValue) {
+    return o != null ? o : defaultValue;
+  }
+
+  public static long defaultIfUnset(Long l, long defaultValue) {
+    return l != null ? l : defaultValue;
+  }
+
+  public static int defaultIfUnset(Integer i, int defaultValue) {
+    return i != null ? i : defaultValue;
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java
new file mode 100644
index 00000000..7a445b19
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java
@@ -0,0 +1,23 @@
+package org.atsign.client.connection.netty;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.ByteBufUtil;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.MessageToByteEncoder;
+
+/**
+ * A Netty encoder which ensures that commands are terminated by a newline
+ */
+public class NettyAtCommandEncoder extends MessageToByteEncoder<CharSequence> {
+
+  private static final byte LF = (byte) '\n';
+
+  @Override
+  protected void encode(ChannelHandlerContext ctx, CharSequence msg, ByteBuf out) {
+    ByteBufUtil.writeUtf8(out, msg);
+    int len = msg.length();
+    if (len == 0 || msg.charAt(len - 1) != '\n') {
+      out.writeByte(LF);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java
new file mode 100644
index 00000000..d8ae2cc3
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java
@@ -0,0 +1,60 @@
+package org.atsign.client.connection.netty;
+
+import org.atsign.client.connection.api.AtEndpointSupplier;
+import org.atsign.common.AtSign;
+import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+
+import lombok.Builder;
+
+import javax.net.ssl.SSLContext;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static org.atsign.client.util.Preconditions.checkNotNull;
+
+/**
+ * An implementation that uses a {@link NettyAtClientConnection} to connect to the
+ * root / directory server and resolve the endpoint for a specific {@link AtSign}
+ */
+public class NettyAtEndpointSupplier implements AtEndpointSupplier {
+
+  private final AtSign atsign;
+
+  private final NettyAtClientConnection.NettyAtClientConnectionBuilder connectionBuilder;
+
+  @Builder
+  public NettyAtEndpointSupplier(String rootUrl, AtSign atsign, Long timeoutMillis, SSLContext sslContext) {
+    this.atsign = checkNotNull(atsign, "atSign not set");
+    String hostAndPort = defaultPort(checkNotNull(rootUrl, "rootUrl not set"));
+    this.connectionBuilder = NettyAtClientConnection.builder()
+        .endpoint(() -> hostAndPort)
+        .timeoutMillis(timeoutMillis)
+        .sslContext(sslContext);
+  }
+
+  @Override
+  public String get() throws AtSecondaryNotFoundException {
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      return checkNotBlank(connection.sendSync(atsign.withoutPrefix()));
+    } catch (Exception e) {
+      throw new AtSecondaryNotFoundException("unable to resolve the endpoint for " + atsign, e);
+    }
+  }
+
+  private static String checkNotBlank(String s) throws AtSecondaryNotFoundException {
+    if (s == null || s.isBlank() || "null".equals(s)) {
+      throw new AtSecondaryNotFoundException("unable to resolve the endpoint");
+    }
+    return s;
+  }
+
+  private static String defaultPort(String hostAndPort) {
+    Matcher matcher = Pattern.compile("([^:]+):(\\d+)").matcher(hostAndPort);
+    if (matcher.matches()) {
+      return hostAndPort;
+    } else {
+      return hostAndPort + ":" + 64;
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java
new file mode 100644
index 00000000..3df0f960
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java
@@ -0,0 +1,84 @@
+package org.atsign.client.connection.netty;
+
+import java.util.List;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.ByteToMessageDecoder;
+import io.netty.handler.codec.TooLongFrameException;
+import io.netty.util.CharsetUtil;
+
+/**
+ *
+ */
+public final class NettyAtResponseDecoder extends ByteToMessageDecoder {
+
+  private static final byte LF = (byte) '\n';
+  private static final byte CR = (byte) '\r';
+  private static final byte PROMPT = (byte) '@';
+  private static final byte COLON = (byte) ':';
+
+  private final long maxFrameSize;
+
+  public NettyAtResponseDecoder(long maxFrameSize) {
+    this.maxFrameSize = maxFrameSize;
+  }
+
+  @Override
+  protected void decode(ChannelHandlerContext ctx,
+                        ByteBuf in,
+                        List<Object> out) {
+
+    while (true) {
+
+      if (in.readableBytes() > maxFrameSize) {
+        throw new TooLongFrameException("buffer exceeds maxFrameSize [" + maxFrameSize + "]");
+      }
+
+      int i;
+      if ((i = findPromptIndex(in, 0)) == 0) {
+        int j = findPromptIndex(in, i + 1);
+        if (j > i) {
+          out.add(in.readCharSequence(j - i + 1, CharsetUtil.UTF_8).toString());
+        } else if (in.readableBytes() == 1 || findLinefeedIndex(in) > i) {
+          out.add(in.readCharSequence(1, CharsetUtil.UTF_8).toString());
+        } else {
+          // this is possibly an authenticated prompt which is fragmented
+          return;
+        }
+      } else if ((i = findLinefeedIndex(in)) > -1) {
+        int skip = 1;
+        if (i > 0 && in.getByte(i - 1) == CR) {
+          i--;
+          skip++;
+        }
+        out.add(in.readCharSequence(i, CharsetUtil.UTF_8).toString());
+        in.skipBytes(skip);
+      } else {
+        return;
+      }
+    }
+  }
+
+  private static int findLinefeedIndex(ByteBuf in) {
+    for (int i = in.readerIndex(); i < in.writerIndex(); i++) {
+      if (in.getByte(i) == LF) {
+        return i - in.readerIndex();
+      }
+    }
+    return -1;
+  }
+
+  private static int findPromptIndex(ByteBuf in, int offset) {
+    for (int i = in.readerIndex() + offset; i < in.writerIndex(); i++) {
+      if (in.getByte(i) == LF || in.getByte(i) == COLON) {
+        return -1;
+      }
+      if (in.getByte(i) == PROMPT) {
+        return i - in.readerIndex();
+      }
+    }
+    return -1;
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java
new file mode 100644
index 00000000..b1414925
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java
@@ -0,0 +1,49 @@
+package org.atsign.client.connection.netty;
+
+import io.netty.util.concurrent.DefaultThreadFactory;
+
+import java.util.concurrent.ThreadFactory;
+
+/**
+ * Wraps a thread factory (or the default netty thread factory) with one that sets thread locals.
+ * This way we can detect when a command is invoked as part of OnReady and prevent
+ * netty event thread from sending a command and then blocking on itself
+ */
+class NettyAtThreadFactory implements ThreadFactory {
+
+  private final ThreadLocal<Boolean> isMyThread = ThreadLocal.withInitial(() -> false);
+
+  private final ThreadLocal<Boolean> isOnReadyThread = ThreadLocal.withInitial(() -> false);
+
+  private final ThreadFactory delegate;
+
+  public NettyAtThreadFactory(ThreadFactory delegate) {
+    this.delegate = delegate != null ? delegate : new DefaultThreadFactory("netty");
+  }
+
+  @Override
+  public Thread newThread(Runnable r) {
+    return delegate.newThread(() -> {
+      isMyThread.set(true);
+      r.run();
+    });
+  }
+
+  boolean isCurrentThreadMyThread() {
+    return isMyThread.get();
+  }
+
+  public boolean isCurrentThreadOnReadyThread() {
+    return isOnReadyThread.get();
+  }
+
+  public void markCurrentThreadOnReadyThread() {
+    isOnReadyThread.set(true);
+    Thread.currentThread().setName(Thread.currentThread().getName() + "(ready)");
+  }
+
+  public void clearCurrentThreadOnReadyThread() {
+    isOnReadyThread.set(null);
+    Thread.currentThread().setName(Thread.currentThread().getName().replace("(ready)", ""));
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java b/at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java
new file mode 100644
index 00000000..2c0da9e9
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java
@@ -0,0 +1,90 @@
+package org.atsign.client.connection.protocol;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtException;
+import org.atsign.common.exceptions.*;
+import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+/**
+ * Utilities for throwing and handling typed {@link AtException} instances
+ */
+public class AtExceptions {
+
+  public static AtException toTypedException(String code, String text) {
+    if (AtServerRuntimeException.CODE.equals(code)) {
+      return new AtServerRuntimeException(text);
+    } else if (AtInvalidSyntaxException.CODE.equals(code)) {
+      return new AtInvalidSyntaxException(text);
+    } else if (AtBufferOverFlowException.CODE.equals(code)) {
+      return new AtBufferOverFlowException(text);
+    } else if (AtOutboundConnectionLimitException.CODE.equals(code)) {
+      return new AtOutboundConnectionLimitException(text);
+    } else if (AtSecondaryNotFoundException.CODE.equals(code)) {
+      return new AtSecondaryNotFoundException(text);
+    } else if (AtHandShakeException.CODE.equals(code)) {
+      return new AtHandShakeException(text);
+    } else if (AtUnauthorizedException.CODE.equals(code)) {
+      return new AtUnauthorizedException(text);
+    } else if (AtInternalServerError.CODE.equals(code)) {
+      return new AtInternalServerError(text);
+    } else if (AtInternalServerException.CODE.equals(code)) {
+      return new AtInternalServerException(text);
+    } else if (AtInboundConnectionLimitException.CODE.equals(code)) {
+      return new AtInboundConnectionLimitException(text);
+    } else if (AtBlockedConnectionException.CODE.equals(code)) {
+      return new AtBlockedConnectionException(text);
+    } else if (AtKeyNotFoundException.CODE.equals(code)) {
+      return new AtKeyNotFoundException(text);
+    } else if (AtInvalidAtKeyException.CODE.equals(code)) {
+      return new AtInvalidAtKeyException(text);
+    } else if (AtSecondaryConnectException.CODE.equals(code)) {
+      return new AtSecondaryConnectException(text);
+    } else if (AtIllegalArgumentException.CODE.equals(code)) {
+      return new AtIllegalArgumentException(text);
+    } else if (AtTimeoutException.CODE.equals(code)) {
+      return new AtTimeoutException(text);
+    } else if (AtServerIsPausedException.CODE.equals(code)) {
+      return new AtServerIsPausedException(text);
+    } else if (AtUnauthenticatedException.CODE.equals(code)) {
+      return new AtUnauthenticatedException(text);
+    }
+
+    return new AtNewErrorCodeWhoDisException(code, text);
+  }
+
+  /**
+   * A Command / Runnable that may throw exceptions.
+   */
+  public interface AtClientConnectionCommand {
+    void run(AtClientConnection connection) throws AtException, ExecutionException, InterruptedException;
+  }
+
+  /**
+   * Wraps an {@link AtClientConnectionCommand}, typically an
+   * {@link AtClientConnection#onReady(Consumer)}
+   * command, such that AtExceptions are caught and rethrown as {@link AtOnReadyException}.
+   * NOTE: {@link AtOnReadyException}s are regarded as fatal, i.e. the {@link AtClientConnection} is
+   * unusable.
+   *
+   * @param command A command/runnable thatmay throw exceptions.
+   * @return a consumer that is designed to be passed as an argument to
+   *         {@link AtClientConnection#onReady(Consumer)}
+   */
+  public static Consumer<AtClientConnection> throwOnReadyException(AtClientConnectionCommand command) {
+    return connection -> {
+      try {
+        command.run(connection);
+      } catch (AtException e) {
+        // AtOnReadyExceptions are fatal for the connection
+        throw new AtOnReadyException(e.getMessage(), e);
+      } catch (ExecutionException | InterruptedException e) {
+        throw new RuntimeException(e);
+      }
+    };
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java
new file mode 100644
index 00000000..44dace2d
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java
@@ -0,0 +1,104 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.connection.protocol.AtExceptions.throwOnReadyException;
+import static org.atsign.client.connection.protocol.Data.matchDataStringNoWhitespace;
+import static org.atsign.client.connection.protocol.Data.matchDataSuccess;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.util.EncryptionUtil;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+import org.atsign.common.VerbBuilders;
+import org.atsign.common.exceptions.AtEncryptionException;
+import org.atsign.common.exceptions.AtUnauthenticatedException;
+
+/**
+ * Utility methods for handling authentication within the AtSign protocol
+ */
+public class Authentication {
+
+  public static Consumer<AtClientConnection> pkamAuthenticator(AtSign atSign, AtKeys keys) {
+    return throwOnReadyException(connection -> authenticateWithPkam(connection, atSign, keys));
+  }
+
+  public static void authenticateWithPkam(AtClientConnection connection, AtSign atSign, AtKeys keys)
+      throws AtException {
+    try {
+
+      // send a from command and expect to receive a challenge
+      String fromCommand = VerbBuilders.fromCommandBuilder().atSign(atSign).build();
+      String fromResponse = connection.sendSync(fromCommand);
+      String challenge = matchDataStringNoWhitespace(throwExceptionIfError(fromResponse));
+
+      // send a pkam command with the signed challenge
+      String signature = EncryptionUtil.signSHA256RSA(challenge, keys.getApkamPrivateKey());
+      VerbBuilders.PkamCommandBuilder pkamCommandBuilder = VerbBuilders.pkamCommandBuilder();
+      if (keys.hasEnrollmentId()) {
+        pkamCommandBuilder.signingAlgo(EncryptionUtil.SIGNING_ALGO_RSA);
+        pkamCommandBuilder.hashingAlgo(EncryptionUtil.HASHING_ALGO_SHA256);
+        pkamCommandBuilder.enrollmentId(keys.getEnrollmentId());
+      }
+      pkamCommandBuilder.digest(signature);
+      String pkamCommand = pkamCommandBuilder.build();
+      String pkamResponse = connection.sendSync(pkamCommand);
+
+      // verify that pkam has succeeded
+      matchDataSuccess(throwExceptionIfError(pkamResponse));
+    } catch (RuntimeException | ExecutionException | InterruptedException e) {
+      throw new AtUnauthenticatedException("PKAM command failed : " + e.getMessage());
+    }
+  }
+
+  public static void authenticateWithCram(AtClientConnection connection, AtSign atSign, String cramSecret)
+      throws AtException {
+    try {
+
+      // send a from command and expect to receive a challenge
+      String fromCommand = VerbBuilders.fromCommandBuilder().atSign(atSign).build();
+      String fromResponse = connection.sendSync(fromCommand);
+      String challenge = matchDataStringNoWhitespace(throwExceptionIfError(fromResponse));
+
+      // send a cram command
+      String cramDigest = createDigest(cramSecret, challenge);
+      String cramCommand = VerbBuilders.cramCommandBuilder().digest(cramDigest).build();
+      String cramResponse = connection.sendSync(cramCommand);
+
+      // verify that cram succeeded
+      matchDataSuccess(throwExceptionIfError(cramResponse));
+
+    } catch (RuntimeException | ExecutionException | InterruptedException e) {
+      throw new AtUnauthenticatedException("CRAM command failed : " + e.getMessage());
+    }
+  }
+
+  private static String createDigest(String cramSecret, String challenge) throws AtEncryptionException {
+    try {
+      String digestInput = cramSecret + challenge;
+      byte[] digestInputBytes = digestInput.getBytes(StandardCharsets.UTF_8);
+      byte[] digest = MessageDigest.getInstance("SHA-512").digest(digestInputBytes);
+      return bytesToHex(digest);
+    } catch (RuntimeException | NoSuchAlgorithmException e) {
+      throw new AtEncryptionException("failed to generate cramDigest", e);
+    }
+  }
+
+  private static final char[] HEX_ARRAY = "0123456789abcdef".toCharArray();
+
+  public static String bytesToHex(byte[] bytes) {
+    char[] hexChars = new char[bytes.length * 2];
+    for (int j = 0; j < bytes.length; j++) {
+      int v = bytes[j] & 0xFF;
+      hexChars[j * 2] = HEX_ARRAY[v >>> 4];
+      hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
+    }
+    return new String(hexChars);
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Data.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Data.java
new file mode 100644
index 00000000..ccb84969
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Data.java
@@ -0,0 +1,117 @@
+package org.atsign.client.connection.protocol;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.atsign.common.Json;
+import org.atsign.common.Metadata;
+import org.atsign.common.response_models.LookupResponse;
+
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+/**
+ * Utilities for handling data responses in the AtSign protocol
+ */
+public class Data {
+
+  /**
+   * models server response string which is non-empty JSON map
+   */
+  protected static final Pattern DATA_JSON_NON_EMPTY_MAP = Pattern.compile("data:(\\{.+})");
+
+  /**
+   * models server response string which is JSON map
+   */
+  protected static final Pattern DATA_JSON_MAP = Pattern.compile("data:(\\{.*})");
+
+  /**
+   * models server response string which is non-empty JSON list
+   */
+  protected static final Pattern DATA_JSON_LIST = Pattern.compile("data:(\\[.*])");
+
+  /**
+   * models server response string which is integer
+   */
+  protected static final Pattern DATA_INT = Pattern.compile("data:(-?\\d+)");
+
+  /**
+   * models server response string containing no whitespace
+   */
+  public static final Pattern DATA_NON_WHITESPACE = Pattern.compile("data:(\\S+)");
+
+  /**
+   * models server data response
+   */
+  public static final Pattern DATA = Pattern.compile("data:(.+)");
+
+  /**
+   * models server response string containing no whitespace
+   */
+  public static final Pattern DATA_SUCCESS = Pattern.compile("data:(success)");
+
+  public static String matchDataSuccess(String input) {
+    return Responses.match(input, DATA_SUCCESS);
+  }
+
+  public static String matchDataStringNoWhitespace(String input) {
+    return Responses.match(input, DATA_NON_WHITESPACE);
+  }
+
+  public static String matchData(String input) {
+    return Responses.match(input, DATA);
+  }
+
+  public static int matchDataInt(String input) {
+    return Responses.match(input, DATA_INT, Integer::parseInt);
+  }
+
+  public static List<Object> matchDataJsonList(String input) {
+    return Responses.match(input, DATA_JSON_LIST, Responses::decodeJsonList);
+  }
+
+  public static List<String> matchDataJsonListOfStrings(String input) {
+    return Responses.match(input, DATA_JSON_LIST, Responses::decodeJsonListOfStrings);
+  }
+
+  public static Map<String, String> matchDataJsonMapOfStrings(String input, boolean allowEmpty) {
+    return Responses.match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP,
+                           Responses::decodeJsonMapOfStrings);
+  }
+
+  public static Map<String, Object> matchDataJsonMapOfObjects(String input, boolean allowEmpty) {
+    return Responses.match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP,
+                           Responses::decodeJsonMapOfObjects);
+  }
+
+  public static Map<String, String> matchDataJsonMapOfStrings(String input) {
+    return matchDataJsonMapOfStrings(input, false);
+  }
+
+  public static Map<String, Object> matchDataJsonMapOfObjects(String input) {
+    return matchDataJsonMapOfObjects(input, false);
+  }
+
+  public static LookupResponse matchLookupResponse(String s) {
+    return Responses.match(s, DATA_JSON_NON_EMPTY_MAP, Data::toLookupResponse);
+  }
+
+  public static LookupResponse toLookupResponse(String s) {
+    try {
+      return Json.MAPPER.readValue(s, LookupResponse.class);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static Metadata matchMetadata(String s) {
+    return Responses.match(s, DATA_JSON_NON_EMPTY_MAP, Data::toMetaData);
+  }
+
+  public static Metadata toMetaData(String s) {
+    try {
+      return Json.MAPPER.readValue(s, Metadata.class);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
new file mode 100644
index 00000000..3b015ac6
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
@@ -0,0 +1,322 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.connection.protocol.Data.*;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+import static org.atsign.client.util.EncryptionUtil.*;
+import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.common.VerbBuilders.EnrollParameters.ENCRYPTED_APKAM_SYMMETRIC_KEY;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ExecutionException;
+import java.util.stream.Collectors;
+
+import org.atsign.client.api.AtKeyNames;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.util.EnrollmentId;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+import org.atsign.common.VerbBuilders;
+
+/**
+ * Atsign Protocol utilitiy code that relates to onboarding and enrolling atsigns.
+ */
+public class Enroll {
+
+  /**
+   * Performs the onboarding workflow which sets up the manage keys for an atserver.
+   *
+   * @param connection A connection to an atserver command interface
+   * @param atSign The AtSign that corresponds to the connection
+   * @param keys The {@link AtKeys}
+   * @param cramSecret
+   * @param appName
+   * @param deviceName
+   * @param deleteCramKey
+   * @return a new {@link AtKeys} instance that has the enrollment id set
+   * @throws AtException
+   */
+  public static AtKeys onboard(AtClientConnection connection,
+                               AtSign atSign,
+                               AtKeys keys,
+                               String cramSecret,
+                               String appName,
+                               String deviceName,
+                               boolean deleteCramKey)
+      throws AtException {
+    try {
+
+      // verify that the connection is connected to the atsigns atserver
+      String scanCommand = VerbBuilders.scanCommandBuilder().build();
+      String scanResponse = throwExceptionIfError(connection.sendSync(scanCommand));
+      List<String> rawKeys = matchDataJsonListOfStrings(scanResponse);
+      if (!rawKeys.contains("signing_publickey" + atSign)) {
+        throw new IllegalStateException("not connected to the atsign's at server");
+      }
+
+      // authenticate with CRAM
+      Authentication.authenticateWithCram(connection, atSign, cramSecret);
+
+      // send an enroll request which should automatically be approved after CRAM authentication
+      String requestCommand = VerbBuilders.enrollCommandBuilder()
+          .operation(VerbBuilders.EnrollOperation.request)
+          .appName(appName)
+          .deviceName(deviceName)
+          .apkamPublicKey(keys.getApkamPublicKey())
+          .build();
+      String requestResponse = connection.sendSync(requestCommand);
+      Map<String, String> response = matchDataJsonMapOfStrings(throwExceptionIfError(requestResponse));
+      checkStatus(response, "approved");
+
+      // update the AtKeys with the enrollment id
+      keys = keys.toBuilder()
+          .enrollmentId(createEnrollmentId(response.get("enrollmentId")))
+          .build();
+
+      // authenticate with PKAM
+      Authentication.authenticateWithPkam(connection, atSign, keys);
+
+      // explicitly store the public encryption key in the atserver
+      String updateCommand = VerbBuilders.updateCommandBuilder()
+          .sharedBy(atSign)
+          .keyName(AtKeyNames.PUBLIC_ENCRYPT)
+          .isPublic(true)
+          .value(keys.getEncryptPublicKey())
+          .build();
+      String updateResponse = connection.sendSync(updateCommand);
+      matchDataInt(throwExceptionIfError(updateResponse));
+
+      if (deleteCramKey) {
+        deleteCramSecret(connection);
+      }
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+    return keys;
+  }
+
+  public static void deleteCramSecret(AtClientConnection connection) throws AtException {
+    Keys.deleteKey(connection, AtKeyNames.PRIVATE_AT_SECRET);
+  }
+
+  public static String otp(AtClientConnection connection) throws AtException {
+    try {
+
+      // send otp command
+      String otpCommand = VerbBuilders.otpCommandBuilder().build();
+      String otpResponse = connection.sendSync(otpCommand);
+
+      // verify that response is an OTP
+      return Data.matchDataStringNoWhitespace(throwExceptionIfError(otpResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static AtKeys enroll(AtClientConnection connection,
+                              AtSign atSign,
+                              AtKeys keys,
+                              String otp,
+                              String appName,
+                              String deviceName,
+                              Map<String, String> namespaces)
+      throws Exception {
+
+    checkNotNull(keys.getApkamPublicKey(), "apkam public key not set");
+    checkNotNull(keys.getApkamSymmetricKey(), "apkam symmetric key not set");
+
+    // lookup the public encryption key for the atserver's atsign, this will have been set during onboarding
+    String lookupCommand = VerbBuilders.lookupCommandBuilder()
+        .keyName(AtKeyNames.PUBLIC_ENCRYPT)
+        .sharedBy(atSign)
+        .build();
+    String lookupResponse = connection.sendSync(lookupCommand);
+    String publicKey = matchDataStringNoWhitespace(throwExceptionIfError(lookupResponse));
+
+    // send an enroll request and verify that the status is pending
+    String requestCommand = VerbBuilders.enrollCommandBuilder()
+        .operation(VerbBuilders.EnrollOperation.request)
+        .appName(appName)
+        .deviceName(deviceName)
+        .apkamPublicKey(keys.getApkamPublicKey())
+        .apkamSymmetricKey(rsaEncryptToBase64(keys.getApkamSymmetricKey(), publicKey))
+        .otp(otp)
+        .namespaces(namespaces)
+        .build();
+    String requestResponse = connection.sendSync(requestCommand);
+    Map<String, String> map = matchDataJsonMapOfStrings(throwExceptionIfError(requestResponse));
+    checkStatus(map, "pending");
+
+    // return a copy of the provided AtKeys with the public encryption key and enrollment id set
+    return keys.toBuilder()
+        .encryptPublicKey(publicKey)
+        .enrollmentId(EnrollmentId.createEnrollmentId(map.get("enrollmentId")))
+        .build();
+  }
+
+  public static AtKeys complete(AtClientConnection connection, AtSign atSign, AtKeys keys) throws AtException {
+
+    // attempt to authenticate with PKAM, this will succeed once the enroll request is approved
+    Authentication.authenticateWithPkam(connection, atSign, keys);
+
+    // Use the keys:get command to obtain the private encryption key and self encryption key
+    String selfEncryptKey = keysGetSelfEncryptKey(connection, atSign, keys);
+    String encryptPrivateKey = keysGetEncryptPrivateKey(connection, atSign, keys);
+
+    // return a copy of the provided AtKeys with the private encryption key and self encryption key set
+    return keys.toBuilder()
+        .selfEncryptKey(selfEncryptKey)
+        .encryptPrivateKey(encryptPrivateKey)
+        .build();
+
+  }
+
+  public static List<EnrollmentId> list(AtClientConnection connection, String status) throws AtException {
+    try {
+
+      // get the list of enrollment requests that have the status
+      String listCommand = VerbBuilders.enrollCommandBuilder()
+          .operation(VerbBuilders.EnrollOperation.list)
+          .status(status)
+          .build();
+      String listResponse = connection.sendSync(listCommand);
+      Map<String, Object> map = matchDataJsonMapOfObjects(throwExceptionIfError(listResponse), true);
+
+      // return the list enrollment ids, extracted from the keys
+      return map.keySet().stream()
+          .map(Enroll::inferEnrollmentId)
+          .collect(Collectors.toList());
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static void approve(AtClientConnection connection, AtKeys keys, EnrollmentId enrollmentId) throws AtException {
+    try {
+
+      // fetch the request and decrypt the apkam symmetric key that will be used encrypt the shared keys
+      String fetchCommand = VerbBuilders.enrollCommandBuilder()
+          .operation(VerbBuilders.EnrollOperation.fetch)
+          .enrollmentId(enrollmentId)
+          .build();
+      String fetchResponse = connection.sendSync(fetchCommand);
+      Map<String, Object> request = matchDataJsonMapOfObjects(throwExceptionIfError(fetchResponse));
+      checkStatus(request, "pending");
+      String encryptedApkamSymmetricKey = (String) request.get(ENCRYPTED_APKAM_SYMMETRIC_KEY);
+      String key = rsaDecryptFromBase64(encryptedApkamSymmetricKey, keys.getEncryptPrivateKey());
+
+      // encrypt the private encryption key and the self encryption key with the apkam symmetric key
+      String privateKeyIv = generateRandomIvBase64(16);
+      String encryptPrivateKey = aesEncryptToBase64(keys.getEncryptPrivateKey(), key, privateKeyIv);
+      String selfEncryptKeyIv = generateRandomIvBase64(16);
+      String selfEncryptKey = aesEncryptToBase64(keys.getSelfEncryptKey(), key, selfEncryptKeyIv);
+
+      // approve the request
+      String approveCommand = VerbBuilders.enrollCommandBuilder()
+          .operation(VerbBuilders.EnrollOperation.approve)
+          .enrollmentId(enrollmentId)
+          .encryptPrivateKey(encryptPrivateKey)
+          .encryptPrivateKeyIv(privateKeyIv)
+          .selfEncryptKey(selfEncryptKey)
+          .selfEncryptKeyIv(selfEncryptKeyIv)
+          .build();
+      String approveResponse = connection.sendSync(approveCommand);
+
+      // check the response
+      Map<String, String> response = matchDataJsonMapOfStrings(throwExceptionIfError(approveResponse));
+      checkStatus(response, "approved");
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+
+  }
+
+  public static void deny(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(connection, "deny", enrollmentId, "denied");
+  }
+
+  public static void revoke(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(connection, "revoke", enrollmentId, "revoked");
+  }
+
+  public static void unrevoke(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(connection, "unrevoke", enrollmentId, "approved");
+  }
+
+  public static void delete(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(connection, "delete", enrollmentId, "deleted");
+  }
+
+  private static void singleArgEnrollAction(AtClientConnection connection,
+                                            String action,
+                                            EnrollmentId enrollmentId,
+                                            String expectedStatus)
+      throws Exception {
+    String actionCommand = VerbBuilders.enrollCommandBuilder()
+        .operation(VerbBuilders.EnrollOperation.valueOf(action))
+        .enrollmentId(enrollmentId)
+        .build();
+    String actionResponse = connection.sendSync(actionCommand);
+    Map<String, String> map = matchDataJsonMapOfStrings(actionResponse);
+    checkStatus(map, expectedStatus);
+  }
+
+  private static EnrollmentId inferEnrollmentId(String key) {
+    int endIndex = key.indexOf('.');
+    if (key.contains("__manage") && endIndex > 0) {
+      return EnrollmentId.createEnrollmentId(key.substring(0, endIndex));
+    } else {
+      throw new RuntimeException(key + " doesn't match expected enrollment key pattern");
+    }
+  }
+
+  private static void checkStatus(Map<String, ? extends Object> map, String expectedStatus) {
+    String actualStatus = (String) map.get("status");
+    if (!Objects.equals(actualStatus, expectedStatus)) {
+      throw new RuntimeException("status is " + actualStatus);
+    }
+  }
+
+  private static String keysGetSelfEncryptKey(AtClientConnection connection, AtSign atSign, AtKeys keys)
+      throws AtException {
+    String keyName = keys.getEnrollmentId() + "." + "default_self_enc_key" + ".__manage" + atSign;
+    return keysGet(connection, keyName, keys.getApkamSymmetricKey());
+  }
+
+  private static String keysGetEncryptPrivateKey(AtClientConnection connection, AtSign atSign, AtKeys keys)
+      throws AtException {
+    String keyName = keys.getEnrollmentId() + "." + "default_enc_private_key" + ".__manage" + atSign;
+    return keysGet(connection, keyName, keys.getApkamSymmetricKey());
+  }
+
+  private static String keysGet(AtClientConnection connection, String keyName, String keyBase64) throws AtException {
+    try {
+
+      // send a key:get command
+      String keysGetCommand = VerbBuilders.keysCommandBuilder()
+          .operation(VerbBuilders.KeysOperation.get)
+          .keyName(keyName)
+          .build();
+      String keyGetResponse = connection.sendSync(keysGetCommand);
+
+      // unmarshall the encrypted value and the encryption iv that was used
+      Map<String, String> map = matchDataJsonMapOfStrings(Error.throwExceptionIfError(keyGetResponse));
+      String encryptedKey = map.get("value");
+      String iv = map.get("iv");
+
+      // return the decrypted value
+      return aesDecryptFromBase64(encryptedKey, keyBase64, iv);
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Error.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Error.java
new file mode 100644
index 00000000..f7b227ab
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Error.java
@@ -0,0 +1,50 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.connection.protocol.AtExceptions.toTypedException;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.atsign.common.AtException;
+
+/**
+ * Utility methods for handling error responses in the AtSign protocol
+ */
+public class Error {
+
+  /**
+   * models server data response
+   */
+  public static final Pattern ERROR = Pattern.compile("error:(.+)");
+
+  public static String matchError(String input) {
+    return Responses.match(input, ERROR);
+  }
+
+  /**
+   * Utility method that can be used to wrap a response and throw a typed
+   * {@link AtException} is the response represents an error.
+   *
+   * @param response a response string from an AtSign command interface
+   * @return the response parameter if the response is NOT an error
+   * @throws AtException a typed exception if the response is an error
+   */
+  public static String throwExceptionIfError(String response) throws AtException {
+    AtException ex = getAtExceptionIfError(response);
+    if (ex != null) {
+      throw ex;
+    }
+    return response;
+  }
+
+  public static AtException getAtExceptionIfError(String response) throws AtException {
+    checkNotNull(response);
+    Matcher matcher = Pattern.compile("error:(AT\\d+)([^:]*):\\s*(.+)").matcher(response);
+    if (matcher.matches()) {
+      return toTypedException(matcher.group(1), matcher.group(3));
+    }
+    return null;
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java
new file mode 100644
index 00000000..b77f1867
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java
@@ -0,0 +1,82 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.connection.protocol.Data.*;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+import static org.atsign.common.VerbBuilders.LookupOperation.meta;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.api.AtKeyNames;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtException;
+import org.atsign.common.Keys.AtKey;
+import org.atsign.common.Metadata;
+import org.atsign.common.VerbBuilders;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Atsign Protocol utility code that relates to keys (the records) that are managed by an
+ * atserver.
+ *
+ */
+@Slf4j
+public class Keys {
+
+  public static void deleteKey(AtClientConnection connection, String rawKey) throws AtException {
+    try {
+
+      // send a delete command
+      String deleteCommand = VerbBuilders.deleteCommandBuilder().rawKey(rawKey).build();
+      String deleteResponse = connection.sendSync(deleteCommand);
+
+      // verify command succeeded
+      Data.matchDataInt(throwExceptionIfError(deleteResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static void deleteKey(AtClientConnection conn, AtKey key) throws AtException {
+    deleteKey(conn, key.rawKey());
+  }
+
+  public static List<AtKey> getKeys(AtClientConnection conn, String regex, boolean fetchMetadata) throws AtException {
+
+    try {
+
+      // send scan command and decode response
+      String scanCommand = VerbBuilders.scanCommandBuilder().regex(regex).showHidden(true).build();
+      String scanResponse = conn.sendSync(scanCommand);
+      List<String> keyNames = matchDataJsonListOfStrings(throwExceptionIfError(scanResponse));
+
+      // build typed key instances from each key name (optionally looking up metadata)
+      List<AtKey> atKeys = new ArrayList<>();
+      for (String keyName : keyNames) {
+        if (!AtKeyNames.isManagementKeyName(keyName)) {
+          Metadata metadata = fetchMetadata ? fetchMetadata(conn, keyName) : null;
+          AtKey atKey = org.atsign.common.Keys.keyBuilder()
+              .rawKey(keyName)
+              .metadata(metadata)
+              .build();
+          atKeys.add(atKey);
+        }
+      }
+
+      return atKeys;
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static Metadata fetchMetadata(AtClientConnection conn, String keyName)
+      throws ExecutionException, InterruptedException, AtException {
+    String llookupCommand = VerbBuilders.llookupCommandBuilder().operation(meta).rawKey(keyName).build();
+    String llookupResponse = conn.sendSync(llookupCommand);
+    return matchMetadata(throwExceptionIfError(llookupResponse));
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java
new file mode 100644
index 00000000..d64fa8d2
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java
@@ -0,0 +1,104 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.api.AtEvents.AtEventType.*;
+import static org.atsign.client.connection.protocol.AtExceptions.throwOnReadyException;
+import static org.atsign.client.connection.protocol.Authentication.authenticateWithPkam;
+
+import java.util.Map;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+import java.util.regex.Pattern;
+
+import lombok.extern.slf4j.Slf4j;
+import org.atsign.client.api.AtEvents;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+
+/**
+ * Utility methods for managing notifications within the AtSign protocol
+ */
+public class Notifications {
+
+  /**
+   * models server response string which is non-empty JSON map
+   */
+  protected static final Pattern NOTIFICATION_JSON_NON_EMPTY_MAP = Pattern.compile("notification:\\s*(\\{.+})");
+
+  public static Consumer<AtClientConnection> monitor(AtSign atSign, AtKeys keys, Consumer<String> consumer) {
+    return throwOnReadyException(connection -> monitor(connection, atSign, keys, consumer));
+  }
+
+  public static void monitor(AtClientConnection connection, AtSign atSign, AtKeys keys, Consumer<String> consumer)
+      throws AtException {
+    try {
+
+      // authenticate
+      authenticateWithPkam(connection, atSign, keys);
+
+      // send monitor command
+      connection.sendSync("monitor", consumer);
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static Map<String, Object> matchNotification(String s) {
+    return Responses.match(s, NOTIFICATION_JSON_NON_EMPTY_MAP, Responses::decodeJsonMapOfObjects);
+  }
+
+  /**
+   * A {@link Consumer} that "bridges" to the {@link AtEvents.AtEventBus} api. This is intended
+   * to be used for invoking {@link AtClientConnection#send(String, Consumer, CompletableFuture)}
+   *
+   */
+  @Slf4j
+  public static class EventBusBridge implements Consumer<String> {
+
+    private final AtEvents.AtEventBus eventBus;
+
+    private final AtSign atSign;
+
+    public EventBusBridge(AtEvents.AtEventBus eventBus, AtSign atSign) {
+      this.eventBus = eventBus;
+      this.atSign = atSign;
+    }
+
+    @Override
+    public void accept(String s) {
+      try {
+        Map<String, Object> eventData = matchNotification(s);
+        AtEvents.AtEventType eventType = toEventType(eventData);
+        if (eventType == monitorException) {
+          eventData.put("key", "__monitorException__");
+          eventData.put("value", s);
+          eventData.put("exception", "unknown notification operation '" + eventData.get("operation") + "'");
+        }
+        eventBus.publishEvent(eventType, eventData);
+      } catch (Exception e) {
+        log.error("unexpected exception processing : {}", s, e);
+      }
+    }
+
+    private AtEvents.AtEventType toEventType(Map<String, Object> eventData) {
+      String id = (String) eventData.get("id");
+      String operation = (String) eventData.get("operation");
+      if ("-1".equals(id)) {
+        return statsNotification;
+      } else if ("update".equals(operation)) {
+        String key = (String) eventData.get("key");
+        if (key.startsWith(atSign + ":shared_key@")) {
+          return sharedKeyNotification;
+        } else {
+          return updateNotification;
+        }
+      } else if ("delete".equals(operation)) {
+        return deleteNotification;
+      }
+      return monitorException;
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java b/at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java
new file mode 100644
index 00000000..68000c28
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java
@@ -0,0 +1,109 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.connection.protocol.Data.matchDataInt;
+import static org.atsign.client.connection.protocol.Data.matchLookupResponse;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+import static org.atsign.client.util.EncryptionUtil.signSHA256RSA;
+import static org.atsign.common.VerbBuilders.LookupOperation.all;
+
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+import org.atsign.common.Keys.PublicKey;
+import org.atsign.common.Metadata;
+import org.atsign.common.VerbBuilders;
+import org.atsign.common.options.GetRequestOptions;
+import org.atsign.common.response_models.LookupResponse;
+
+/**
+ * Atsign protocol utility code that relates to "public keys"
+ *
+ */
+public class PublicKeys {
+
+  public static String get(AtClientConnection conn, AtSign atSign, PublicKey key, GetRequestOptions options)
+      throws AtException {
+    if (atSign.equals(key.sharedBy())) {
+      return getSharedByMe(conn, key);
+    } else {
+      return getSharedByOther(conn, key, options);
+    }
+  }
+
+  public static String getSharedByMe(AtClientConnection conn, PublicKey publicKey) throws AtException {
+    try {
+
+      // send a local lookup command and decode the response
+      String llookupCommand = VerbBuilders.llookupCommandBuilder()
+          .key(publicKey)
+          .operation(all)
+          .build();
+      String llookupResponse = conn.sendSync(llookupCommand);
+      LookupResponse response = matchLookupResponse(throwExceptionIfError(llookupResponse));
+
+      // set isCached in metadata
+      if (response.key.contains("cached:")) {
+        Metadata metadata = response.metaData.toBuilder().isCached(true).build();
+        publicKey.overwriteMetadata(metadata);
+      }
+
+      // return value
+      return response.data;
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String getSharedByOther(AtClientConnection conn, PublicKey publicKey, GetRequestOptions options)
+      throws AtException {
+    try {
+
+      // send public lookup command and decode the response
+      String plookupCommand = VerbBuilders.plookupCommandBuilder()
+          .key(publicKey)
+          .bypassCache(options != null ? options.isBypassCache() : null)
+          .operation(all)
+          .build();
+      String plookupResponse = conn.sendSync(plookupCommand);
+      LookupResponse response = matchLookupResponse(throwExceptionIfError(plookupResponse));
+
+      // set isCached in metadata
+      if (response.key.contains("cached:")) {
+        Metadata metadata = response.metaData.toBuilder().isCached(true).build();
+        publicKey.overwriteMetadata(metadata);
+      }
+
+      // return value
+      return response.data;
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static void put(AtClientConnection conn, AtKeys keys, PublicKey publicKey, String value) throws AtException {
+    try {
+
+      // add a signature to the metadata
+      Metadata metadata = Metadata.builder()
+          .dataSignature(signSHA256RSA(value, keys.getEncryptPrivateKey()))
+          .build();
+      publicKey.updateMissingMetadata(metadata);
+
+      // send and update command
+      String updateCommand = VerbBuilders.updateCommandBuilder().key(publicKey).value(value).build();
+      String updateResponse = conn.sendSync(updateCommand);
+
+      // verify the response
+      matchDataInt(throwExceptionIfError(updateResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java
new file mode 100644
index 00000000..8d6a3416
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java
@@ -0,0 +1,70 @@
+package org.atsign.client.connection.protocol;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import org.atsign.common.Json;
+
+import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Atsign protocol utility code that relates to processing responses from an atserver
+ *
+ */
+
+public class Responses {
+
+  public static Map<String, String> decodeJsonMapOfStrings(String json) {
+    try {
+      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static Map<String, Object> decodeJsonMapOfObjects(String json) {
+    try {
+      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static List<Object> decodeJsonList(String json) {
+    try {
+      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static List<String> decodeJsonListOfStrings(String json) {
+    try {
+      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String match(String input, Pattern pattern) {
+    Matcher matcher = pattern.matcher(input);
+    if (!matcher.matches()) {
+      throw new RuntimeException("expected [" + pattern + "] but input was : " + input);
+    }
+    StringBuilder builder = new StringBuilder();
+    if (matcher.groupCount() == 0) {
+      builder.append(input);
+    } else {
+      for (int i = 1; i <= matcher.groupCount(); i++) {
+        builder.append(matcher.group(i));
+      }
+    }
+    return builder.toString();
+  }
+
+  public static <T> T match(String input, Pattern pattern, Function<String, T> transformer) {
+    return transformer.apply(match(input, pattern));
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java
new file mode 100644
index 00000000..ac1697bf
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java
@@ -0,0 +1,36 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtException;
+import org.atsign.common.VerbBuilders;
+
+/**
+ * Atsign protocol utility code that relates querying the keys in an atserver.
+ *
+ */
+
+public class Scan {
+
+  public static List<String> scan(AtClientConnection connection, boolean showHidden, String regex) throws AtException {
+    try {
+
+      // send scan command
+      String scanCommand = VerbBuilders.scanCommandBuilder()
+          .showHidden(showHidden)
+          .regex(regex)
+          .build();
+      String scanResponse = connection.sendSync(scanCommand);
+
+      // return unmarshalled key names
+      return Data.matchDataJsonListOfStrings(throwExceptionIfError(scanResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java b/at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java
new file mode 100644
index 00000000..121f89f1
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java
@@ -0,0 +1,77 @@
+package org.atsign.client.connection.protocol;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtException;
+import org.atsign.common.Keys.SelfKey;
+import org.atsign.common.Metadata;
+import org.atsign.common.VerbBuilders;
+import org.atsign.common.response_models.LookupResponse;
+
+import java.util.concurrent.ExecutionException;
+
+import static org.atsign.client.connection.protocol.Data.matchDataInt;
+import static org.atsign.client.connection.protocol.Data.matchLookupResponse;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+import static org.atsign.client.util.EncryptionUtil.*;
+import static org.atsign.client.util.EncryptionUtil.aesEncryptToBase64;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.common.VerbBuilders.LookupOperation.all;
+
+/**
+ * Atsign protocol utility code that relates to "self keys"
+ *
+ */
+public class SelfKeys {
+
+  public static String get(AtClientConnection conn, AtKeys keys, SelfKey key) throws AtException {
+    try {
+
+      // send local lookup command and decode response
+      String llookupCommand = VerbBuilders.llookupCommandBuilder().key(key).operation(all).build();
+      String llookupResponse = conn.sendSync(llookupCommand);
+      LookupResponse response = matchLookupResponse(throwExceptionIfError(llookupResponse));
+
+      // decrypt with my self encrypt key
+      String selfEncryptionKey = keys.getSelfEncryptKey();
+      String iv = checkNotNull(response.metaData.ivNonce(), "ivNonce is null");
+      String decrypted = aesDecryptFromBase64(response.data, selfEncryptionKey, iv);
+
+      // overwrite metadata
+      key.overwriteMetadata(response.metaData);
+
+      return decrypted;
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static void put(AtClientConnection conn, AtKeys keys, SelfKey key, String value) throws AtException {
+    try {
+
+      // add signature and iv
+      Metadata metadata = Metadata.builder()
+          .dataSignature(signSHA256RSA(value, keys.getEncryptPrivateKey()))
+          .ivNonce(generateRandomIvBase64(16))
+          .build();
+      key.updateMissingMetadata(metadata);
+
+      // encrypt with my self encrypt key
+      String encrypted = aesEncryptToBase64(value, keys.getSelfEncryptKey(), metadata.ivNonce());
+
+      // send update command to store encrypted value
+      String updateCommand = VerbBuilders.updateCommandBuilder()
+          .key(key)
+          .value(encrypted)
+          .build();
+      String updateResponse = conn.sendSync(updateCommand);
+
+      // verify response
+      matchDataInt(throwExceptionIfError(updateResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java b/at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java
new file mode 100644
index 00000000..1006f4a1
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java
@@ -0,0 +1,232 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.api.AtKeyNames.toSharedByMeKeyName;
+import static org.atsign.client.connection.protocol.Data.*;
+import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
+import static org.atsign.client.util.EncryptionUtil.*;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.util.Preconditions.checkTrue;
+import static org.atsign.common.VerbBuilders.LookupOperation.all;
+
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import org.atsign.client.api.AtKeyNames;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.util.EncryptionUtil;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+import org.atsign.common.Keys.SharedKey;
+import org.atsign.common.Metadata;
+import org.atsign.common.VerbBuilders;
+import org.atsign.common.exceptions.AtKeyNotFoundException;
+import org.atsign.common.response_models.LookupResponse;
+
+/**
+ * Atsign protocol utility code that relates to "shared keys"
+ *
+ */
+
+public class SharedKeys {
+
+  public static String get(AtClientConnection conn, AtSign atSign, AtKeys keys, SharedKey key)
+      throws AtException {
+    if (key.sharedBy().equals(atSign)) {
+      return getSharedByMe(conn, keys, key);
+    } else if (key.sharedWith().equals(atSign)) {
+      return getSharedByOther(conn, keys, key);
+    } else {
+      throw new IllegalArgumentException("the client atsign is neither the sharedBy or sharedWith");
+    }
+  }
+
+  public static void put(AtClientConnection conn, AtSign atSign, AtKeys keys, SharedKey key, String value)
+      throws AtException {
+    checkTrue(key.sharedBy().equals(atSign), "sharedBy does not match this client's atsign");
+    try {
+
+      // get or create key for sharedBy - sharedWith
+      String aesKey = getEncryptKeySharedByMe(conn, keys, key);
+      if (aesKey == null) {
+        aesKey = createEncryptKey(conn, keys, key);
+      }
+
+      // encrypt the value
+      String iv = EncryptionUtil.generateRandomIvBase64(16);
+      key.updateMissingMetadata(Metadata.builder().ivNonce(iv).build());
+      String encrypted = aesEncryptToBase64(value, aesKey, iv);
+
+      // send an update command
+      String updateCommand = VerbBuilders.updateCommandBuilder().key(key).value(encrypted).build();
+      String updateResponse = conn.sendSync(updateCommand);
+
+      // verify the response
+      matchDataInt(throwExceptionIfError(updateResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String getSharedByMe(AtClientConnection conn, AtKeys keys, SharedKey key) throws AtException {
+    try {
+
+      // send local lookup command and decode
+      String llookupCommand = VerbBuilders.llookupCommandBuilder().key(key).operation(all).build();
+      LookupResponse llookupResponse = matchLookupResponse(throwExceptionIfError(conn.sendSync(llookupCommand)));
+
+      // get my encrypt key for sharedBy sharedWith
+      String aesKey = checkNotNull(getEncryptKeySharedByMe(conn, keys, key), key + " not found");
+
+      // return decrypted value
+      return aesDecryptFromBase64(llookupResponse.data, aesKey, llookupResponse.metaData.ivNonce());
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String getSharedByOther(AtClientConnection conn, AtKeys keys, SharedKey key) throws AtException {
+    try {
+
+      // send lookup command and decode
+      String lookupCommand = VerbBuilders.lookupCommandBuilder().key(key).operation(all).build();
+      LookupResponse lookupResponse = matchLookupResponse(throwExceptionIfError(conn.sendSync(lookupCommand)));
+
+      // get my encrypt key for sharedBy sharedWith
+      String shareEncryptionKey = getEncryptKeySharedByOther(conn, keys, key);
+
+      // return decrypted value
+      return aesDecryptFromBase64(lookupResponse.data, shareEncryptionKey, lookupResponse.metaData.ivNonce());
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String getEncryptKeySharedByMe(AtClientConnection conn, AtKeys keys, SharedKey key) throws AtException {
+    try {
+
+      String keyName = AtKeyNames.toSharedByMeKeyName(key.sharedWith());
+      String aesKey = keys.get(keyName);
+      if (aesKey != null) {
+        return aesKey;
+      }
+
+      // send local lookup command for sharedKey
+      String llookupCommand = VerbBuilders.llookupCommandBuilder()
+          .keyName(toSharedByMeKeyName(key.sharedWith()))
+          .sharedBy(key.sharedBy())
+          .build();
+      String llookupResponse = conn.sendSync(llookupCommand);
+
+      try {
+        // decrypt the key
+        String encrypted = Data.matchDataStringNoWhitespace(throwExceptionIfError(llookupResponse));
+        aesKey = rsaDecryptFromBase64(encrypted, keys.getEncryptPrivateKey());
+
+        // store in keys
+        keys.put(keyName, aesKey);
+
+        return aesKey;
+      } catch (AtKeyNotFoundException e) {
+        return null;
+      }
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String getEncryptKeySharedByOther(AtClientConnection conn, AtKeys keys, SharedKey key)
+      throws AtException {
+    try {
+
+      // check in Keys cache
+      String keyName = AtKeyNames.toSharedWithMeKeyName(key.sharedBy(), key.sharedWith());
+      String aesKey = keys.get(keyName);
+      if (aesKey != null) {
+        return aesKey;
+      }
+
+      // otherwise send lookup
+      String lookupCommand = VerbBuilders.lookupCommandBuilder()
+          .keyName(AtKeyNames.SHARED_KEY)
+          .sharedBy(key.sharedBy())
+          .build();
+      String lookupResponse = conn.sendSync(lookupCommand);
+
+      // decrypt with my private key
+      String encrypted = matchDataStringNoWhitespace(throwExceptionIfError(lookupResponse));
+      aesKey = rsaDecryptFromBase64(encrypted, keys.getEncryptPrivateKey());
+
+      // store in keys
+      keys.put(keyName, aesKey);
+
+      return aesKey;
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String createEncryptKey(AtClientConnection connection, AtKeys keys, SharedKey key) throws AtException {
+    try {
+
+      // generate a new encrypt key
+      String aesKey = EncryptionUtil.generateAESKeyBase64();
+
+      // compose an update command to store this key encrypted with this (sharedBy) atsign's public key
+      String encryptedForMe = rsaEncryptToBase64(aesKey, keys.getEncryptPublicKey());
+      String updateForUsCommand = VerbBuilders.updateCommandBuilder()
+          .keyName(toSharedByMeKeyName(key.sharedWith()))
+          .sharedBy(key.sharedBy())
+          .value(encryptedForMe)
+          .build();
+
+      // get the other (sharedWith) atsign's public key
+      String otherPublicKey = getEncryptKey(connection, key.sharedWith());
+
+      // compose an update command to store this key encrypted with the other (sharedWith) atsign's public key
+      String encryptedForOther = rsaEncryptToBase64(aesKey, otherPublicKey);
+      String updateForOtherCommand = VerbBuilders.updateCommandBuilder()
+          .keyName(AtKeyNames.SHARED_KEY)
+          .sharedBy(key.sharedBy())
+          .sharedWith(key.sharedWith())
+          .ttr(TimeUnit.HOURS.toMillis(24))
+          .value(encryptedForOther)
+          .build();
+
+      // send the update commands
+      connection.sendSync(updateForUsCommand);
+      connection.sendSync(updateForOtherCommand);
+
+      keys.put(AtKeyNames.toSharedByMeKeyName(key.sharedWith()), aesKey);
+
+      // return the new
+      return aesKey;
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static String getEncryptKey(AtClientConnection connection, AtSign sharedBy) throws AtException {
+    try {
+
+      // send plookup for atsign's public encryption key
+      String plookupCommand = VerbBuilders.plookupCommandBuilder()
+          .keyName(AtKeyNames.PUBLIC_ENCRYPT)
+          .sharedBy(sharedBy)
+          .build();
+      String plookupResponse = connection.sendSync(plookupCommand);
+
+      // return key
+      return matchDataStringNoWhitespace(throwExceptionIfError(plookupResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java b/at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java
new file mode 100644
index 00000000..295e5094
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java
@@ -0,0 +1,8 @@
+/**
+ * Utilities which given an {@link org.atsign.client.connection.api.AtClientConnection}
+ * can perform common functions such as authentication, atsign onboarding and
+ * enrollment. In some case these are simply sending the appropriate At Protocol command
+ * and verifying the response. Other scenarios such as those relating shared keys
+ * require some workflow.
+ */
+package org.atsign.client.connection.protocol;
diff --git a/at_client/src/main/java/org/atsign/client/util/AuthUtil.java b/at_client/src/main/java/org/atsign/client/util/AuthUtil.java
index 7f1de8d0..166ed6ed 100644
--- a/at_client/src/main/java/org/atsign/client/util/AuthUtil.java
+++ b/at_client/src/main/java/org/atsign/client/util/AuthUtil.java
@@ -20,6 +20,7 @@
 /**
  * Encapsulates Atsign Platform authentication command response workflows.
  */
+@Deprecated
 public class AuthUtil {
 
   /**
diff --git a/at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java b/at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java
index 68a7e8f2..fa41f68a 100644
--- a/at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java
+++ b/at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java
@@ -61,17 +61,25 @@ public static String aesDecryptFromBase64(String text, String key, String iv) th
     }
   }
 
-  public static KeyPair generateRSAKeyPair() throws NoSuchAlgorithmException {
-    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
-    generator.initialize(2048);
-    return generator.generateKeyPair();
+  public static KeyPair generateRSAKeyPair() throws AtEncryptionException {
+    try {
+      KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+      generator.initialize(2048);
+      return generator.generateKeyPair();
+    } catch (NoSuchAlgorithmException e) {
+      throw new AtEncryptionException(e.getMessage());
+    }
   }
 
-  public static String generateAESKeyBase64() throws NoSuchAlgorithmException {
-    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
-    keyGenerator.init(256);
-    byte[] key = keyGenerator.generateKey().getEncoded();
-    return Base64.getEncoder().encodeToString(key);
+  public static String generateAESKeyBase64() throws AtEncryptionException {
+    try {
+      KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
+      keyGenerator.init(256);
+      byte[] key = keyGenerator.generateKey().getEncoded();
+      return Base64.getEncoder().encodeToString(key);
+    } catch (NoSuchAlgorithmException e) {
+      throw new AtEncryptionException(e.getMessage());
+    }
   }
 
   public static String rsaDecryptFromBase64(String cipherTextBase64, String privateKeyBase64)
@@ -89,8 +97,7 @@ public static String rsaDecryptFromBase64(String cipherTextBase64, String privat
     }
   }
 
-  public static String rsaEncryptToBase64(String clearText, String publicKeyBase64)
-      throws AtEncryptionException {
+  public static String rsaEncryptToBase64(String clearText, String publicKeyBase64) throws AtEncryptionException {
     try {
       PublicKey publicKey = _publicKeyFromBase64(publicKeyBase64);
       Cipher encryptCipher = Cipher.getInstance("RSA");
@@ -104,10 +111,12 @@ public static String rsaEncryptToBase64(String clearText, String publicKeyBase64
     }
   }
 
-  public static String signSHA256RSA(String value, String privateKeyBase64)
-      throws NoSuchAlgorithmException, InvalidKeySpecException, SignatureException, InvalidKeyException {
-    PrivateKey privateKey = _privateKeyFromBase64(privateKeyBase64);
-    return _signSHA256RSA(value, privateKey);
+  public static String signSHA256RSA(String value, String privateKeyBase64) throws AtEncryptionException {
+    try {
+      return _signSHA256RSA(value, _privateKeyFromBase64(privateKeyBase64));
+    } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidKeyException | SignatureException e) {
+      throw new AtEncryptionException("SHA256 sign failed", e);
+    }
   }
 
   // non-public methods
diff --git a/at_client/src/main/java/org/atsign/common/Metadata.java b/at_client/src/main/java/org/atsign/common/Metadata.java
index 6895fe6a..98f3f4f0 100644
--- a/at_client/src/main/java/org/atsign/common/Metadata.java
+++ b/at_client/src/main/java/org/atsign/common/Metadata.java
@@ -44,14 +44,13 @@ public class Metadata {
   String encoding;
   String ivNonce;
 
-  // required for successful javadoc
-
   /**
    * A builder for instantiating {@link Metadata} instances. Note: Metadata is immutable so if you
    * want create a modified instance then use the toBuilder() method, override the fields and invoke
    * build().
    */
   public static class MetadataBuilder {
+    // required for javadoc
   };
 
   public static Metadata fromJson(String json) throws JsonProcessingException {
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtInvalidSyntaxException.java b/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtInvalidSyntaxException.java
similarity index 85%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtInvalidSyntaxException.java
rename to at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtInvalidSyntaxException.java
index 2092b317..f318e3c6 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtInvalidSyntaxException.java
+++ b/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtInvalidSyntaxException.java
@@ -1,4 +1,4 @@
-package org.atsign.common.exceptions;
+package org.atsign.common.exceptions.AtExceptions;
 
 import org.atsign.common.AtException;
 
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtServerRuntimeException.java b/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtServerRuntimeException.java
similarity index 85%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtServerRuntimeException.java
rename to at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtServerRuntimeException.java
index c190512f..e9e81861 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtServerRuntimeException.java
+++ b/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtServerRuntimeException.java
@@ -1,4 +1,4 @@
-package org.atsign.common.exceptions;
+package org.atsign.common.exceptions.AtExceptions;
 
 import org.atsign.common.AtException;
 
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java b/at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java
new file mode 100644
index 00000000..cb470be3
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java
@@ -0,0 +1,19 @@
+package org.atsign.common.exceptions;
+
+import java.util.function.Consumer;
+
+/**
+ * A {@link RuntimeException} that is used to communicate fatal exception
+ * in the execution of an OnReady consumer.
+ * See {@link org.atsign.client.connection.api.AtClientConnection#onReady(Consumer)}.
+ */
+public class AtOnReadyException extends RuntimeException {
+
+  public AtOnReadyException(String message) {
+    super(message);
+  }
+
+  public AtOnReadyException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java b/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java
index 7e21adef..f77016d4 100644
--- a/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java
+++ b/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java
@@ -1,30 +1,14 @@
 package org.atsign.common.options;
 
 
+import lombok.Builder;
+import lombok.Value;
+
 /**
  * Data class used to model options to the {@link org.atsign.client.api.AtClient} get methods
  */
-public class GetRequestOptions extends RequestOptions {
-
-  private boolean bypassCache;
-
-  public GetRequestOptions() {
-
-  }
-
-  public GetRequestOptions bypassCache(boolean bypassCache) {
-    this.bypassCache = bypassCache;
-    return this;
-  }
-
-  public boolean getBypassCache() {
-    return bypassCache;
-  }
-
-  @Override
-  public RequestOptions build() {
-    return (GetRequestOptions) this;
-  }
-
-
+@Value
+@Builder
+public class GetRequestOptions {
+  boolean bypassCache;
 }
diff --git a/at_client/src/main/java/org/atsign/common/options/RequestOptions.java b/at_client/src/main/java/org/atsign/common/options/RequestOptions.java
deleted file mode 100644
index 890b967d..00000000
--- a/at_client/src/main/java/org/atsign/common/options/RequestOptions.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package org.atsign.common.options;
-
-/**
- * Base class for options used in {@link org.atsign.client.api.AtClient} methods
- */
-public abstract class RequestOptions {
-  public abstract RequestOptions build();
-}
diff --git a/at_client/src/test/java/org/atsign/client/cli/ActivateIT.java b/at_client/src/test/java/org/atsign/client/cli/ActivateIT.java
index a46148e8..2954a0bb 100644
--- a/at_client/src/test/java/org/atsign/client/cli/ActivateIT.java
+++ b/at_client/src/test/java/org/atsign/client/cli/ActivateIT.java
@@ -45,7 +45,6 @@ public static void classSetup() {
     }
   }
 
-
   @BeforeEach
   public void setup() {
     executor = Executors.newSingleThreadExecutor();
diff --git a/at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java b/at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java
new file mode 100644
index 00000000..927f00e8
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java
@@ -0,0 +1,365 @@
+package org.atsign.client.connection.common;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class CommandQueueTest {
+
+  private static final int DEFAULT_CAPACITY = 10;
+
+  private CommandQueue commandQueue;
+
+  @BeforeEach
+  void setUp() {
+    commandQueue = new CommandQueue(DEFAULT_CAPACITY);
+  }
+
+  @Test
+  void testNewQueueIsEmpty() {
+    assertThat(commandQueue.isEmpty(), is(true));
+  }
+
+  @Test
+  void testGetQueueCapacityReturnsConstructorArg() {
+    assertThat(new CommandQueue(2).getQueueCapacity(), equalTo(2));
+  }
+
+  @Test
+  void testNewQueueHasSizeZero() {
+    assertThat(commandQueue.size(), is(0));
+  }
+
+  @Test
+  void testOfferNonConsumerCommandWithinCapacityReturnsTrue() {
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+
+    boolean result = commandQueue.offer(command);
+
+    assertThat(result, is(true));
+  }
+
+  @Test
+  void testOfferNonConsumerCommandIncreasesSize() {
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+
+    commandQueue.offer(command);
+
+    assertThat(commandQueue.size(), is(1));
+  }
+
+  @Test
+  void testOfferMultipleCommandsIncreasesSize() {
+    for (int i = 0; i < 5; i++) {
+      Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+      commandQueue.offer(command);
+    }
+
+    assertThat(commandQueue.size(), is(5));
+  }
+
+  @Test
+  void testOfferExceedingCapacityReturnsFalse() {
+    CommandQueue queue = new CommandQueue(2);
+
+    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+    Command command3 = new Command("request3", new CompletableFuture<>(), 2L, false);
+
+    queue.offer(command1);
+    queue.offer(command2);
+    boolean result = queue.offer(command3);
+
+    assertThat(result, is(false));
+  }
+
+  @Test
+  void testOfferExceedingCapacityDoesNotIncreaseSize() {
+    CommandQueue smallQueue = new CommandQueue(1);
+
+    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+
+    smallQueue.offer(command1);
+    smallQueue.offer(command2);
+
+    assertThat(smallQueue.size(), is(1));
+  }
+
+  @Test
+  void testOfferAtExactCapacityReturnsTrue() {
+    CommandQueue queue = new CommandQueue(1);
+
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+
+    assertThat(queue.offer(command), is(true));
+  }
+
+  @Test
+  void testOfferConsumerCommandWhenNoExistingConsumerReturnsTrue() {
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+
+    boolean result = commandQueue.offer(command);
+
+    assertThat(result, is(true));
+  }
+
+  @Test
+  void testOfferSecondConsumerCommandReturnsFalse() {
+    Command command1 = new Command("request1", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+    commandQueue.offer(command1);
+
+    Command command2 = new Command("request1", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+
+    commandQueue.offer(command2);
+    assertThat(commandQueue.hasConsumerCommand(), is(true));
+    assertThat(commandQueue.offer(command2), is(false));
+
+    commandQueue.pop("@");
+    assertThat(commandQueue.size(), equalTo(0));
+    assertThat(commandQueue.hasConsumerCommand(), is(true));
+    assertThat(commandQueue.offer(command2), is(false));
+  }
+
+  @Test
+  void testPopEmptyQueueReturnsNull() {
+    assertThat(commandQueue.pop("response"), nullValue());
+
+    Command command = new Command("request1", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+    commandQueue.offer(command);
+    commandQueue.pop("response1");
+
+    assertThat(commandQueue.pop("response"), nullValue());
+  }
+
+  @Test
+  void testPopReturnsNullForEventIfNoConsumerCommand() {
+    assertThat(commandQueue.pop("notification:xyz"), nullValue());
+  }
+
+  @Test
+  void testPopReturnsExpectedCommandForResponse() {
+    Command command = new Command("request1", new CompletableFuture<>(), 0L, false);
+    commandQueue.offer(command);
+    commandQueue.pop("@");
+
+    assertThat(commandQueue.pop("response"), equalTo(command));
+  }
+
+  @Test
+  void testPopReturnsNullForPromptIfNoConsumerCommand() {
+    Command command = new Command("request1", new CompletableFuture<>(), 0L, false);
+    commandQueue.offer(command);
+    assertThat(commandQueue.pop("@"), nullValue());
+  }
+
+  @Test
+  void testPopReturnsConsumerCommandForPrompt() {
+    Command command = new Command("request1", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+    commandQueue.offer(command);
+    assertThat(commandQueue.pop("@"), equalTo(command));
+  }
+
+  @Test
+  void testPopWithEventReturnsConsumerCommand() {
+    Command command = new Command("monitor", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+    commandQueue.offer(command);
+    assertThat(commandQueue.size(), equalTo(1));
+    assertThat(commandQueue.isEmpty(), is(false));
+
+    assertThat(commandQueue.pop("@"), equalTo(command));
+
+    assertThat(commandQueue.pop("notification:xyz"), equalTo(command));
+    assertThat(commandQueue.size(), equalTo(0));
+    assertThat(commandQueue.isEmpty(), is(true));
+  }
+
+  @Test
+  void testPopWithEventReturnsPeekedConsumerCommand() {
+    Command command = new Command("monitor", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+    commandQueue.offer(command);
+    assertThat(commandQueue.size(), equalTo(1));
+    assertThat(commandQueue.isEmpty(), is(false));
+
+    assertThat(commandQueue.pop("notification:xyz"), equalTo(command));
+    assertThat(commandQueue.size(), equalTo(0));
+    assertThat(commandQueue.isEmpty(), is(true));
+  }
+
+  @Test
+  void testPollReturnsFirstIn() {
+    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 0L, false);
+
+    commandQueue.offer(command1);
+    commandQueue.offer(command2);
+    assertThat(commandQueue.size(), equalTo(2));
+
+    assertThat(commandQueue.poll(), equalTo(command1));
+    assertThat(commandQueue.size(), equalTo(1));
+    assertThat(commandQueue.poll(), equalTo(command2));
+    assertThat(commandQueue.size(), equalTo(0));
+    assertThat(commandQueue.poll(), nullValue());
+  }
+
+  @Test
+  void testPeekReturnsFirstIn() {
+    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 0L, false);
+
+    commandQueue.offer(command1);
+    commandQueue.offer(command2);
+    assertThat(commandQueue.size(), equalTo(2));
+
+    assertThat(commandQueue.peek(), equalTo(command1));
+    assertThat(commandQueue.size(), equalTo(2));
+    assertThat(commandQueue.peek(), equalTo(command1));
+    commandQueue.poll();
+    assertThat(commandQueue.peek(), equalTo(command2));
+    commandQueue.poll();
+    assertThat(commandQueue.peek(), nullValue());
+  }
+
+  @Test
+  void testIsEmptyReturnsTrueWhenQueueHasNoCommands() {
+    assertThat(commandQueue.isEmpty(), is(true));
+  }
+
+  @Test
+  void testIsEmptyReturnsFalseAfterCommandOffered() {
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    commandQueue.offer(command);
+
+    assertThat(commandQueue.isEmpty(), is(false));
+  }
+
+  @Test
+  void testSizeReflectsNumberOfCommandsInQueue() {
+    int count = 4;
+    for (int i = 0; i < count; i++) {
+      Command command = new Command("request", new CompletableFuture<>(), i, false);
+      commandQueue.offer(command);
+      assertThat(commandQueue.size(), is(i + 1));
+    }
+  }
+
+  @Test
+  void testIteratorReturnsAllOfferedCommands() {
+    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+
+    commandQueue.offer(command1);
+    commandQueue.offer(command2);
+
+    List<Command> iterated = new ArrayList<>();
+    commandQueue.iterator().forEachRemaining(iterated::add);
+
+    assertThat(iterated, hasSize(2));
+    assertThat(iterated, containsInAnyOrder(command1, command2));
+  }
+
+  @Test
+  void testIteratorOnEmptyQueueHasNoElements() {
+    assertThat(commandQueue.iterator().hasNext(), is(false));
+  }
+
+  @Test
+  void testForEachVisitsAllCommands() {
+    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+
+    commandQueue.offer(command1);
+    commandQueue.offer(command2);
+
+    List<Command> visited = new ArrayList<>();
+    commandQueue.forEach(visited::add);
+
+    assertThat(visited, hasSize(2));
+    assertThat(visited, containsInAnyOrder(command1, command2));
+  }
+
+  @Test
+  void testSpliteratorCoversAllCommands() {
+    Command command1 = new Command("monitor", new CompletableFuture<>(), s -> {
+    }, 0L, false);
+    Command command2 = new Command("request1", new CompletableFuture<>(), 0L, false);
+    Command command3 = new Command("request2", new CompletableFuture<>(), 1L, false);
+
+    commandQueue.offer(command1);
+    commandQueue.offer(command2);
+    commandQueue.offer(command3);
+
+    List<Command> collected = new ArrayList<>();
+    commandQueue.spliterator().forEachRemaining(collected::add);
+
+    assertThat(collected, hasSize(3));
+    assertThat(collected, containsInAnyOrder(command1, command2, command3));
+
+    commandQueue.pop("notification:xyz");
+    collected = new ArrayList<>();
+    commandQueue.spliterator().forEachRemaining(collected::add);
+
+    assertThat(collected, hasSize(2));
+    assertThat(collected, containsInAnyOrder(command2, command3));
+
+    commandQueue.pop("response1");
+    collected = new ArrayList<>();
+    commandQueue.spliterator().forEachRemaining(collected::add);
+
+    assertThat(collected, hasSize(1));
+    assertThat(collected, containsInAnyOrder(command3));
+  }
+
+  @Test
+  void testOfferToZeroCapacityQueueReturnsFalse() {
+    CommandQueue zeroQueue = new CommandQueue(0);
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+
+    boolean result = zeroQueue.offer(command);
+
+    assertThat(result, is(false));
+  }
+
+  @Test
+  void testZeroCapacityQueueRemainsEmpty() {
+    CommandQueue zeroQueue = new CommandQueue(0);
+    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    zeroQueue.offer(command);
+
+    assertThat(zeroQueue.isEmpty(), is(true));
+  }
+
+  @Test
+  void testPollTimedOut() {
+    Command command1 = new Command("request1", new CompletableFuture<>(), 1L, false);
+    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+    Command command3 = new Command("request3", new CompletableFuture<>(), 2L, false);
+
+    commandQueue.offer(command1);
+    commandQueue.offer(command2);
+    commandQueue.offer(command3);
+
+    assertThat(commandQueue.pollTimedOut(0L), is(empty()));
+    assertThat(commandQueue.size(), equalTo(3));
+    assertThat(commandQueue.pollTimedOut(1L), is(empty()));
+    assertThat(commandQueue.size(), equalTo(3));
+    assertThat(commandQueue.pollTimedOut(2L), containsInAnyOrder(command1, command2));
+    assertThat(commandQueue.size(), equalTo(1));
+    assertThat(commandQueue.pollTimedOut(3L), containsInAnyOrder(command3));
+    assertThat(commandQueue.size(), equalTo(0));
+  }
+
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java b/at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java
new file mode 100644
index 00000000..0c9c2d72
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java
@@ -0,0 +1,144 @@
+package org.atsign.client.connection.common;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.*;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+import org.junit.jupiter.api.Test;
+
+class CommandTest {
+
+  @Test
+  void testToStringReturnsText() {
+    Command command = new Command("scan", new CompletableFuture<>(), 100, false);
+
+    assertThat(command.toString(), equalTo("scan"));
+  }
+
+  @Test
+  void testIsTimedOutTrueWhenTimestampBeforeTimeout() {
+    Command command = new Command("cmd", new CompletableFuture<>(), 100, false);
+
+    assertThat(command.isTimedOut(101L), is(true));
+  }
+
+  @Test
+  void testIsTimedOutFalseWhenTimestampAfterTimeout() {
+    Command command = new Command("cmd", new CompletableFuture<>(), 300, false);
+
+    assertThat(command.isTimedOut(200L), is(false));
+  }
+
+  @Test
+  void testIsTimedOutFalseWhenTimestampEqualsTimeout() {
+    Command command = new Command("cmd", new CompletableFuture<>(), 300, false);
+
+    assertThat(command.isTimedOut(300L), is(false));
+  }
+
+  @Test
+  void testCompleteSetsFutureValue() throws Exception {
+    CompletableFuture<String> future = new CompletableFuture<>();
+    Command command = new Command("cmd", future, 0, false);
+
+    command.complete("result");
+
+    assertThat(future.get(), is("result"));
+  }
+
+  @Test
+  void testCompleteAllowsNullValue() throws Exception {
+    CompletableFuture<String> future = new CompletableFuture<>();
+    Command command = new Command("cmd", future, 0, false);
+
+    command.complete(null);
+
+    assertThat(future.get(), nullValue());
+  }
+
+  @Test
+  void testCompleteConsumerCommandCompletesFutureAndCallsConsumer() {
+    CompletableFuture<Void> future = new CompletableFuture<>();
+    Consumer<String> consumer = mock(Consumer.class);
+
+    Command command = new Command("monitor", future, consumer, 0, false);
+
+    command.complete("notification:xyz");
+
+    assertThat(future.isDone(), is(true));
+    verify(consumer).accept("notification:xyz");
+  }
+
+  @Test
+  void testCompleteConsumerCommandDoesNotCallConsumerWhenNullValue() {
+    CompletableFuture<Void> future = new CompletableFuture<>();
+    Consumer<String> consumer = mock(Consumer.class);
+
+    Command command = new Command("cmd", future, consumer, 0, false);
+
+    command.complete(null);
+
+    assertThat(future.isDone(), is(true));
+    verify(consumer, never()).accept("notification:xyz");
+  }
+
+  @Test
+  void testCompleteExceptionallyCompletesFutureExceptionally() {
+    CompletableFuture<String> future = new CompletableFuture<>();
+    Command command = new Command("cmd", future, 0, false);
+
+    command.completeExceptionally(new RuntimeException("deliberate"));
+
+    assertThat(future.isCompletedExceptionally(), is(true));
+    ExecutionException ex = assertThrows(ExecutionException.class, future::get);
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+
+  @Test
+  void testIsMatchReturnsTrueForCommand() {
+    Command command = new Command("scan", new CompletableFuture<>(), 0, false);
+
+    assertThat(command.isMatch("xyz"), is(true));
+  }
+
+  @Test
+  void testIsMatchReturnsExpectedResultForConsumerCommand() {
+    Command command = new Command("monitor", new CompletableFuture<>(), s -> {
+    }, 0, false);
+
+    assertThat(command.isMatch("notification:xyz"), is(true));
+    assertThat(command.isMatch("ok"), is(false));
+  }
+
+  @Test
+  void testIsConsumerCommandReturnsExpectedResults() {
+    Command command = new Command("scan", new CompletableFuture<>(), 0, false);
+    Command consumerCommand = new Command("monitor", new CompletableFuture<>(), s -> {
+    }, 0, false);
+
+    assertThat(command.isConsumerCommand(), is(false));
+    assertThat(consumerCommand.isConsumerCommand(), is(true));
+  }
+
+  @Test
+  void testIsConsumerCommandStaticMethodReturnsExpectedResults() {
+    Command command = new Command("scan", new CompletableFuture<>(), 0, false);
+    Command consumerCommand = new Command("monitor", new CompletableFuture<>(), s -> {
+    }, 0, false);
+
+    assertThat(Command.isConsumerCommand(consumerCommand), is(true));
+    assertThat(Command.isConsumerCommand(command), is(false));
+    assertThat(Command.isConsumerCommand(null), is(false));
+  }
+
+  @Test
+  void testIsConsumerResponseReturnsExpectedResults() {
+    assertThat(Command.isConsumerResponse("notification:test"), is(true));
+    assertThat(Command.isConsumerResponse("ok"), is(false));
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java b/at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java
new file mode 100644
index 00000000..9ea37521
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java
@@ -0,0 +1,157 @@
+package org.atsign.client.connection.common;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+class SimpleReconnectStrategyTest {
+
+  @Test
+  void testIsReconnectSupportedWhenMaxRetriesIsForever() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(SimpleReconnectStrategy.RECONNECT_RETRY_FOREVER)
+        .build();
+
+    assertThat(strategy.isReconnectSupported(), is(true));
+    RuntimeException ex = new RuntimeException("deliberate");
+    for (int i = 0; i < 1000; i++) {
+      strategy.onConnectFailure(ex);
+      assertThat(strategy.isReconnectSupported(), is(true));
+    }
+  }
+
+  @Test
+  void testIsReconnectSupportedWhenMaxRetriesIsNotForever() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(3)
+        .build();
+
+    // connect failure count < max
+    strategy.onConnectFailure(new RuntimeException());
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReconnectSupported(), is(true));
+
+    // connect failure count = max
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReconnectSupported(), is(true));
+
+    // connect failure count > max
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReconnectSupported(), is(false));
+  }
+
+  @Test
+  void testIsReconnectSupportedAfterConnect() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(3)
+        .build();
+
+    strategy.onConnectFailure(new RuntimeException());
+    strategy.onConnectFailure(new RuntimeException());
+    strategy.onConnectFailure(new RuntimeException());
+    strategy.onConnect();
+    strategy.onDisconnect(new RuntimeException());
+
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReconnectSupported(), is(true));
+  }
+
+  @Test
+  void testGetReconnectPauseMillis() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(5)
+        .reconnectPauseMillis(2000L)
+        .build();
+
+    strategy.onConnectFailure(new RuntimeException());
+    strategy.onConnect();
+
+    // first disconnect after connect
+    assertThat(strategy.getReconnectPauseMillis(), is(0L));
+
+    // subsequent connection failures
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.getReconnectPauseMillis(), is(2000L));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.getReconnectPauseMillis(), is(2000L));
+
+    strategy.onConnect();
+
+    // first disconnect after connect
+    assertThat(strategy.getReconnectPauseMillis(), is(0L));
+  }
+
+  @Test
+  void testGetReconnectPauseMillisDefault() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(5)
+        .build();
+
+    strategy.onConnectFailure(new RuntimeException());
+    strategy.onConnect();
+
+    // first disconnect after connect
+    assertThat(strategy.getReconnectPauseMillis(), is(0L));
+
+    // subsequent connection failures
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.getReconnectPauseMillis(), is(1000L));
+  }
+
+  @Test
+  void testIsReresolveEndpointsEveryTime() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(5)
+        .resolveEndpointFrequency(1)
+        .build();
+
+    // first disconnect
+    strategy.onDisconnect(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+
+    // subsequent connection failures
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(true));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(true));
+  }
+
+
+  @Test
+  void testIsReresolveEndpointsEverOtherTime() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(5)
+        .resolveEndpointFrequency(2)
+        .build();
+
+    // first disconnect
+    strategy.onDisconnect(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+
+    // subsequent connection failures
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(true));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+  }
+
+
+  @Test
+  void testIsReresolveEndpointsDefaultNeverReresolves() {
+    SimpleReconnectStrategy strategy = SimpleReconnectStrategy.builder()
+        .maxReconnectRetries(5)
+        .build();
+    strategy.onDisconnect(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+    strategy.onConnectFailure(new RuntimeException());
+    assertThat(strategy.isReresolveEndpoint(), is(false));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java
new file mode 100644
index 00000000..be2841ce
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java
@@ -0,0 +1,72 @@
+package org.atsign.client.connection.netty;
+
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.atsign.common.AtSign.createAtSign;
+import static org.awaitility.Awaitility.await;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+import java.util.List;
+import java.util.concurrent.CopyOnWriteArrayList;
+
+import org.atsign.client.connection.netty.NettyAtClientConnection.NettyAtClientConnectionBuilder;
+import org.atsign.common.AtSign;
+import org.atsign.cucumber.helpers.Helpers;
+import org.atsign.virtualenv.VirtualEnv;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+class NettyAtClientConnectionIT {
+
+  @BeforeAll
+  public static void classSetup() {
+    if (!Helpers.isHostPortReachable("vip.ve.atsign.zone:64", SECONDS.toMillis(2))) {
+      VirtualEnv.setUp();
+    }
+  }
+
+  @Test
+  void testResolveAtServer() throws Exception {
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("vip.ve.atsign.zone:64")
+        .atsign(createAtSign("colin"))
+        .build();
+    assertThat(provider.get().matches("\\S+:\\d+"), is(true));
+  }
+
+
+  @Test
+  void testScan() throws Exception {
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("vip.ve.atsign.zone:64")
+        .atsign(createAtSign("colin"))
+        .build();
+    try (NettyAtClientConnection connection = NettyAtClientConnection.builder().endpoint(provider).build()) {
+      assertThat(connection.sendSync("scan"), Matchers.startsWith("data:"));
+    }
+  }
+
+  @Test
+  void testUnauthenticatedMonitorAttempt() throws Exception {
+    AtSign atSign = createAtSign("colin");
+
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("vip.ve.atsign.zone:64")
+        .atsign(atSign)
+        .build();
+
+    NettyAtClientConnectionBuilder builder = NettyAtClientConnection.builder()
+        .endpoint(provider);
+
+    try (NettyAtClientConnection connection = builder.build()) {
+      List<String> notifications = new CopyOnWriteArrayList<>();
+      connection.sendSync("monitor", notifications::add);
+      await().until(() -> !notifications.isEmpty());
+      assertThat(notifications.get(0), Matchers.startsWith("error:"));
+    }
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java
new file mode 100644
index 00000000..131be841
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java
@@ -0,0 +1,769 @@
+package org.atsign.client.connection.netty;
+
+import static java.util.concurrent.Executors.newSingleThreadScheduledExecutor;
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.atsign.client.connection.protocol.AtExceptions.throwOnReadyException;
+import static org.awaitility.Awaitility.await;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.hamcrest.Matchers.contains;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.*;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.ZoneId;
+import java.util.List;
+import java.util.concurrent.*;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Consumer;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.api.AtEndpointSupplier;
+import org.atsign.client.connection.common.SimpleReconnectStrategy;
+import org.atsign.client.connection.netty.NettyAtClientConnection.NettyAtClientConnectionBuilder;
+import org.atsign.client.connection.protocol.AtExceptions;
+import org.atsign.common.exceptions.AtSecondaryConnectException;
+import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+import org.atsign.common.exceptions.AtTimeoutException;
+import org.atsign.common.exceptions.AtUnauthenticatedException;
+import org.junit.jupiter.api.*;
+import org.mockito.ArgumentCaptor;
+import org.slf4j.Logger;
+
+import lombok.Builder;
+import lombok.extern.slf4j.Slf4j;
+
+@SuppressWarnings("unchecked")
+@Slf4j
+class NettyAtClientConnectionTest {
+
+  private TestServer server;
+  private TestEndPointSupplier endPointSupplier;
+  private NettyAtClientConnectionBuilder connectionBuilder;
+  private TestReconnectStrategy reconnectStrategy;
+
+  @BeforeEach
+  public void setup() throws Exception {
+    server = new TestServer();
+    stubTestServerConnectAndResponseBehaviour(server);
+    endPointSupplier = new TestEndPointSupplier();
+    connectionBuilder = NettyAtClientConnection.builder()
+        .endpoint(endPointSupplier)
+        .sslContext(server.getClientSslContext());
+    reconnectStrategy = TestReconnectStrategy.testBuilder()
+        .maxReconnectRetries(2)
+        .resolveEndpointFrequency(1)
+        .reconnectPauseMillis(100)
+        .build();
+  }
+
+  @AfterEach
+  public void teardown() throws Exception {
+    server.close();
+  }
+
+  @Test
+  void testConnectSucceed() throws Exception {
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      assertThat(endPointSupplier.invocationCount, equalTo(1));
+    }
+  }
+
+  @Test
+  void testBuilderOnReadyIsInvokedOnConnection() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    connectionBuilder.onReady(consumer);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      verify(consumer).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testBuilderOnReadyIsInvokedOnReconnect() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    connectionBuilder.onReady(consumer).reconnect(reconnectStrategy);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      await().until(connection::isReady);
+      server.closeClientSocket();
+      await().until(connection::isReady);
+      server.closeClientSocket();
+      await().until(connection::isReady);
+
+      verify(consumer, times(3)).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testOnReadyIsInvokedIfReady() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      await().until(connection::isReady);
+      connection.onReady(consumer);
+
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testOnReadyWhenConnectionIsEstablishedButBeforeConnectionIsReady() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    CountDownLatch latch = new CountDownLatch(1);
+    stubTestServerConnectAndResponseBehaviourWithConnectLatch(server, latch);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      connection.onReady(consumer);
+      latch.countDown();
+
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testOnReadyBeforeConnectionIsBound() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    server.closeServerSocket();
+    connectionBuilder.reconnect(reconnectStrategy);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      connection.onReady(consumer);
+      server.newServerSocket();
+
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testOnReadyBeforeConnectionIsAccepted() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    server.closeServerSocket();
+    server.newServerSocketWithoutAccept();
+    connectionBuilder.reconnect(reconnectStrategy);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      connection.onReady(consumer);
+      server.accept();
+
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testOnReadyWhilstReadying() throws Exception {
+    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    CountDownLatch latch = new CountDownLatch(1);
+    stubTestServerConnectAndResponseBehaviourWithRequestLatch(server, latch);
+    connectionBuilder.onReady(AtExceptions.throwOnReadyException(c -> c.sendSync("request")));
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      connection.onReady(consumer);
+      latch.countDown();
+
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+    }
+  }
+
+  @Test
+  void testOnReadyNetworkExceptionsShouldNotBeFatalForTheConnection() throws Exception {
+    AtomicInteger requestCount = new AtomicInteger();
+    server.setRequestHandler(s -> {
+      if (s == null || requestCount.incrementAndGet() > 1) {
+        testServerResponse(server, s);
+      } else {
+        // disconnect on first request
+        server.closeClientSocket();
+      }
+    });
+    connectionBuilder.reconnect(reconnectStrategy).onReady(throwOnReadyException(c -> c.sendSync("request")));
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      assertThat(connection.sendSync("request2"), equalTo("response2"));
+    }
+  }
+
+  @Test
+  void testOnReadyAtExceptionsShouldBeFatalForTheConnection() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).onReady(
+                                                           throwOnReadyException(c -> {
+                                                             throw new AtUnauthenticatedException("deliberate");
+                                                           }));
+    Exception ex = assertThrows(Exception.class, () -> connectionBuilder.build());
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+
+  @Test
+  void testSendSync() throws Exception {
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      assertThat(connection.sendSync("request"), equalTo("response"));
+    }
+  }
+
+  @Test
+  void testSendSyncAfterClosesThrowsException() throws Exception {
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      connection.close();
+      Exception ex = assertThrows(Exception.class, () -> connection.sendSync("request"));
+      assertThat(ex.getMessage(), containsString("connection closed"));
+    }
+  }
+
+  @Test
+  void testSendSyncFromOnReady() throws Exception {
+    List<String> responses = new CopyOnWriteArrayList<>();
+    connectionBuilder.onReady(c -> {
+      try {
+        responses.add(c.sendSync("request1"));
+        responses.add(c.sendSync("request2"));
+      } catch (ExecutionException | InterruptedException e) {
+        throw new RuntimeException(e);
+      }
+    });
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      await().until(connection::isReady);
+      assertThat(responses, contains("response1", "response2"));
+    }
+  }
+
+  @Test
+  void testSendSyncFromConsumerTriggersException() throws Exception {
+    stubTestServerConnectAndAndAutomaticNotification(server);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      AtomicReference<Exception> ex = new AtomicReference<>();
+      connection.sendSync("monitor", s -> {
+        try {
+          connection.sendSync("request");
+        } catch (Exception e) {
+          ex.set(e);
+        }
+      });
+      await().until(() -> ex.get() != null);
+      assertThat(ex.get().getMessage(), containsString("send on netty event thread is prohibited"));
+    }
+  }
+
+  @Test
+  void testSend() throws Exception {
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      assertThat(connection.send("request").get(), equalTo("response"));
+    }
+  }
+
+  @Test
+  void testSendFromConsumerTriggersException() throws Exception {
+    stubTestServerConnectAndAndAutomaticNotification(server);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      AtomicReference<Exception> ex = new AtomicReference<>();
+      connection.sendSync("monitor", s -> {
+        try {
+          connection.send("request");
+        } catch (Exception e) {
+          ex.set(e);
+        }
+      });
+      await().until(() -> ex.get() != null);
+      assertThat(ex.get().getMessage(), containsString("send on netty event thread is prohibited"));
+    }
+  }
+
+  @Test
+  void testSendFromOnReadyTriggersException() throws Exception {
+    connectionBuilder.onReady(c -> c.send("request"));
+    Exception ex = assertThrows(Exception.class, () -> connectionBuilder.build());
+    assertThat(ex.getMessage(), containsString("onReady is prohibited from invoking send, use sendSync"));
+  }
+
+  @Test
+  void testSendMultipleTimesWorksWhenNumberOfCommandsIsLessThanOrEqualToTheQueueLimit() throws Exception {
+    connectionBuilder.queueLimit(3);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      CompletableFuture<String> future1 = connection.send("request1");
+      CompletableFuture<String> future2 = connection.send("request2");
+      CompletableFuture<String> future3 = connection.send("request3");
+      assertThat(future1.get(), equalTo("response1"));
+      assertThat(future2.get(), equalTo("response2"));
+      assertThat(future3.get(), equalTo("response3"));
+    }
+  }
+
+  @Test
+  void testSendMultipleTimesWillCompleteExceptionallyWhenQueueLimitIsBreached() throws Exception {
+    CountDownLatch latch = new CountDownLatch(1);
+    stubTestServerConnectAndResponseBehaviourWithRequestLatch(server, latch);
+    connectionBuilder.queueLimit(1);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      CompletableFuture<String> future1 = connection.send("request1");
+      CompletableFuture<String> future2 = connection.send("request2");
+      CompletableFuture<String> future3 = connection.send("request3");
+      latch.countDown();
+      assertThat(future1.get(), equalTo("response1"));
+      assertThat(future2.get(), equalTo("response2"));
+      ExecutionException ex = assertThrows(ExecutionException.class, future3::get);
+      assertThat(ex.getCause(), instanceOf(AtTimeoutException.class));
+      assertThat(ex.getMessage(), containsString("queue is full"));
+    }
+  }
+
+  @Test
+  void testSendWithFuture() throws Exception {
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      CompletableFuture<String> future = new CompletableFuture<>();
+      connection.send("request", future);
+      assertThat(future.get(), equalTo("response"));
+    }
+  }
+
+  @Test
+  void testSendSyncWithConsumer() throws Exception {
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      List<String> list = new CopyOnWriteArrayList<>();
+      Consumer<String> consumer = list::add;
+      connection.sendSync("monitor", consumer);
+      await().until(() -> "monitor".equals(server.poll()));
+      server.writeAndFlush("notification:one\n", "notification:two\n", "notification:three\n");
+      await().until(() -> list.size() == 3);
+      assertThat(list, contains("notification:one", "notification:two", "notification:three"));
+    }
+  }
+
+  @Test
+  void testSendSyncWithConsumerFromConsumerTriggersException() throws Exception {
+    stubTestServerConnectAndAndAutomaticNotification(server);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      AtomicReference<Exception> ex = new AtomicReference<>();
+      connection.sendSync("monitor", s -> {
+        try {
+          connection.sendSync("request", response -> {
+          });
+        } catch (Exception e) {
+          ex.set(e);
+        }
+      });
+      await().until(() -> ex.get() != null);
+      assertThat(ex.get().getMessage(), containsString("send on netty event thread is prohibited"));
+    }
+  }
+
+  @Test
+  void testSendWithConsumerFromConsumerTriggersException() throws Exception {
+    stubTestServerConnectAndAndAutomaticNotification(server);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      AtomicReference<Exception> ex = new AtomicReference<>();
+      connection.sendSync("monitor", s -> {
+        try {
+          connection.send("request", response -> {
+          }, new CompletableFuture<>());
+        } catch (Exception e) {
+          ex.set(e);
+        }
+      });
+      await().until(() -> ex.get() != null);
+      assertThat(ex.get().getMessage(), containsString("send on netty event thread is prohibited"));
+    }
+  }
+
+  @Test
+  void testSendSyncWithConsumerFromOnReady() throws Exception {
+    Consumer<String> consumer = mock(Consumer.class);
+    stubTestServerConnectAndAndAutomaticNotification(server);
+    connectionBuilder.onReady(c -> {
+      try {
+        c.sendSync("monitor", consumer);
+      } catch (ExecutionException | InterruptedException e) {
+        throw new RuntimeException(e);
+      }
+    });
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      await().until(connection::isReady);
+      verify(consumer).accept("notification:xyz");
+    }
+  }
+
+  @Test
+  void testSendWithConsumerFromOnReadyTriggersException() throws Exception {
+    connectionBuilder.onReady(c -> c.send("monitor", s -> {
+    }, new CompletableFuture<>()));
+    Exception ex = assertThrows(Exception.class, () -> connectionBuilder.build());
+    assertThat(ex.getMessage(), containsString("onReady is prohibited from invoking send, use sendSync"));
+  }
+
+  @Test
+  void testSendSyncWithConsumerAndFuture() throws Exception {
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      CompletableFuture<Void> future = new CompletableFuture<>();
+      List<String> list = new CopyOnWriteArrayList<>();
+      Consumer<String> consumer = list::add;
+      connection.send("monitor", consumer, future);
+      future.get();
+      await().until(() -> "monitor".equals(server.poll()));
+      server.writeAndFlush("notification:one\n", "notification:two\n", "notification:three\n");
+      await().until(() -> list.size() == 3);
+      assertThat(list, contains("notification:one", "notification:two", "notification:three"));
+    }
+  }
+
+  @Test
+  void testConnectFail() {
+    server.closeServerSocket();
+    Exception ex = assertThrows(Exception.class, () -> connectionBuilder.build());
+    assertThat(ex.getMessage(), containsString("Connection refused"));
+  }
+
+  @Test
+  void testConnectEndpointProviderException() {
+    connectionBuilder.endpoint(() -> {
+      throw new AtSecondaryNotFoundException("deliberate");
+    });
+    Exception ex = assertThrows(Exception.class, () -> connectionBuilder.build());
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+
+  @Test
+  void testConnectRetryFail() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
+    server.closeServerSocket();
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      ExecutionException ex = assertThrows(ExecutionException.class, () -> connection.sendSync("request"));
+      assertThat(ex.getMessage(), containsString("reconnect retries exceeded"));
+      assertThat(reconnectStrategy.connectFailCount, equalTo(3));
+      assertThat(reconnectStrategy.connectException.getMessage(), containsString("Connection refused"));
+    }
+  }
+
+  @Test
+  void testConnectRetryFailTimeout() throws Exception {
+    reconnectStrategy.reconnectNoLimit();
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
+    server.closeServerSocket();
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      ExecutionException ex = assertThrows(ExecutionException.class, () -> connection.sendSync("request"));
+      assertThat(ex.getMessage(), containsString("timed out (in queue)"));
+    }
+  }
+
+  @Test
+  void testConnectRetrySucceed() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
+    server.closeServerSocket();
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      server.newServerSocket();
+      assertThat(connection.sendSync("request"), equalTo("response"));
+      assertThat(reconnectStrategy.connectFailCount, greaterThanOrEqualTo(1));
+      assertThat(reconnectStrategy.connectException.getMessage(), containsString("Connection refused"));
+    }
+  }
+
+  @Test
+  void testReconnectAfterSocketDisconnect() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      server.closeClientSocket();
+      assertThat(connection.sendSync("request"), equalTo("response"));
+      assertThat(reconnectStrategy.disconnectCount, greaterThanOrEqualTo(1));
+      assertThat(reconnectStrategy.disconnectException.getMessage(), containsString("connection closed"));
+      assertThat(endPointSupplier.invocationCount, equalTo(1));
+    }
+  }
+
+  @Test
+  void testReconnectAndResendPendingAfterSocketDisconnect() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
+    stubTestServerToCloseClientSocketOnRequest(server);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      assertThat(connection.sendSync("request"), equalTo("response"));
+    }
+  }
+
+  @Test
+  void testReconnectAndSendQueueAfterSocketDisconnectTriggersPendingRequestToTimeout() throws Exception {
+    TestClock clock = new TestClock();
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L).clock(clock).queueLimit(2);
+    CountDownLatch latch = new CountDownLatch(1);
+    stubTestServerToCloseClientSocketOnRequest(server, latch, clock, 500L);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      CompletableFuture<String> future = connection.send("request");
+      await().until(() -> connection.getPendingSize() == 1);
+      clock.advance(1);
+      CompletableFuture<String> future2 = connection.send("request2");
+      await().until(() -> connection.getQueuedSize() == 1);
+      log.info("setting latch");
+      latch.countDown();
+      ExecutionException ex = assertThrows(ExecutionException.class, future::get);
+      assertThat(ex.getCause(), instanceOf(AtTimeoutException.class));
+      assertThat(future2.get(), equalTo("response2"));
+    }
+  }
+
+  @Test
+  void testReconnectAfterSocketAndSocketServerDisconnect() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      server.closeServerSocket();
+      CompletableFuture<String> future = connection.send("request");
+      server.newServerSocket();
+      await().until(future::isDone);
+      assertThat(future.get(), equalTo("response"));
+      assertThat(reconnectStrategy.disconnectCount, greaterThanOrEqualTo(1));
+      assertThat(reconnectStrategy.disconnectException.getMessage(), containsString("connection closed"));
+    }
+  }
+
+  @Test
+  void testReconnectTimeout() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
+    ExecutionException ex = assertThrows(ExecutionException.class, () -> {
+      try (AtClientConnection connection = connectionBuilder.build()) {
+        server.closeServerSocket();
+        newSingleThreadScheduledExecutor().schedule(() -> server.newServerSocket(), 5, SECONDS);
+        connection.sendSync("request");
+      }
+    });
+    assertThat(ex.getCause(), instanceOf(AtSecondaryConnectException.class));
+    assertThat(ex.getMessage(), containsString("reconnect retries exceeded"));
+  }
+
+  @Test
+  void testReconnectAfterSocketAndSocketServerDisconnectAndAcceptPause() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(5000L);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      server.closeServerSocket();
+      server.newServerSocketWithoutAccept();
+      sleep(SECONDS.toMillis(1));
+      server.accept();
+      assertThat(connection.sendSync("request"), equalTo("response"));
+      assertThat(reconnectStrategy.disconnectCount, greaterThanOrEqualTo(1));
+      assertThat(reconnectStrategy.disconnectException.getMessage(), containsString("connection closed"));
+      assertThat(endPointSupplier.invocationCount, equalTo(1));
+    }
+  }
+
+  @Test
+  void testReconnectAfterSocketAndSocketServerDisconnectAndMove() throws Exception {
+    connectionBuilder.reconnect(reconnectStrategy);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      server.closeServerSocket();
+      CompletableFuture<String> future = connection.send("request");
+      server.newServerSocketNewPort();
+      await().until(future::isDone);
+      assertThat(future.get(), equalTo("response"));
+      assertThat(reconnectStrategy.disconnectCount, greaterThanOrEqualTo(1));
+      assertThat(reconnectStrategy.disconnectException.getMessage(), containsString("connection closed"));
+      assertThat(endPointSupplier.invocationCount, equalTo(2));
+    }
+  }
+
+  @Test
+  void testCloseCompletesPendingCommands() throws Exception {
+    connectionBuilder.queueLimit(2);
+    CountDownLatch latch = new CountDownLatch(1);
+    stubTestServerConnectAndResponseBehaviourWithRequestLatch(server, latch);
+    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+      CompletableFuture<String> future1 = connection.send("request1");
+      CompletableFuture<String> future2 = connection.send("request2");
+      await().until(() -> connection.getPendingSize() == 1 && connection.getQueuedSize() == 1);
+      connection.close();
+      Exception ex = assertThrows(Exception.class, future1::get);
+      assertThat(ex.getMessage(), containsString("connection clos"));
+      ex = assertThrows(Exception.class, future2::get);
+      assertThat(ex.getMessage(), containsString("connection clos"));
+    } finally {
+      latch.countDown();
+    }
+  }
+
+  @Test
+  void testConsumerExceptionsAreLogged() throws Exception {
+    stubTestServerConnectAndAndAutomaticNotification(server);
+    Logger logger = mock(Logger.class);
+    connectionBuilder.log(logger);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      connection.sendSync("monitor", s -> {
+        throw new RuntimeException("deliberate");
+      });
+      ArgumentCaptor<Throwable> captor = ArgumentCaptor.forClass(Throwable.class);
+      verify(logger).error(eq("exception in handler"), captor.capture());
+      assertThat(captor.getValue().getMessage(), containsString("deliberate"));
+    }
+  }
+
+  @Test
+  void testHeartbeating() throws Exception {
+    connectionBuilder.heartbeatMillis(250L);
+    try (AtClientConnection connection = connectionBuilder.build()) {
+      await().until(() -> server.peek() != null);
+      assertThat(server.poll(), equalTo("noop:0"));
+      await().until(() -> server.peek() != null);
+      assertThat(server.poll(), equalTo("noop:0"));
+    }
+  }
+
+  private class TestEndPointSupplier implements AtEndpointSupplier {
+
+    int invocationCount;
+
+    @Override
+    public String get() {
+      invocationCount++;
+      return "localhost:" + server.getPort();
+    }
+  }
+
+  private static final class TestReconnectStrategy extends SimpleReconnectStrategy {
+
+    boolean reconnectNoLimit;
+    Throwable connectException;
+    int connectFailCount;
+    Throwable disconnectException;
+    int disconnectCount;
+
+    @Builder(builderMethodName = "testBuilder")
+    public TestReconnectStrategy(long maxReconnectRetries, int resolveEndpointFrequency, long reconnectPauseMillis) {
+      super(maxReconnectRetries, resolveEndpointFrequency, reconnectPauseMillis);
+    }
+
+    @Override
+    public void onConnectFailure(Throwable connectException) {
+      connectFailCount++;
+      this.connectException = connectException;
+      super.onConnectFailure(connectException);
+    }
+
+    @Override
+    public void onDisconnect(Throwable disconnectException) {
+      disconnectCount++;
+      this.disconnectException = disconnectException;
+      super.onDisconnect(disconnectException);
+    }
+
+    @Override
+    public boolean isReconnectSupported() {
+      return reconnectNoLimit || super.isReconnectSupported();
+    }
+
+    public void reconnectNoLimit() {
+      reconnectNoLimit = true;
+    }
+  }
+
+  private static void stubTestServerConnectAndResponseBehaviour(TestServer server) {
+    server.setRequestHandler(s -> testServerResponse(server, s));
+  }
+
+  private static void stubTestServerConnectAndAndAutomaticNotification(TestServer server) {
+    server.setRequestHandler(s -> testServerResponseWithAutomaticNotification(server, s));
+  }
+
+  private static void stubTestServerConnectAndResponseBehaviourWithRequestLatch(TestServer server,
+                                                                                CountDownLatch latch) {
+    server.setRequestHandler(request -> {
+      if (request != null) {
+        awaitLatch(latch);
+      }
+      testServerResponse(server, request);
+    });
+  }
+
+  private static void stubTestServerConnectAndResponseBehaviourWithConnectLatch(TestServer server,
+                                                                                CountDownLatch latch) {
+    server.setRequestHandler(request -> {
+      if (request == null) {
+        awaitLatch(latch);
+      }
+      testServerResponse(server, request);
+    });
+  }
+
+  private static void stubTestServerToCloseClientSocketOnRequest(TestServer server) {
+    stubTestServerToCloseClientSocketOnRequest(server, null, null, 0);
+  }
+
+  private static void stubTestServerToCloseClientSocketOnRequest(TestServer server,
+                                                                 CountDownLatch latch,
+                                                                 TestClock clock,
+                                                                 long elapsedMillis) {
+    AtomicInteger invocationCount = new AtomicInteger(0);
+    server.setRequestHandler(request -> {
+      if (request != null && invocationCount.incrementAndGet() == 1) {
+        awaitLatch(latch);
+        log.info("deliberately closing client socket as part of test");
+        server.closeClientSocket();
+        if (clock != null) {
+          clock.advance(elapsedMillis);
+        }
+      } else {
+        testServerResponse(server, request);
+      }
+    });
+  }
+
+  private static void awaitLatch(CountDownLatch latch) {
+    if (latch != null) {
+      try {
+        latch.await();
+      } catch (InterruptedException e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  private static void testServerResponse(TestServer server, String command) {
+    if (command == null) {
+      // invoked on connect
+      server.writeAndFlush("@");
+    } else if (command.equals("request")) {
+      server.writeAndFlush("response\n@");
+    } else if (command.startsWith("request")) {
+      String suffix = command.replace("request", "");
+      server.writeAndFlush("response" + suffix + "\n@");
+    }
+  }
+
+  private static void testServerResponseWithAutomaticNotification(TestServer server, String command) {
+    if (command == null) {
+      // invoked on connect
+      server.writeAndFlush("@");
+    } else if (command.equals("request")) {
+      server.writeAndFlush("response\n@");
+    } else if (command.startsWith("request")) {
+      String suffix = command.replace("request", "");
+      server.writeAndFlush("response" + suffix + "\n@");
+    } else if (command.equals("monitor")) {
+      server.writeAndFlush("notification:xyz\n");
+    }
+  }
+
+  static class TestClock extends Clock {
+
+    private final AtomicReference<Instant> instant = new AtomicReference<>();
+
+    private final ZoneId zone;
+
+    TestClock() {
+      this.instant.set(Instant.now());
+      this.zone = ZoneId.systemDefault();
+    }
+
+    void advance(long millis) {
+      instant.set(instant.get().plus(Duration.ofMillis(millis)));
+    }
+
+    @Override
+    public Instant instant() {
+      return instant.get();
+    }
+
+    @Override
+    public ZoneId getZone() {
+      return zone;
+    }
+
+    @Override
+    public Clock withZone(ZoneId zone) {
+      return this;
+    }
+  }
+
+  private static void sleep(long millis) {
+    try {
+      Thread.sleep(millis);
+    } catch (InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java
new file mode 100644
index 00000000..56fc22b8
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java
@@ -0,0 +1,49 @@
+package org.atsign.client.connection.netty;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.embedded.EmbeddedChannel;
+
+class NettyAtCommandEncoderTest {
+
+  private EmbeddedChannel channel;
+
+  @BeforeEach
+  public void setup() {
+    channel = new EmbeddedChannel(new NettyAtCommandEncoder());
+  }
+
+  @Test
+  public void testEncode() {
+    channel.writeOutbound("scan");
+    byte[] expected = new byte[] {'s', 'c', 'a', 'n', '\n'};
+    assertMatch(channel.readOutbound(), expected);
+  }
+
+  @Test
+  public void testEncodeEmptyString() {
+    channel.writeOutbound("");
+    byte[] expected = new byte[] {'\n'};
+    assertMatch(channel.readOutbound(), expected);
+  }
+
+  @Test
+  public void testEncodeWithNewline() {
+    channel.writeOutbound("scan\n");
+    byte[] expected = new byte[] {'s', 'c', 'a', 'n', '\n'};
+    assertMatch(channel.readOutbound(), expected);
+  }
+
+  private static void assertMatch(ByteBuf buf, byte[] expected) {
+    assertThat(buf.readableBytes(), equalTo(expected.length));
+    for (int i = 0; i < expected.length; i++) {
+      assertThat(buf.getByte(i), equalTo(expected[i]));
+    }
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java
new file mode 100644
index 00000000..f996ac9b
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java
@@ -0,0 +1,107 @@
+package org.atsign.client.connection.netty;
+
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.io.IOException;
+
+import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class NettyAtEndpointSupplierTest {
+
+  private static TestServer TEST_SERVER;
+
+  @BeforeAll
+  public static void setupAll() throws Exception {
+    TEST_SERVER = new TestServer();
+  }
+
+  @AfterAll
+  public static void teardownAll() throws Exception {
+    TEST_SERVER.close();
+  }
+
+  @BeforeEach
+  public void setup() throws IOException {
+    TEST_SERVER.setRequestHandler(s -> {
+      if (s == null) {
+        // invoked on connect
+        TEST_SERVER.writeAndFlush("@");
+      } else if (s.equals("colin")) {
+        TEST_SERVER.writeAndFlush("host:60001\r\n@");
+      } else {
+        TEST_SERVER.writeAndFlush("null\r\n@");
+      }
+    });
+    TEST_SERVER.reset();
+  }
+
+  @Test
+  void testMandatoryFields() throws Exception {
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> NettyAtEndpointSupplier.builder().build());
+    assertThat(ex.getMessage(), containsString("atSign not set"));
+    ex = assertThrows(IllegalArgumentException.class,
+                      () -> NettyAtEndpointSupplier.builder().atsign(createAtSign("colin")).build());
+    assertThat(ex.getMessage(), containsString("rootUrl not set"));
+  }
+
+  @Test
+  void testConnectAndResolve() throws Exception {
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("localhost:" + TEST_SERVER.getPort())
+        .atsign(createAtSign("colin"))
+        .sslContext(TEST_SERVER.getClientSslContext())
+        .build();
+    assertThat(provider.get(), equalTo("host:60001"));
+  }
+
+  @Test
+  void testConnectAndResolveFail() throws Exception {
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("localhost:" + TEST_SERVER.getPort())
+        .atsign(createAtSign("gary"))
+        .sslContext(TEST_SERVER.getClientSslContext())
+        .build();
+    AtSecondaryNotFoundException ex = assertThrows(AtSecondaryNotFoundException.class, () -> provider.get());
+    assertThat(ex.getMessage(), containsString("unable to resolve the endpoint for @gary"));
+  }
+
+  @Test
+  void testResolveFailIfUnableToConnect() throws Exception {
+    TEST_SERVER.closeServerSocket();
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("localhost:" + TEST_SERVER.getPort())
+        .atsign(createAtSign("colin"))
+        .sslContext(TEST_SERVER.getClientSslContext())
+        .build();
+    AtSecondaryNotFoundException ex = assertThrows(AtSecondaryNotFoundException.class, () -> provider.get());
+    assertThat(ex.getMessage(), containsString("unable to resolve the endpoint for @colin"));
+  }
+
+  @Test
+  void testResolveFailIfNoResponse() throws Exception {
+    TEST_SERVER.setRequestHandler(s -> {
+      if (s == null) {
+        // invoked on connect
+        TEST_SERVER.writeAndFlush("@");
+      }
+      // but no response for anything else
+    });
+    NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
+        .rootUrl("localhost:" + TEST_SERVER.getPort())
+        .atsign(createAtSign("colin"))
+        .sslContext(TEST_SERVER.getClientSslContext())
+        .build();
+    AtSecondaryNotFoundException ex = assertThrows(AtSecondaryNotFoundException.class, () -> provider.get());
+    assertThat(ex.getMessage(), containsString("unable to resolve the endpoint for @colin"));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java
new file mode 100644
index 00000000..dcd981ec
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java
@@ -0,0 +1,140 @@
+package org.atsign.client.connection.netty;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.hamcrest.Matcher;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import io.netty.buffer.Unpooled;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.util.CharsetUtil;
+
+class NettyAtServerResponseDecoderTest {
+
+  private EmbeddedChannel channel;
+
+  @BeforeEach
+  public void setup() {
+    channel = new EmbeddedChannel(new NettyAtResponseDecoder(1024));
+  }
+
+  @Test
+  void testDecodeInitialPrompt() {
+    writeInbound(channel, "@");
+    assertReadInbound(channel, equalTo("@"));
+  }
+
+  @Test
+  void testDecodeAuthenticatedPrompt() {
+    writeInbound(channel, "@gary@");
+    assertReadInbound(channel, equalTo("@gary@"));
+  }
+
+  @Test
+  void testDecodeResponse() {
+    writeInbound(channel, "data:success\n");
+    assertReadInbound(channel, equalTo("data:success"));
+  }
+
+  @Test
+  void testDecodeResponseWithCrlf() {
+    writeInbound(channel, "data:success\r\n");
+    assertReadInbound(channel, equalTo("data:success"));
+  }
+
+  @Test
+  void testDecodeResponseAndPrompt() {
+    writeInbound(channel, "data:success\n@");
+    assertReadInbound(channel, equalTo("data:success"), equalTo("@"));
+  }
+
+  @Test
+  void testDecodeResponseAndAuthenticatedPrompt() {
+    writeInbound(channel, "data:success\n@gary@");
+    assertReadInbound(channel, equalTo("data:success"), equalTo("@gary@"));
+  }
+
+  @Test
+  void testDecodeSequence() {
+    writeInbound(channel, "@data:_183dece2-5cb6\n@data:success\n@gary@");
+    assertReadInbound(channel, equalTo("@"),
+                      equalTo("data:_183dece2-5cb6"),
+                      equalTo("@"),
+                      equalTo("data:success"),
+                      equalTo("@gary@"));
+  }
+
+  @Test
+  void testDecodeSequenceWhereTheResponseIsFragmented() {
+    writeInbound(channel, "@data:_183dece2");
+    writeInbound(channel, "-5cb6\n@data:success\n@gary@");
+    assertReadInbound(channel, equalTo("@"),
+                      equalTo("data:_183dece2-5cb6"),
+                      equalTo("@"),
+                      equalTo("data:success"),
+                      equalTo("@gary@"));
+  }
+
+  @Test
+  void testDecodeSequenceWhereTheAuthenticatedPromptIsFragmented() {
+    writeInbound(channel, "@data:_183dece2-5cb6\n@data:success\n@gar");
+    writeInbound(channel, "y@");
+    assertReadInbound(channel, equalTo("@"),
+                      equalTo("data:_183dece2-5cb6"),
+                      equalTo("@"),
+                      equalTo("data:success"),
+                      equalTo("@gary@"));
+  }
+
+  @Test
+  void testDecodeSequenceWhereResponseContainsAnAtSymbol() {
+    writeInbound(channel, "@data:[\"@gary:signing_privatekey@gary\"" +
+        ",\"public:pkaminstalled@gary\"]\n@");
+    assertReadInbound(channel, equalTo("@"),
+                      equalTo("data:[\"@gary:signing_privatekey@gary\",\"public:pkaminstalled@gary\"]"),
+                      equalTo("@"));
+  }
+
+  @Test
+  void testDecodeSequenceWhereResponseContainsAnAtSymbolAndThePromptIsAuthenticated() {
+    writeInbound(channel, "@gary@data:[\"@gary:signing_privatekey@gary\"" +
+        ",\"public:pkaminstalled@gary\"]\n@gary@");
+    assertReadInbound(channel, equalTo("@gary@"),
+                      equalTo("data:[\"@gary:signing_privatekey@gary\",\"public:pkaminstalled@gary\"]"),
+                      equalTo("@gary@"));
+  }
+
+
+  @Test
+  void testDecodeSequenceWhereResponseContainsAnAtSymbolAndThePromptIsAuthenticatedAndFragmented() {
+    writeInbound(channel, "@gar");
+    writeInbound(channel, "y@data");
+    writeInbound(channel, ":[\"@gary:signing_privatekey");
+    writeInbound(channel, "@gary\",\"public:pkaminstalled@gary\"]\n@gary@");
+    assertReadInbound(channel, equalTo("@gary@"),
+                      equalTo("data:[\"@gary:signing_privatekey@gary\",\"public:pkaminstalled@gary\"]"),
+                      equalTo("@gary@"));
+  }
+
+  @Test
+  void testMaxFrameSize() {
+    EmbeddedChannel channel = new EmbeddedChannel(new NettyAtResponseDecoder(10));
+    writeInbound(channel, "0123456789");
+    Exception ex = assertThrows(Exception.class, () -> writeInbound(channel, "1"));
+    assertThat(ex.getMessage(), containsString("buffer exceeds maxFrameSize [10]"));
+  }
+
+  private static void writeInbound(EmbeddedChannel channel, String s) {
+    channel.writeInbound(Unpooled.copiedBuffer(s, CharsetUtil.UTF_8));
+  }
+
+  private static void assertReadInbound(EmbeddedChannel channel, Matcher<String>... matchers) {
+    for (Matcher<String> matcher : matchers) {
+      assertThat(channel.readInbound(), matcher);
+    }
+    assertThat(channel.readInbound(), nullValue());
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java b/at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java
new file mode 100644
index 00000000..a605f273
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java
@@ -0,0 +1,262 @@
+package org.atsign.client.connection.netty;
+
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.atsign.client.util.Preconditions.checkNotNull;
+
+import java.io.*;
+import java.math.BigInteger;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.security.*;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingQueue;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.function.Consumer;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+import lombok.Getter;
+import lombok.Setter;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class TestServer implements AutoCloseable {
+
+  @Getter
+  private int port;
+  @Getter
+  private final SSLContext clientSslContext;
+
+  private final SSLServerSocketFactory factory;
+  private volatile ServerSocket serverSocket;
+  private volatile Socket socket;
+  private volatile PrintWriter writer;
+  private volatile BufferedReader reader;
+
+  private final BlockingQueue<String> received = new LinkedBlockingQueue<>();
+
+  @Setter
+  private Consumer<String> requestHandler = x -> {
+  };
+
+  private AtomicBoolean isAccept = new AtomicBoolean(true);
+
+  private AtomicBoolean shutdown = new AtomicBoolean();
+
+  private final Thread workerThread;
+
+  public TestServer() throws Exception {
+    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+    kpg.initialize(2048, new SecureRandom());
+    KeyPair keyPair = kpg.generateKeyPair();
+    X509Certificate cert = generateSelfSignedCert(keyPair);
+    SSLContext serverCtx = buildServerSslContext(keyPair.getPrivate(), cert);
+    factory = serverCtx.getServerSocketFactory();
+    clientSslContext = buildClientSslContext(cert);
+    newServerSocketNewPort();
+    workerThread = new Thread(() -> {
+      while (!shutdown.get()) {
+        try {
+          if (serverSocket != null && socket == null && isAccept.get()) {
+            log.debug("accepting on {}", serverSocket.getLocalPort());
+            socket = serverSocket.accept();
+            writer = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())), false);
+            reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
+            requestHandler.accept(null);
+          } else if (socket != null) {
+            try {
+              String request = reader.readLine();
+              if (request != null) {
+                received.add(request);
+                requestHandler.accept(request);
+              } else {
+                closeClientSocket();
+              }
+            } catch (Exception e) {
+              closeClientSocket();
+            }
+          } else {
+            if (serverSocket == null) {
+              log.debug("sleeping (no server socket)...");
+            } else if (!isAccept.get()) {
+              log.debug("sleeping (server socket is not accepting)...");
+            } else {
+              log.debug("sleeping...");
+            }
+            sleepNoThrow(100, MILLISECONDS);
+          }
+        } catch (Exception e) {
+          log.debug("unexpected exception", e);
+        }
+      }
+    });
+    workerThread.setDaemon(true);
+    workerThread.start();
+  }
+
+  private static void sleepNoThrow(long duration, TimeUnit unit) {
+    try {
+      Thread.sleep(unit.toMillis(duration));
+    } catch (InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public String poll() {
+    return received.poll();
+  }
+
+  public String peek() {
+    return received.peek();
+  }
+
+  public TestServer writeAndFlush(String... messages) {
+    for (String message : messages) {
+      try {
+        checkNotNull(writer).print(message);
+        writer.flush();
+      } catch (Exception e) {
+        closeClientSocket();
+      }
+    }
+    return this;
+  }
+
+  public void closeClientSocket() {
+    try {
+      closeNoThrow(writer, reader, socket);
+    } finally {
+      socket = null;
+    }
+  }
+
+  public void closeServerSocket() {
+    try {
+      closeNoThrow(serverSocket, socket, reader, writer);
+    } finally {
+      serverSocket = null;
+      socket = null;
+    }
+  }
+
+  public void accept() {
+    boolean previous = isAccept.getAndSet(true);
+    if (!previous) {
+      log.info("accept is now unblocked");
+    }
+  }
+
+  public void newServerSocket() {
+    newServerSocket(true, true);
+  }
+
+  public void newServerSocketWithoutAccept() {
+    newServerSocket(true, false);
+  }
+
+  public void newServerSocketNewPort() {
+    newServerSocket(false, true);
+  }
+
+  protected void newServerSocket(boolean reusePort, boolean autoAccept) {
+    if (serverSocket != null) {
+      throw new IllegalStateException("the server socket has not been closed");
+    }
+    try {
+      isAccept.set(autoAccept);
+      serverSocket = factory.createServerSocket(reusePort ? port : 0);
+      port = serverSocket.getLocalPort();
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public void reset() throws IOException {
+    closeNoThrow(reader, writer, socket);
+    socket = null;
+    if (serverSocket == null) {
+      newServerSocket(true, true);
+    }
+    received.clear();
+  }
+
+
+  @Override
+  public void close() throws InterruptedException {
+    shutdown.set(true);
+    closeNoThrow(writer, reader, socket, serverSocket);
+    workerThread.join();
+  }
+
+  private static void closeNoThrow(Closeable... closeables) {
+    for (Closeable closeable : closeables) {
+      if (closeable != null) {
+        try {
+          closeable.close();
+        } catch (IOException e) {
+        }
+      }
+    }
+  }
+
+  private static X509Certificate generateSelfSignedCert(KeyPair keyPair) throws Exception {
+    Instant now = Instant.now();
+    Instant expiry = now.plus(1, ChronoUnit.DAYS);
+
+    X500Name subject = new X500Name("CN=MockSocketServer,O=Test,C=US");
+
+    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+        subject,
+        BigInteger.valueOf(System.currentTimeMillis()),
+        Date.from(now),
+        Date.from(expiry),
+        subject,
+        keyPair.getPublic());
+
+    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
+        .build(keyPair.getPrivate());
+
+    return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
+  }
+
+  private static SSLContext buildServerSslContext(PrivateKey privateKey,
+                                                  X509Certificate cert)
+      throws Exception {
+    KeyStore ks = KeyStore.getInstance("PKCS12");
+    ks.load(null, null);
+    ks.setKeyEntry("mock", privateKey, new char[0], new X509Certificate[] {cert});
+
+    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+    kmf.init(ks, new char[0]);
+
+    SSLContext ctx = SSLContext.getInstance("TLS");
+    ctx.init(kmf.getKeyManagers(), null, new SecureRandom());
+    return ctx;
+  }
+
+  private static SSLContext buildClientSslContext(X509Certificate cert) throws Exception {
+    KeyStore ts = KeyStore.getInstance("PKCS12");
+    ts.load(null, null);
+    ts.setCertificateEntry("mock-server", cert);
+    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    tmf.init(ts);
+    SSLContext ctx = SSLContext.getInstance("TLS");
+    ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
+    return ctx;
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java
new file mode 100644
index 00000000..dc49556a
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java
@@ -0,0 +1,185 @@
+package org.atsign.client.connection.protocol;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.protocol.AtExceptions.AtClientConnectionCommand;
+import org.atsign.common.AtException;
+import org.atsign.common.exceptions.*;
+import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.junit.jupiter.api.Test;
+
+public class AtExceptionsTest {
+
+  @Test
+  public void testServerRuntimeExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtServerRuntimeException.CODE, "msg");
+    assertThat(e, instanceOf(AtServerRuntimeException.class));
+    assertThat(e.getMessage(), is("msg"));
+  }
+
+  @Test
+  public void testInvalidSyntaxExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtInvalidSyntaxException.CODE, "msg");
+    assertThat(e, instanceOf(AtInvalidSyntaxException.class));
+  }
+
+  @Test
+  public void testBufferOverflowExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtBufferOverFlowException.CODE, "msg");
+    assertThat(e, instanceOf(AtBufferOverFlowException.class));
+  }
+
+  @Test
+  public void testOutboundConnectionLimitExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtOutboundConnectionLimitException.CODE, "msg");
+    assertThat(e, instanceOf(AtOutboundConnectionLimitException.class));
+  }
+
+  @Test
+  public void testSecondaryNotFoundExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtSecondaryNotFoundException.CODE, "msg");
+    assertThat(e, instanceOf(AtSecondaryNotFoundException.class));
+  }
+
+  @Test
+  public void testHandshakeExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtHandShakeException.CODE, "msg");
+    assertThat(e, instanceOf(AtHandShakeException.class));
+  }
+
+  @Test
+  public void testUnauthorizedExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtUnauthorizedException.CODE, "msg");
+    assertThat(e, instanceOf(AtUnauthorizedException.class));
+  }
+
+  @Test
+  public void testInternalServerErrorMapping() {
+    AtException e = AtExceptions.toTypedException(AtInternalServerError.CODE, "msg");
+    assertThat(e, instanceOf(AtInternalServerError.class));
+  }
+
+  @Test
+  public void testInternalServerExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtInternalServerException.CODE, "msg");
+    assertThat(e, instanceOf(AtInternalServerException.class));
+  }
+
+  @Test
+  public void testInboundConnectionLimitExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtInboundConnectionLimitException.CODE, "msg");
+    assertThat(e, instanceOf(AtInboundConnectionLimitException.class));
+  }
+
+  @Test
+  public void testBlockedConnectionExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtBlockedConnectionException.CODE, "msg");
+    assertThat(e, instanceOf(AtBlockedConnectionException.class));
+  }
+
+  @Test
+  public void testKeyNotFoundExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtKeyNotFoundException.CODE, "msg");
+    assertThat(e, instanceOf(AtKeyNotFoundException.class));
+  }
+
+  @Test
+  public void testInvalidAtKeyExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtInvalidAtKeyException.CODE, "msg");
+    assertThat(e, instanceOf(AtInvalidAtKeyException.class));
+  }
+
+  @Test
+  public void testSecondaryConnectExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtSecondaryConnectException.CODE, "msg");
+    assertThat(e, instanceOf(AtSecondaryConnectException.class));
+  }
+
+  @Test
+  public void testIllegalArgumentExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtIllegalArgumentException.CODE, "msg");
+    assertThat(e, instanceOf(AtIllegalArgumentException.class));
+  }
+
+  @Test
+  public void testTimeoutExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtTimeoutException.CODE, "msg");
+    assertThat(e, instanceOf(AtTimeoutException.class));
+  }
+
+  @Test
+  public void testServerIsPausedExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtServerIsPausedException.CODE, "msg");
+    assertThat(e, instanceOf(AtServerIsPausedException.class));
+  }
+
+  @Test
+  public void testUnauthenticatedExceptionMapping() {
+    AtException e = AtExceptions.toTypedException(AtUnauthenticatedException.CODE, "msg");
+    assertThat(e, instanceOf(AtUnauthenticatedException.class));
+  }
+
+  @Test
+  public void testUnknownCodeReturnsNewErrorCodeException() {
+    AtException e = AtExceptions.toTypedException("UNKNOWN_CODE", "msg");
+    assertThat(e, instanceOf(AtNewErrorCodeWhoDisException.class));
+  }
+
+  @Test
+  public void testThrowOnReadyExceptionWrapsAtException() {
+    AtClientConnectionCommand command = connection -> {
+      throw new AtUnauthorizedException("deliberate");
+    };
+    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
+    AtClientConnection connection = mock(AtClientConnection.class);
+
+    AtOnReadyException ex = assertThrows(AtOnReadyException.class, () -> consumer.accept(connection));
+    assertThat(ex.getMessage(), containsString("deliberate"));
+    assertThat(ex.getCause(), instanceOf(AtUnauthorizedException.class));
+  }
+
+  @Test
+  public void testThrowOnReadyExceptionWrapsExecutionException() {
+    AtClientConnectionCommand command = connection -> {
+      throw new ExecutionException(new RuntimeException("deliberate"));
+    };
+    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
+    AtClientConnection connection = mock(AtClientConnection.class);
+
+    RuntimeException ex = assertThrows(RuntimeException.class, () -> consumer.accept(connection));
+    assertThat(ex.getCause(), instanceOf(ExecutionException.class));
+  }
+
+  @Test
+  public void testThrowOnReadyExceptionWrapsInterruptedException() {
+    AtClientConnectionCommand command = connection -> {
+      throw new InterruptedException("deliberate");
+    };
+    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
+    AtClientConnection connection = mock(AtClientConnection.class);
+
+    RuntimeException ex = assertThrows(RuntimeException.class, () -> consumer.accept(connection));
+    assertThat(ex.getCause(), instanceOf(InterruptedException.class));
+  }
+
+  @Test
+  public void testThrowOnReadyExceptionInvokesWrappedCommand()
+      throws AtException, ExecutionException, InterruptedException {
+    AtClientConnectionCommand command = mock(AtClientConnectionCommand.class);
+    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
+    AtClientConnection connection = mock(AtClientConnection.class);
+
+    consumer.accept(connection);
+
+    verify(command).run(connection);
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java
new file mode 100644
index 00000000..f0ebd1cf
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java
@@ -0,0 +1,94 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
+import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.exceptions.AtOnReadyException;
+import org.atsign.common.exceptions.AtUnauthenticatedException;
+import org.junit.jupiter.api.Test;
+
+public class AuthenticationTest {
+
+  @Test
+  public void testAuthenticateWithCramDoesNotThrowException() throws Exception {
+    AtClientConnection conn = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("cram:7e91508d5.+", "data:success")
+        .build();
+
+    Authentication.authenticateWithCram(conn, createAtSign("@alice"), "secret");
+  }
+
+  @Test
+  public void testAuthenticateWithCramFailThrowsExpectedException() throws Exception {
+    AtClientConnection conn = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("cram:.+", "error:AT0401:deliberate")
+        .build();
+
+    Exception ex = assertThrows(AtUnauthenticatedException.class,
+                                () -> Authentication.authenticateWithCram(conn, createAtSign("@alice"), "secret"));
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+
+  @Test
+  public void testAuthenticateWithPkamDoesNotThrowException() throws Exception {
+    AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).build();
+    AtClientConnection conn = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("pkam:[^{].+", "data:success")
+        .build();
+
+    Authentication.authenticateWithPkam(conn, createAtSign("@alice"), keys);
+  }
+
+  @Test
+  public void testAuthenticateWithApkamWithEnrollmentId() throws Exception {
+    AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).enrollmentId(createEnrollmentId("12345")).build();
+    AtClientConnection conn = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("pkam:signingAlgo:rsa2048:hashingAlgo:sha256:enrollmentId:12345:.+", "data:success")
+        .build();
+
+    Authentication.authenticateWithPkam(conn, createAtSign("@alice"), keys);
+  }
+
+  @Test
+  public void testAuthenticateWithApkamFailThrowsExpectedException() throws Exception {
+    AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).enrollmentId(createEnrollmentId("12345")).build();
+    AtClientConnection conn = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("pkam:.+", "error:AT0401:deliberate")
+        .build();
+
+    Exception ex = assertThrows(AtUnauthenticatedException.class,
+                                () -> Authentication.authenticateWithPkam(conn, createAtSign("@alice"), keys));
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+
+  @Test
+  public void testPkamAuthenticatorThrowsOnReadyException() throws Exception {
+    AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).enrollmentId(createEnrollmentId("12345")).build();
+    AtClientConnection conn = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("pkam:.+", "error:AT0401:deliberate")
+        .build();
+
+    Exception ex = assertThrows(Exception.class,
+                                () -> Authentication.pkamAuthenticator(createAtSign("@alice"), keys).accept(conn));
+    assertThat(ex, instanceOf(AtOnReadyException.class));
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+
+  @Test
+  public void testBytesToHex() throws Exception {
+    byte[] bytes = new byte[] {(byte) 0x00, (byte) 0x0f, (byte) 0xff};
+    assertThat(Authentication.bytesToHex(bytes), is("000fff"));
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java
new file mode 100644
index 00000000..4adaa8b3
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java
@@ -0,0 +1,99 @@
+package org.atsign.client.connection.protocol;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.Map;
+
+import org.atsign.common.Metadata;
+import org.atsign.common.response_models.LookupResponse;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Test;
+
+public class DataTest {
+
+  @Test
+  public void testMatchDataSuccess() {
+    assertThat(Data.matchDataSuccess("data:success"), is("success"));
+  }
+
+  @Test
+  public void testMatchDataSuccessThrowException() {
+    Exception ex = assertThrows(Exception.class, () -> Data.matchDataSuccess("error:epicfail"));
+    assertThat(ex.getMessage(), containsString("expected [data:(success)] but input was : error:epicfail"));
+  }
+
+  @Test
+  public void testMatchDataStringNoWhitespace() {
+    assertThat(Data.matchDataStringNoWhitespace("data:somestring"), is("somestring"));
+  }
+
+  @Test
+  public void testMatchDataStringNoWhitespaceThrowException() {
+    assertThrows(Exception.class, () -> Data.matchDataStringNoWhitespace("data:some string with spaces"));
+  }
+
+  @Test
+  public void testMatchData() {
+    assertThat(Data.matchData("data:some string"), is("some string"));
+    assertThat(Data.matchData("data:{\"member\":value}"), is("{\"member\":value}"));
+  }
+
+  @Test
+  public void testMatchDataInt() {
+    assertThat(Data.matchDataInt("data:42"), is(42));
+  }
+
+  @Test
+  public void testMatchDataNegativeInt() {
+    assertThat(Data.matchDataInt("data:-42"), is(-42));
+  }
+
+  @Test
+  public void testMatchDataJsonList() {
+    assertThat(Data.matchDataJsonList("data:[1,2,3]"), contains(1, 2, 3));
+  }
+
+  @Test
+  public void testMatchDataJsonListOfStrings() {
+    assertThat(Data.matchDataJsonListOfStrings("data:[\"a\",\"b\"]"), contains("a", "b"));
+  }
+
+  @Test
+  public void testMatchDataJsonMapOfStringsNonEmpty() {
+    assertThat(Data.matchDataJsonMapOfStrings("data:{\"k\":\"v\"}"), hasEntry("k", "v"));
+  }
+
+  @Test
+  public void testMatchDataJsonMapOfStringsAllowEmpty() {
+    Map<String, String> result = Data.matchDataJsonMapOfStrings("data:{}", true);
+    assertThat(result.entrySet(), Matchers.empty());
+  }
+
+  @Test
+  public void testMatchDataJsonMapOfObjectsNonEmpty() {
+    Map<String, Object> result = Data.matchDataJsonMapOfObjects("data:{\"k\":42}");
+    assertThat(result.get("k"), is(42));
+  }
+
+  @Test
+  public void testMatchDataJsonMapOfObjectsAllowEmpty() {
+    Map<String, Object> result = Data.matchDataJsonMapOfObjects("data:{}", true);
+    assertThat(result.isEmpty(), is(true));
+  }
+
+  @Test
+  public void testMatchLookupResponse() {
+    String json = "data:{\"data\":\"xyz\"}";
+    LookupResponse result = Data.matchLookupResponse(json);
+    assertThat(result.data, is("xyz"));
+  }
+
+  @Test
+  public void testMatchMetadata() {
+    String json = "data:{\"ttr\":0}";
+    Metadata result = Data.matchMetadata(json);
+    assertThat(result.ttr(), is(0L));
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java
new file mode 100644
index 00000000..dc352a4c
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java
@@ -0,0 +1,250 @@
+package org.atsign.client.connection.protocol;
+
+import static java.lang.String.format;
+import static java.util.Collections.singletonMap;
+import static org.atsign.client.util.EncryptionUtil.*;
+import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.List;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.util.EnrollmentId;
+import org.atsign.common.AtException;
+import org.atsign.common.AtSign;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.junit.jupiter.api.Test;
+
+public class EnrollTest {
+
+  public static final String RSA_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi0ZpMHagomCnC6MX" +
+      "GIRbG9our0NsmPsSPLKSpL/BbJU8nMqwbsSVlDoW9LX8h8yyLeMDC/AsrHjF3jviXWEYNQhZTZohPP" +
+      "ioFSEMUHv9N1OC67KoMvZNRU1hEKe2kOaXUQl/Bud257QKl4I9bxr7L1qZD+TPrzclKGKgkKtWDB6M" +
+      "+nlql3wFUGRny3RWEjNvLdv0XsIfQwQPO16dZ9vYSXHTiFueqRuTu+HjBVjWudnV2eERpdMq5Hg+Mst" +
+      "TYE1uCPuLR5+dcn6UaW1b2H6X9o4ps46BMKLr+xa+/E0EBdAQIhd0QP5O3/ZNLbhJnn7jB+QokmNKoKVN55p7yu0QdwIDAQAB";
+
+  public static final String AES_KEY = "U1xSuG5yjRTolsqoXFcHaSw4al0UJAiWF9Ae3wQ20uM=";
+
+  public static final String IV = "9OD1f3XTbZjz0fWJcw/5Ww==";
+
+
+  @Test
+  public void testDeleteCramSecretDoesNotThrowException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("delete:privatekey:at_secret", "data:1")
+        .build();
+
+    Enroll.deleteCramSecret(connection);
+  }
+
+  @Test
+  public void testDeleteCramSecretThrowsException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("delete:privatekey:at_secret", "error:AT0001:deliberate")
+        .build();
+
+    assertThrows(AtServerRuntimeException.class, () -> Enroll.deleteCramSecret(connection));
+  }
+
+  @Test
+  public void testOnboardThrowsExceptionIfSigningPublicKeyIsMissing() throws Exception {
+    AtSign atSign = createAtSign("@alice");
+    AtKeys keys = AtKeys.builder()
+        .apkamKeyPair(generateRSAKeyPair())
+        .encryptKeyPair(generateRSAKeyPair())
+        .build();
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("scan", "data:[\"signing_publickey@gary\"]")
+        .build();
+
+    Exception ex = assertThrows(Exception.class,
+                                () -> Enroll.onboard(connection, atSign, keys, "secret", "app", "device", false));
+    assertThat(ex.getMessage(), containsString("not connected to the atsign's at server"));
+  }
+
+  @Test
+  void testOtpSendsExpectedCommandAndMatchesExpectedResponse() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("otp:get", "data:ABC123")
+        .build();
+
+    assertThat(Enroll.otp(connection), equalTo("ABC123"));
+  }
+
+  @Test
+  void testOtpThrowsExceptionOnError() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("otp:get", "error:AT0013:deliberate")
+        .build();
+
+    assertThrows(AtException.class, () -> Enroll.otp(connection));
+  }
+
+  @Test
+  public void testOnboard() throws Exception {
+    AtSign atSign = createAtSign("@alice");
+    AtKeys keys = AtKeys.builder()
+        .apkamKeyPair(generateRSAKeyPair())
+        .encryptKeyPair(generateRSAKeyPair())
+        .build();
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("scan", "data:[\"signing_publickey@alice\"]")
+        .stub("from:@alice", "data:challenge")
+        .stub("cram:7e91508d5.+", "data:success")
+        .stub("enroll:request.+", "data:{\"enrollmentId\":\"904dcbf7\",\"status\":\"approved\"}")
+        .stub("pkam:[^{].+", "data:success")
+        .stub("update:public:publickey@alice .+", "data:1")
+        .build();
+
+    AtKeys newKeys = Enroll.onboard(connection, atSign, keys, "secret", "app", "device", false);
+
+    assertThat(newKeys, is(not(sameInstance(keys))));
+    assertThat(newKeys.getEnrollmentId(), equalTo(createEnrollmentId("904dcbf7")));
+  }
+
+  @Test
+  public void testEnroll() throws Exception {
+    AtSign atSign = createAtSign("@alice");
+    AtKeys keys = AtKeys.builder()
+        .apkamKeyPair(generateRSAKeyPair())
+        .apkamSymmetricKey(generateAESKeyBase64())
+        .build();
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("lookup:publickey@alice", "data:" + RSA_KEY)
+        .stub("enroll:request\\{.+}", "data:{\"enrollmentId\":\"759acb09\",\"status\":\"pending\"}")
+        .build();
+
+    AtKeys newKeys = Enroll.enroll(connection, atSign, keys, "OTP123", "app", "device", singletonMap("ns", "rw"));
+
+    assertThat(newKeys, is(not(sameInstance(keys))));
+    assertThat(newKeys.getEnrollmentId(), equalTo(createEnrollmentId("759acb09")));
+    assertThat(newKeys.getEncryptPublicKey(), notNullValue());
+  }
+
+
+  @Test
+  public void testComplete() throws Exception {
+    AtSign atSign = createAtSign("@alice");
+    AtKeys keys = AtKeys.builder()
+        .apkamKeyPair(generateRSAKeyPair())
+        .apkamSymmetricKey(generateAESKeyBase64())
+        .enrollmentId(createEnrollmentId("12345"))
+        .build();
+
+    String selfEncryptKeysGetResponse = format("data:{\"value\":\"%s\",\"iv\":\"%s\"}",
+                                               aesEncryptToBase64(AES_KEY, keys.getApkamSymmetricKey(), IV), IV);
+    String privateEncryptKeysGetResponse = format("data:{\"value\":\"%s\",\"iv\":\"%s\"}",
+                                                  aesEncryptToBase64(RSA_KEY, keys.getApkamSymmetricKey(), IV), IV);
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("from:@alice", "data:challenge")
+        .stub("pkam:[^{].+", "data:success")
+        .stub("keys:get:keyName:12345.default_self_enc_key.__manage@alice", selfEncryptKeysGetResponse)
+        .stub("keys:get:keyName:12345.default_enc_private_key.__manage@alice", privateEncryptKeysGetResponse)
+        .build();
+
+    AtKeys newKeys = Enroll.complete(connection, atSign, keys);
+
+    assertThat(newKeys, is(not(sameInstance(keys))));
+    assertThat(newKeys.getEncryptPrivateKey(), notNullValue());
+    assertThat(newKeys.getSelfEncryptKey(), notNullValue());
+  }
+
+  @Test
+  public void testApprove() throws Exception {
+    AtKeys keys = AtKeys.builder()
+        .encryptKeyPair(generateRSAKeyPair())
+        .selfEncryptKey(generateAESKeyBase64())
+        .build();
+
+    String fetchResponse = format("data:{\"appName\":\"app1\",\"deviceName\":\"device1\"," +
+        "\"namespace\":{\"ns\":\"rw\"},\"encryptedAPKAMSymmetricKey\":\"%s\",\"status\":\"pending\"}",
+                                  rsaEncryptToBase64(AES_KEY, keys.getEncryptPublicKey()));
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("enroll:fetch\\{\"enrollmentId\":\"12345\"}", fetchResponse)
+        .stub("enroll:approve\\{\"enrollmentId\":\"12345\".+",
+              "data:{\"status\":\"approved\",\"enrollmentId\":\"12345\"}")
+        .build();
+
+    Enroll.approve(connection, keys, createEnrollmentId("12345"));
+  }
+
+  @Test
+  public void testDeny() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("enroll:deny\\{\"enrollmentId\":\"12345\".+",
+              "data:{\"status\":\"denied\",\"enrollmentId\":\"12345\"}")
+        .build();
+
+    Enroll.deny(connection, createEnrollmentId("12345"));
+  }
+
+  @Test
+  public void testRevoke() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("enroll:revoke\\{\"enrollmentId\":\"12345\".+",
+              "data:{\"status\":\"revoked\",\"enrollmentId\":\"12345\"}")
+        .build();
+
+    Enroll.revoke(connection, createEnrollmentId("12345"));
+  }
+
+  @Test
+  public void testUnrevoke() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("enroll:unrevoke\\{\"enrollmentId\":\"12345\".+",
+              "data:{\"status\":\"approved\",\"enrollmentId\":\"12345\"}")
+        .build();
+
+    Enroll.unrevoke(connection, createEnrollmentId("12345"));
+  }
+
+  @Test
+  public void testDelete() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("enroll:delete\\{\"enrollmentId\":\"12345\".+",
+              "data:{\"status\":\"deleted\",\"enrollmentId\":\"12345\"}")
+        .build();
+
+    Enroll.delete(connection, createEnrollmentId("12345"));
+  }
+
+  @Test
+  public void testList() throws Exception {
+    String response = "data:{" +
+        "  \"bc8bfdf3-eadd-4373-b0cc-a9c8a52c96c5.new.enrollments.__manage@alice\": {" +
+        "    \"sessionId\": \"_e425ba99-88d7-4382-b40d-aeb61ec77ee6\"," +
+        "    \"appName\": \"app\"," +
+        "    \"deviceName\": \"device\"," +
+        "    \"namespaces\": {" +
+        "      \"fredns\": \"rw\"" +
+        "    }," +
+        "    \"apkamPublicKey\": \"\"," +
+        "    \"requestType\": \"newEnrollment\"," +
+        "    \"approval\": {" +
+        "      \"state\": \"pending\"" +
+        "    }," +
+        "    \"encryptedAPKAMSymmetricKey\": \"\"," +
+        "    \"apkamKeysExpiryInMillis\": 0," +
+        "    \"status\": \"pending\"," +
+        "    \"namespace\": {" +
+        "      \"fredns\": \"rw\"" +
+        "    }}}";
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("enroll:list\\{\"enrollmentStatusFilter\":\\[\"pending\"]}", response)
+        .build();
+
+    List<EnrollmentId> ids = Enroll.list(connection, "pending");
+    assertThat(ids, contains(createEnrollmentId("bc8bfdf3-eadd-4373-b0cc-a9c8a52c96c5")));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java
new file mode 100644
index 00000000..9754ad9c
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java
@@ -0,0 +1,39 @@
+package org.atsign.client.connection.protocol;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.atsign.common.AtException;
+import org.atsign.common.exceptions.AtUnauthenticatedException;
+import org.junit.jupiter.api.Test;
+
+class ErrorTest {
+
+  @Test
+  public void testError() {
+    assertThat(Error.matchError("error:fail"), is("fail"));
+    assertThat(Error.matchError("error:some reason"), is("some reason"));
+    assertThat(Error.matchError("error:AT0401:an error message"), is("AT0401:an error message"));
+  }
+
+  @Test
+  public void testThrowExceptionIfErrorDoesNothingIfNoError() throws AtException {
+    Error.throwExceptionIfError("data:success");
+    Error.throwExceptionIfError("");
+  }
+
+  @Test
+  public void testThrowExceptionIfErrorThrowsTypedException() {
+    Exception ex = assertThrows(Exception.class, () -> Error.throwExceptionIfError("error:AT0401:an error message"));
+    assertThat(ex, instanceOf(AtUnauthenticatedException.class));
+    assertThat(ex.getMessage(), containsString("an error message"));
+  }
+
+  @Test
+  public void testThrowExceptionIfErrorThrowsExceptionIfNull() {
+    Exception ex = assertThrows(Exception.class, () -> Error.throwExceptionIfError(null));
+    assertThat(ex, instanceOf(IllegalArgumentException.class));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java
new file mode 100644
index 00000000..e87e6c49
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java
@@ -0,0 +1,94 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.nullValue;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.verify;
+
+import java.util.List;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.junit.jupiter.api.Test;
+
+class KeysTest {
+
+  @Test
+  void testDeleteKeyRawKey() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("delete:selfkey1@alice", "data:1")
+        .build();
+
+    Keys.deleteKey(connection, "selfkey1@alice");
+  }
+
+  @Test
+  void testDeleteKeyRawKeyThrowsExceptionIfResponseIsError() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("delete:selfkey1@alice", "error:AT0001:an error message")
+        .build();
+
+    assertThrows(Exception.class, () -> Keys.deleteKey(connection, "selfkey1@alice"));
+  }
+
+  @Test
+  void testDeleteKey() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("delete:keyname@colin", "data:1")
+        .build();
+
+    org.atsign.common.Keys.SelfKey key = org.atsign.common.Keys.selfKeyBuilder()
+        .name("keyname")
+        .sharedBy(createAtSign("colin"))
+        .build();
+    Keys.deleteKey(connection, key);
+
+    verify(connection).sendSync("delete:keyname@colin");
+  }
+
+  @Test
+  void getKeysWithMetaDataReturnsExpectedResults() throws Exception {
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("scan:showHidden:true .+", "data:[\"public:publickey@gary\",\"public:signing_publickey@gary\"]")
+        .stub("llookup:meta:public:publickey@gary", "data:{\"ttl\":1000}")
+        .stub("llookup:meta:public:signing_publickey@gary", "data:{\"ttl\":2000}")
+        .build();
+
+    List<org.atsign.common.Keys.AtKey> result = Keys.getKeys(connection, ".+", true);
+
+    assertThat(result.size(), equalTo(2));
+    assertThat(result.get(0).rawKey(), equalTo("public:publickey@gary"));
+    assertThat(result.get(0).name(), equalTo("publickey"));
+    assertThat(result.get(0).sharedBy(), equalTo(createAtSign("gary")));
+    assertThat(result.get(0).metadata().ttl(), equalTo(1000L));
+
+    assertThat(result.get(1).rawKey(), equalTo("public:signing_publickey@gary"));
+    assertThat(result.get(1).name(), equalTo("signing_publickey"));
+    assertThat(result.get(1).sharedBy(), equalTo(createAtSign("gary")));
+    assertThat(result.get(1).metadata().ttl(), equalTo(2000L));
+  }
+
+  @Test
+  void getKeysWithoutMetaDataReturnsExpectedResults() throws Exception {
+
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("scan:showHidden:true .+", "data:[\"public:publickey@gary\",\"public:signing_publickey@gary\"]")
+        .build();
+
+    List<org.atsign.common.Keys.AtKey> result = Keys.getKeys(connection, ".*gary", false);
+
+    assertThat(result.size(), equalTo(2));
+    assertThat(result.get(0).rawKey(), equalTo("public:publickey@gary"));
+    assertThat(result.get(0).name(), equalTo("publickey"));
+    assertThat(result.get(0).sharedBy(), equalTo(createAtSign("gary")));
+    assertThat(result.get(0).metadata().ttl(), nullValue());
+
+    assertThat(result.get(1).rawKey(), equalTo("public:signing_publickey@gary"));
+    assertThat(result.get(1).name(), equalTo("signing_publickey"));
+    assertThat(result.get(1).sharedBy(), equalTo(createAtSign("gary")));
+    assertThat(result.get(1).metadata().ttl(), nullValue());
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java
new file mode 100644
index 00000000..b7446a3d
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java
@@ -0,0 +1,184 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.*;
+
+import java.util.Map;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+import org.atsign.client.api.AtEvents;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.AtSign;
+import org.atsign.common.exceptions.AtOnReadyException;
+import org.atsign.common.exceptions.AtTimeoutException;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mockito;
+import org.mockito.stubbing.Answer;
+
+class NotificationsTest {
+
+  @Test
+  void testMonitorSendExpectedCommands() throws Exception {
+    AtSign atSign = createAtSign("colin");
+    AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).build();
+    AtClientConnection conn = mock(AtClientConnection.class);
+    stubAuthentication(conn, atSign);
+
+    Consumer<String> consumer = mock(Consumer.class);
+    Notifications.monitor(conn, atSign, keys, consumer);
+
+    verify(conn).sendSync(eq("monitor"), eq(consumer));
+  }
+
+  @Test
+  void testMonitorWrapsConsumer() throws Exception {
+    AtSign atSign = createAtSign("colin");
+    AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).build();
+    AtClientConnection conn = mock(AtClientConnection.class);
+    stubAuthentication(conn, atSign);
+    Consumer<String> consumer = mock(Consumer.class);
+    doAnswer((Answer<Void>) invocation -> {
+      throw new AtTimeoutException("deliberate");
+    }).when(conn).sendSync(eq("monitor"), Mockito.any(Consumer.class));
+
+    Exception ex = assertThrows(Exception.class, () -> Notifications.monitor(atSign, keys, consumer).accept(conn));
+    assertThat(ex, instanceOf(AtOnReadyException.class));
+  }
+
+  @Test
+  void testMatchNotification() {
+    Map<String, Object> eventData = Notifications.matchNotification("notification:{\"id\":\"-1\",\"from\":\"@gary\"}");
+    assertThat(eventData.get("id"), equalTo("-1"));
+    assertThat(eventData.get("from"), equalTo("@gary"));
+  }
+
+  @Test
+  void testMatchNotificationThrowsException() {
+    Exception ex = assertThrows(Exception.class, () -> Notifications.matchNotification("data:ok"));
+    assertThat(ex.getMessage(), containsString("expected [notification:\\s*(\\{.+})] but input was : data:ok"));
+  }
+
+  @Test
+  void testEventBusBridgePublishesExpectedEventForStatsNotification() {
+    AtEvents.AtEventBus eventBus = mock(AtEvents.AtEventBus.class);
+    Notifications.EventBusBridge consumer = new Notifications.EventBusBridge(eventBus, createAtSign("colin"));
+
+    consumer.accept("notification: {\"id\":\"-1\",\"from\":\"@gary\",\"to\":\"@gary\"" +
+        ",\"key\":\"statsNotification.@gary\",\"value\":\"229\"" +
+        ",\"operation\":\"update\",\"epochMillis\":100000,\"messageType\":\"MessageType.key\"" +
+        ",\"isEncrypted\":false,\"metadata\":null}");
+
+    ArgumentCaptor<Map<String, Object>> captor = ArgumentCaptor.forClass(Map.class);
+    verify(eventBus).publishEvent(eq(AtEvents.AtEventType.statsNotification), captor.capture());
+    assertThat(captor.getValue().get("id"), equalTo("-1"));
+    assertThat(captor.getValue().get("operation"), equalTo("update"));
+    assertThat(captor.getValue().get("epochMillis"), equalTo(100000));
+  }
+
+  @Test
+  void testEventBusBridgePublishesExpectedEventForSharedKeyNotification() {
+    AtEvents.AtEventBus eventBus = mock(AtEvents.AtEventBus.class);
+    Notifications.EventBusBridge consumer = new Notifications.EventBusBridge(eventBus, createAtSign("gary"));
+
+    consumer.accept("notification: {\"id\":\"0480060d\",\"from\":\"@colin\"" +
+        ",\"to\":\"@gary\",\"key\":\"@gary:shared_key@colin\"" +
+        ",\"value\":\"xxx==\",\"operation\":\"update\",\"epochMillis\":1773077019848" +
+        ",\"messageType\":\"MessageType.key\",\"isEncrypted\":false,\"metadata\":{\"encKeyName\":null" +
+        ",\"encAlgo\":null,\"ivNonce\":null,\"skeEncKeyName\":null,\"skeEncAlgo\":null,\"sharedKeyEnc\":null" +
+        ",\"pubKeyCS\":null,\"dataSignature\":null,\"pubKeyHash\":null}}");
+
+    ArgumentCaptor<Map<String, Object>> captor = ArgumentCaptor.forClass(Map.class);
+    verify(eventBus).publishEvent(eq(AtEvents.AtEventType.sharedKeyNotification), captor.capture());
+    assertThat(captor.getValue().get("id"), equalTo("0480060d"));
+    assertThat(captor.getValue().get("operation"), equalTo("update"));
+    assertThat(captor.getValue().get("epochMillis"), equalTo(1773077019848L));
+  }
+
+  @Test
+  void testEventBusBridgePublishesExpectedEventForUpdateNotification() {
+    AtEvents.AtEventBus eventBus = mock(AtEvents.AtEventBus.class);
+    Notifications.EventBusBridge consumer = new Notifications.EventBusBridge(eventBus, createAtSign("gary"));
+
+    consumer.accept("notification: {\"id\":\"cc72371c\",\"from\":\"@colin\",\"to\":\"@gary\"" +
+        ",\"key\":\"@gary:test@colin\",\"value\":\"C8gg7hDuJ4BVk6hrgu2GCQ==\",\"operation\":\"update\"" +
+        ",\"epochMillis\":1773077220149,\"messageType\":\"MessageType.key\",\"isEncrypted\":true" +
+        ",\"metadata\":{\"encKeyName\":null,\"encAlgo\":null,\"ivNonce\":\"yeZOQZleN6sXeVUuajn12w==\"" +
+        ",\"skeEncKeyName\":null,\"skeEncAlgo\":null,\"sharedKeyEnc\":null,\"pubKeyCS\":null" +
+        ",\"dataSignature\":null,\"pubKeyHash\":null}}");
+
+    ArgumentCaptor<Map<String, Object>> captor = ArgumentCaptor.forClass(Map.class);
+    verify(eventBus).publishEvent(eq(AtEvents.AtEventType.updateNotification), captor.capture());
+    assertThat(captor.getValue().get("id"), equalTo("cc72371c"));
+    assertThat(captor.getValue().get("operation"), equalTo("update"));
+    assertThat(captor.getValue().get("epochMillis"), equalTo(1773077220149L));
+  }
+
+  @Test
+  void testEventBusBridgeCatchesUnexpectedExceptions() {
+    AtEvents.AtEventBus eventBus = mock(AtEvents.AtEventBus.class);
+    Notifications.EventBusBridge consumer = new Notifications.EventBusBridge(eventBus, createAtSign("gary"));
+
+    consumer.accept("xyz");
+
+    verifyNoInteractions(eventBus);
+  }
+
+  @Test
+  void testEventBusBridgePublishesExpectedEventForDeleteNotification() {
+    AtEvents.AtEventBus eventBus = mock(AtEvents.AtEventBus.class);
+    Notifications.EventBusBridge consumer = new Notifications.EventBusBridge(eventBus, createAtSign("gary"));
+
+    consumer.accept("notification: {\"id\":\"41b265d8\",\"from\":\"@colin\",\"to\":\"@gary\"" +
+        ",\"key\":\"@gary:test@colin\",\"value\":null,\"operation\":\"delete\",\"epochMillis\":1773077405537" +
+        ",\"messageType\":\"MessageType.key\",\"isEncrypted\":true,\"metadata\":{\"encKeyName\":null" +
+        ",\"encAlgo\":null,\"ivNonce\":null,\"skeEncKeyName\":null,\"skeEncAlgo\":null,\"sharedKeyEnc\":null" +
+        ",\"pubKeyCS\":null,\"dataSignature\":null,\"pubKeyHash\":null}}");
+
+    ArgumentCaptor<Map<String, Object>> captor = ArgumentCaptor.forClass(Map.class);
+    verify(eventBus).publishEvent(eq(AtEvents.AtEventType.deleteNotification), captor.capture());
+    assertThat(captor.getValue().get("id"), equalTo("41b265d8"));
+    assertThat(captor.getValue().get("operation"), equalTo("delete"));
+    assertThat(captor.getValue().get("epochMillis"), equalTo(1773077405537L));
+  }
+
+  @Test
+  void testEventBusBridgePublishesExpectedEventForUnrecognizedNotification() {
+    AtEvents.AtEventBus eventBus = mock(AtEvents.AtEventBus.class);
+    Notifications.EventBusBridge consumer = new Notifications.EventBusBridge(eventBus, createAtSign("gary"));
+
+    consumer.accept("notification: {\"id\":\"41b265d8\",\"from\":\"@colin\",\"to\":\"@gary\"" +
+        ",\"key\":\"@gary:test@colin\",\"value\":null,\"operation\":\"unrecognized\",\"epochMillis\":1773077405537" +
+        ",\"messageType\":\"MessageType.key\",\"isEncrypted\":true,\"metadata\":{\"encKeyName\":null" +
+        ",\"encAlgo\":null,\"ivNonce\":null,\"skeEncKeyName\":null,\"skeEncAlgo\":null,\"sharedKeyEnc\":null" +
+        ",\"pubKeyCS\":null,\"dataSignature\":null,\"pubKeyHash\":null}}");
+
+    ArgumentCaptor<Map<String, Object>> captor = ArgumentCaptor.forClass(Map.class);
+    verify(eventBus).publishEvent(eq(AtEvents.AtEventType.monitorException), captor.capture());
+    assertThat(captor.getValue().get("key"), equalTo("__monitorException__"));
+    assertThat(captor.getValue().get("exception"), equalTo("unknown notification operation 'unrecognized'"));
+  }
+
+  private static void stubAuthentication(AtClientConnection conn, AtSign atSign)
+      throws ExecutionException, InterruptedException {
+    when(conn.sendSync(anyString())).thenAnswer((Answer<String>) invocation -> {
+      String command = invocation.getArgument(0);
+      if (command.matches("from:" + atSign)) {
+        return "data:challenge";
+      } else if (command.matches("pkam:[^{].+")) {
+        return "data:success";
+      } else {
+        throw new IllegalArgumentException("unexpected command : " + command);
+      }
+    });
+  }
+
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java
new file mode 100644
index 00000000..5f7996da
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java
@@ -0,0 +1,174 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.util.EncryptionUtil;
+import org.atsign.common.Keys;
+import org.atsign.common.exceptions.AtKeyNotFoundException;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.common.options.GetRequestOptions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class PublicKeysTest {
+
+  private Keys.PublicKey key;
+
+  private AtKeys keys;
+
+  @BeforeEach
+  public void setup() throws Exception {
+    keys = AtKeys.builder()
+        .encryptKeyPair(EncryptionUtil.generateRSAKeyPair())
+        .build();
+    key = Keys.publicKeyBuilder()
+        .sharedBy(createAtSign("gary"))
+        .name("test")
+        .build();
+  }
+
+  @Test
+  void testGetSharedByMe() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:public:test@gary", createMockLookupResponse("public:test@gary", "hello world"))
+        .build();
+
+    String actual = PublicKeys.get(connection, createAtSign("gary"), key, null);
+
+    assertThat(actual, equalTo("hello world"));
+  }
+
+  @Test
+  void testGetCachedSharedByMe() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:public:test@gary", createMockLookupResponse("cached:public:test@gary", "hello world"))
+        .build();
+
+    PublicKeys.get(connection, createAtSign("gary"), key, null);
+
+    assertThat(key.metadata().isCached(), is(true));
+  }
+
+  @Test
+  void testGetSharedByMeNoSuchKey() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:public:test@gary", "error:AT0015:deliberate")
+        .build();
+
+    assertThrows(AtKeyNotFoundException.class, () -> PublicKeys.get(connection, createAtSign("gary"), key, null));
+  }
+
+  @Test
+  void testGetSharedByMeExecutionException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:public:test@gary", new ExecutionException("deliberate", null))
+        .build();
+
+    assertThrows(RuntimeException.class, () -> PublicKeys.get(connection, createAtSign("gary"), key, null));
+  }
+
+  @Test
+  void testGetSharedByOther() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("plookup:all:test@gary", createMockLookupResponse("public:test@gary", "hello world"))
+        .build();
+
+    String actual = PublicKeys.get(connection, createAtSign("colin"), key, null);
+
+    assertThat(actual, equalTo("hello world"));
+  }
+
+  @Test
+  void testGetCachedSharedByOther() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("plookup:all:test@gary", createMockLookupResponse("cached:public:test@gary", "hello world"))
+        .build();
+
+    PublicKeys.get(connection, createAtSign("colin"), key, null);
+
+    assertThat(key.metadata().isCached(), is(true));
+  }
+
+  @Test
+  void testGetSharedByOtherBypassCache() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("plookup:bypassCache:true:all:test@gary", createMockLookupResponse("public:test@gary", "hello world"))
+        .build();
+
+    GetRequestOptions options = GetRequestOptions.builder().bypassCache(true).build();
+    String actual = PublicKeys.get(connection, createAtSign("colin"), key, options);
+
+    assertThat(actual, equalTo("hello world"));
+  }
+
+
+
+  @Test
+  void testGetSharedByOtherNoSuchKey() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("plookup:all:test@gary", "error:AT0015:deliberate")
+        .build();
+
+    assertThrows(AtKeyNotFoundException.class, () -> PublicKeys.get(connection, createAtSign("colin"), key, null));
+  }
+
+  @Test
+  void testGetSharedByOtherExecutionException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stubExecutionException("plookup:all:test@gary")
+        .build();
+
+    assertThrows(RuntimeException.class, () -> PublicKeys.get(connection, createAtSign("colin"), key, null));
+  }
+
+  @Test
+  void testPutSendsExpectedCommands() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world", "data:123")
+        .build();
+
+    PublicKeys.put(connection, keys, key, "hello world");
+  }
+
+  @Test
+  void testPutThrowExceptionIfCommandFails() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world", "error:AT0001:deliberate")
+        .build();
+
+    AtKeys keys = AtKeys.builder()
+        .encryptKeyPair(EncryptionUtil.generateRSAKeyPair())
+        .build();
+
+    assertThrows(AtServerRuntimeException.class, () -> PublicKeys.put(connection, keys, key, "hello world"));
+  }
+
+  @Test
+  void testPutExecutionException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stubExecutionException("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world")
+        .build();
+
+    AtKeys keys = AtKeys.builder()
+        .encryptKeyPair(EncryptionUtil.generateRSAKeyPair())
+        .build();
+
+    assertThrows(RuntimeException.class, () -> PublicKeys.put(connection, keys, key, "hello world"));
+  }
+
+  private static String createMockLookupResponse(String key, String value) {
+    return String.format("data:{" +
+        "\"key\": \"%s\"," +
+        "\"data\": \"%s\"," +
+        "\"metaData\": {\"ttl\": 86400000, \"isBinary\": false, \"isEncrypted\": false, \"isPublic\": true}" +
+        "}", key, value);
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java
new file mode 100644
index 00000000..73b5276a
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java
@@ -0,0 +1,96 @@
+package org.atsign.client.connection.protocol;
+
+import static java.util.Collections.emptyList;
+import static java.util.Collections.emptyMap;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import org.junit.jupiter.api.Test;
+
+class ResponsesTest {
+
+  @Test
+  void testDecodeJsonMapOfStringsReturnsExpectedResults() {
+    String json = "{\"key\":\"public:test@gary\",\"data\":\"hello world\"}";
+
+    Map<String, String> expected = new HashMap<>();
+    expected.put("key", "public:test@gary");
+    expected.put("data", "hello world");
+
+    assertThat(Responses.decodeJsonMapOfStrings(json), equalTo(expected));
+    assertThat(Responses.decodeJsonMapOfStrings("{}"), equalTo(emptyMap()));
+    assertThrows(RuntimeException.class, () -> Responses.decodeJsonMapOfStrings("x" + json + "x"));
+  }
+
+  @Test
+  void testDecodeJsonMapOfObjectsReturnsExpectedResults() {
+    String json = "{\"key\":\"public:test@gary\",\"ttl\":1000001,\"ccd\":true}";
+
+    Map<String, Object> expected = new HashMap<>();
+    expected.put("key", "public:test@gary");
+    expected.put("ttl", 1000001);
+    expected.put("ccd", true);
+
+    assertThat(Responses.decodeJsonMapOfObjects(json), equalTo(expected));
+    assertThat(Responses.decodeJsonMapOfObjects("{}"), equalTo(emptyMap()));
+    assertThrows(RuntimeException.class, () -> Responses.decodeJsonMapOfObjects("x" + json + "x"));
+  }
+
+  @Test
+  void testDecodeJsonListReturnsExpectedResults() {
+    String json = "[\"public:test@gary\",\"public:test2@gary\"]";
+
+    List<Object> expected = new ArrayList<>();
+    expected.add("public:test@gary");
+    expected.add("public:test2@gary");
+
+    assertThat(Responses.decodeJsonList(json), equalTo(expected));
+    assertThat(Responses.decodeJsonList("[]"), equalTo(emptyList()));
+    assertThrows(RuntimeException.class, () -> Responses.decodeJsonList("x" + json + "x"));
+  }
+
+  @Test
+  void decodeJsonListOfStringsReturnsExpectedResults() {
+    String json = "[\"public:test@gary\",\"public:test2@gary\"]";
+
+    List<String> expected = new ArrayList<>();
+    expected.add("public:test@gary");
+    expected.add("public:test2@gary");
+
+    assertThat(Responses.decodeJsonListOfStrings(json), equalTo(expected));
+    assertThat(Responses.decodeJsonListOfStrings("[]"), equalTo(emptyList()));
+    assertThrows(RuntimeException.class, () -> Responses.decodeJsonListOfStrings("x" + json + "x"));
+  }
+
+  @Test
+  void testMatchReturnsExpectedResults() {
+    assertThat(Responses.match("abc", Pattern.compile("abc")), equalTo("abc"));
+    assertThat(Responses.match("abc", Pattern.compile("a(bc)")), equalTo("bc"));
+    assertThat(Responses.match("abc", Pattern.compile("(a)b(c)")), equalTo("ac"));
+    RuntimeException ex = assertThrows(RuntimeException.class, () -> Responses.match("xyz", Pattern.compile("abc")));
+    assertThat(ex.getMessage(), containsString("expected [abc] but input was : xyz"));
+  }
+
+  @Test
+  void testMatchWithTransformReturnsExpectedResults() {
+    assertThat(Responses.match("abc", Pattern.compile("abc"), String::toUpperCase), equalTo("ABC"));
+    assertThat(Responses.match("abc", Pattern.compile("a(bc)"), String::toUpperCase), equalTo("BC"));
+    assertThat(Responses.match("abc", Pattern.compile("(a)b(c)"), String::toUpperCase), equalTo("AC"));
+    RuntimeException ex =
+        assertThrows(RuntimeException.class, () -> Responses.match("xyz", Pattern.compile("abc"), String::toUpperCase));
+    assertThat(ex.getMessage(), containsString("expected [abc] but input was : xyz"));
+    ex = assertThrows(RuntimeException.class,
+                      () -> Responses.match("abc", Pattern.compile("abc"), s -> {
+                        throw new RuntimeException("deliberate");
+                      }));
+    assertThat(ex.getMessage(), containsString("deliberate"));
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java
new file mode 100644
index 00000000..0ebbe93e
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java
@@ -0,0 +1,54 @@
+package org.atsign.client.connection.protocol;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.List;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.junit.jupiter.api.Test;
+
+class ScanTest {
+
+  @Test
+  void testScanReturnsExpectedResults() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("scan:showHidden:true .*", "data:[]")
+        .build();
+
+    assertThat(Scan.scan(connection, true, ".*"), equalTo(List.of()));
+
+    connection = TestConnectionBuilder.builder()
+        .stub("scan:showHidden:true .+", "data:[\"public:publickey@gary\",\"public:signing_publickey@gary\"]")
+        .build();
+
+    assertThat(Scan.scan(connection, true, ".+"),
+               equalTo(List.of("public:publickey@gary", "public:signing_publickey@gary")));
+
+    connection = TestConnectionBuilder.builder()
+        .stub("scan .*", "data:[\"public:publickey@gary\"]")
+        .build();
+    assertThat(Scan.scan(connection, false, ".*"),
+               equalTo(List.of("public:publickey@gary")));
+  }
+
+  @Test
+  void testScanThrowsServerException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("scan:showHidden:true .*", "error:AT0001:deliberate")
+        .build();
+    assertThrows(AtServerRuntimeException.class, () -> Scan.scan(connection, true, ".*"));
+  }
+
+
+  @Test
+  void testScanThrowsExecutionException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stubExecutionException("scan:showHidden:true .*")
+        .build();
+    assertThrows(RuntimeException.class, () -> Scan.scan(connection, true, ".*"));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java
new file mode 100644
index 00000000..484fdc0d
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java
@@ -0,0 +1,105 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.util.EncryptionUtil.*;
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.Mockito.verify;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.Keys;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class SelfKeysTest {
+
+  private Keys.SelfKey key;
+
+  private AtKeys keys;
+
+  @BeforeEach
+  public void setup() throws Exception {
+    keys = AtKeys.builder()
+        .selfEncryptKey(generateAESKeyBase64())
+        .encryptKeyPair(generateRSAKeyPair())
+        .build();
+    key = Keys.selfKeyBuilder()
+        .sharedBy(createAtSign("gary"))
+        .name("test")
+        .build();
+  }
+
+  @Test
+  void testGet() throws Exception {
+
+    String iv = generateRandomIvBase64(16);
+    String encrypted = aesEncryptToBase64("hello me", keys.getSelfEncryptKey(), iv);
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:test@gary", createMockLookupResponse("test@gary", encrypted, iv))
+        .build();
+
+    String actual = SelfKeys.get(connection, keys, key);
+
+    assertThat(actual, equalTo("hello me"));
+  }
+
+  @Test
+  void testGetException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:test@gary", "error:AT0001:deliberate")
+        .build();
+
+    assertThrows(AtServerRuntimeException.class, () -> SelfKeys.get(connection, keys, key));
+  }
+
+  @Test
+  void testGetExecutionException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stubExecutionException("llookup:all:test@gary")
+        .build();
+
+    assertThrows(RuntimeException.class, () -> SelfKeys.get(connection, keys, key));
+  }
+
+  @Test
+  void testPut() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+", "data:123")
+        .build();
+
+    SelfKeys.put(connection, keys, key, "hello world");
+    verify(connection).sendSync(argThat(s -> !s.contains("hello world")));
+  }
+
+  @Test
+  void testPutAtException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+", "error:AT0001:deliberate")
+        .build();
+
+    assertThrows(AtServerRuntimeException.class, () -> SelfKeys.put(connection, keys, key, "hello world"));
+  }
+
+  @Test
+  void testPutExecutionException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stubExecutionException("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+")
+        .build();
+
+    assertThrows(RuntimeException.class, () -> SelfKeys.put(connection, keys, key, "hello world"));
+  }
+
+  private static String createMockLookupResponse(String key, String encrypted, String iv) {
+
+    return String.format("data:{" +
+        "\"key\": \"%s\"," +
+        "\"data\": \"%s\"," +
+        "\"metaData\": {\"ttl\": 86400000, \"ivNonce\": \"%s\", \"isEncrypted\": true, \"isPublic\": false}" +
+        "}", key, encrypted, iv);
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java
new file mode 100644
index 00000000..e9e0e587
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java
@@ -0,0 +1,157 @@
+package org.atsign.client.connection.protocol;
+
+import static org.atsign.client.util.EncryptionUtil.*;
+import static org.atsign.common.AtSign.createAtSign;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.Mockito.verify;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.common.Keys;
+import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class SharedKeysTest {
+
+  private Keys.SharedKey key;
+
+  private AtKeys keys;
+
+  @BeforeEach
+  public void setup() throws Exception {
+    keys = AtKeys.builder()
+        .encryptKeyPair(generateRSAKeyPair())
+        .selfEncryptKey(generateAESKeyBase64())
+        .build();
+    key = Keys.sharedKeyBuilder()
+        .sharedBy(createAtSign("gary"))
+        .sharedWith(createAtSign("colin"))
+        .name("test")
+        .build();
+  }
+
+  @Test
+  void testGetSharedByMe() throws Exception {
+    String encryptKey = generateAESKeyBase64();
+    String iv = generateRandomIvBase64(16);
+    String encrypted = aesEncryptToBase64("hello colin", encryptKey, iv);
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
+        .stub("llookup:all:@colin:test@gary", createMockLookupResponse("@colin:test@gary", encrypted, iv))
+        .build();
+
+    String actual = SharedKeys.get(connection, createAtSign("gary"), keys, key);
+
+    assertThat(actual, equalTo("hello colin"));
+  }
+
+  @Test
+  void testGetNotSharedByMeOrWithMeThrowsException() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .build();
+
+    RuntimeException ex =
+        assertThrows(RuntimeException.class, () -> SharedKeys.get(connection, createAtSign("alice"), keys, key));
+    assertThat(ex.getMessage(), containsString("the client atsign is neither the sharedBy or sharedWith"));
+  }
+
+  @Test
+  void testGetSharedByMeCachedKey() throws Exception {
+    String encryptKey = generateAESKeyBase64();
+    String iv = generateRandomIvBase64(16);
+    String encrypted = aesEncryptToBase64("hello colin", encryptKey, iv);
+    keys.put("shared_key.colin", encryptKey);
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:all:@colin:test@gary", createMockLookupResponse("@colin:test@gary", encrypted, iv))
+        .build();
+
+    String actual = SharedKeys.get(connection, createAtSign("gary"), keys, key);
+
+    assertThat(actual, equalTo("hello colin"));
+  }
+
+  @Test
+  void testGetSharedByMeServerException() throws Exception {
+    String encryptKey = generateAESKeyBase64();
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
+        .stub("llookup:all:@colin:test@gary", "error:AT0001:deliberate")
+        .build();
+
+    assertThrows(AtServerRuntimeException.class, () -> SharedKeys.get(connection, createAtSign("gary"), keys, key));
+  }
+
+  @Test
+  void testGetSharedByMeExecutionException() throws Exception {
+    String encryptKey = generateAESKeyBase64();
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
+        .stubExecutionException("llookup:all:@colin:test@gary")
+        .build();
+
+    assertThrows(RuntimeException.class, () -> SharedKeys.get(connection, createAtSign("gary"), keys, key));
+  }
+
+  @Test
+  void getGetSharedByOther() throws Exception {
+    String encryptKey = generateAESKeyBase64();
+    String iv = generateRandomIvBase64(16);
+    String encrypted = aesEncryptToBase64("hello colin", encryptKey, iv);
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("lookup:all:test@gary", createMockLookupResponse("@colin:test@gary", encrypted, iv))
+        .stub("lookup:shared_key@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
+        .build();
+
+    String actual = SharedKeys.get(connection, createAtSign("colin"), keys, key);
+
+    assertThat(actual, equalTo("hello colin"));
+  }
+
+  @Test
+  void testPutWhenSharedKeyAlreadyExists() throws Exception {
+    String encryptKey = generateAESKeyBase64();
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
+        .stub("update:isEncrypted:true:ivNonce:.+:@colin:test@gary .+", "data:123")
+        .build();
+
+    SharedKeys.put(connection, createAtSign("gary"), keys, key, "hello colin");
+    verify(connection).sendSync(argThat(s -> s.contains("update:") && !s.contains("hello colin")));
+  }
+
+  @Test
+  void testPutWhenSharedKeDoesNotAlreadyExists() throws Exception {
+    AtClientConnection connection = TestConnectionBuilder.builder()
+        .stub("llookup:shared_key.colin@gary", "error:AT0015:deliberate")
+        .stub("plookup:publickey@colin", "data:" + keys.getEncryptPublicKey())
+        .stub("update:shared_key.colin@gary .+", "data:1")
+        .stub("update:ttr:86400000:@colin:shared_key@gary .+", "data:2")
+        .stub("update:isEncrypted:true:ivNonce:.+:@colin:test@gary .+", "data:3")
+        .build();
+
+    SharedKeys.put(connection, createAtSign("gary"), keys, key, "hello colin");
+  }
+
+  private static String createMockLookupResponse(String key, String value) {
+    return String.format("data:{" +
+        "\"key\": \"%s\"," +
+        "\"data\": \"%s\"," +
+        "\"metaData\": {\"ttl\": 86400000, \"isEncrypted\": false, \"isPublic\": true}" +
+        "}", key, value);
+  }
+
+
+  private static String createMockLookupResponse(String key, String encrypted, String iv) {
+    return String.format("data:{" +
+        "\"key\": \"%s\"," +
+        "\"data\": \"%s\"," +
+        "\"metaData\": {\"ttl\": 86400000, \"ivNonce\": \"%s\", \"isEncrypted\": true, \"isPublic\": false}" +
+        "}", key, encrypted, iv);
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java b/at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java
new file mode 100644
index 00000000..0487d380
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java
@@ -0,0 +1,76 @@
+package org.atsign.client.connection.protocol;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Function;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.atsign.client.connection.api.AtClientConnection;
+import org.mockito.Mockito;
+import org.mockito.stubbing.Answer;
+
+public class TestConnectionBuilder {
+
+  private Map<Pattern, Object> mapping = new LinkedHashMap<>();
+
+  public static TestConnectionBuilder builder() {
+    return new TestConnectionBuilder();
+  }
+
+  public TestConnectionBuilder stub(String command, String response) {
+    return stub(Pattern.compile(command), response);
+  }
+
+  public TestConnectionBuilder stub(Pattern command, String response) {
+    mapping.put(command, response);
+    return this;
+  }
+
+  public TestConnectionBuilder stub(String command, Function<Matcher, String> fn) {
+    return stub(Pattern.compile(command), fn);
+  }
+
+  public TestConnectionBuilder stub(Pattern command, Function<Matcher, String> fn) {
+    mapping.put(command, fn);
+    return this;
+  }
+
+  public TestConnectionBuilder stub(String command, Exception ex) {
+    return stub(Pattern.compile(command), ex);
+  }
+
+  public TestConnectionBuilder stubExecutionException(String command) {
+    return stub(Pattern.compile(command), new ExecutionException("deliberate", null));
+  }
+
+  public TestConnectionBuilder stub(Pattern command, Exception ex) {
+    mapping.put(command, ex);
+    return this;
+  }
+
+  public AtClientConnection build() throws ExecutionException, InterruptedException {
+    AtClientConnection connection = Mockito.mock(AtClientConnection.class);
+    when(connection.sendSync(anyString())).thenAnswer((Answer<String>) invocation -> {
+      String command = invocation.getArgument(0);
+      for (Map.Entry<Pattern, Object> entry : mapping.entrySet()) {
+        Matcher matcher = entry.getKey().matcher(command);
+        if (matcher.matches()) {
+          if (entry.getValue() instanceof Throwable) {
+            throw (Throwable) entry.getValue();
+          } else if (entry.getValue() instanceof Function) {
+            return ((Function<Matcher, String>) entry.getValue()).apply(matcher);
+          } else {
+            return (String) entry.getValue();
+          }
+        }
+      }
+      throw new IllegalArgumentException("no stub for " + command);
+    });
+    return connection;
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java
index fe3bf896..57693193 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java
@@ -1,5 +1,7 @@
 package org.atsign.cucumber.steps;
 
+import static org.atsign.client.connection.protocol.Authentication.authenticateWithPkam;
+import static org.atsign.client.connection.protocol.Data.matchDataJsonListOfStrings;
 import static org.atsign.cucumber.helpers.Helpers.getFirstValue;
 import static org.atsign.cucumber.helpers.Helpers.toCanonicalMaps;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -11,8 +13,10 @@
 import java.util.Map;
 import java.util.Stack;
 
-import org.atsign.client.api.impl.connections.AtSecondaryConnection;
 import org.atsign.client.cli.Activate;
+import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.connection.protocol.Enroll;
+import org.atsign.client.connection.protocol.Keys;
 import org.atsign.client.util.EnrollmentId;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtSign;
@@ -227,22 +231,22 @@ public ActivateTeardown(AtSign atSign, File keysFile, String cramSecret, Enrollm
 
     public void run() {
 
-      try (AtSecondaryConnection connection = createAtSecondaryConnection(atSign, rootUrl, 0)) {
+      try (AtClientConnection connection = createConnection(rootUrl, atSign, 0)) {
 
-        authenticateWithApkam(connection, atSign, KeysUtil.loadKeys(keysFile));
+        authenticateWithPkam(connection, atSign, KeysUtil.loadKeys(keysFile));
 
         // delete keys that have been created
-        matchDataJsonListOfStrings(connection.executeCommand("scan")).stream()
+        matchDataJsonListOfStrings(connection.sendSync("scan")).stream()
             .filter(k -> !isProtectedKey(atSign, k))
-            .forEach(k -> deleteKeyNoThrow(connection, k));
+            .forEach(k -> deleteKeyNoThrow(connection, atSign, k));
 
         // remove enrollments
-        list(connection, "pending").forEach(id -> denyDeleteNoThrow(connection, id));
-        list(connection, "denied").forEach(id -> deleteNoThrow(connection, id));
-        list(connection, "approved").stream()
+        Enroll.list(connection, "pending").forEach(id -> denyDeleteNoThrow(connection, atSign, id));
+        Enroll.list(connection, "denied").forEach(id -> deleteNoThrow(connection, atSign, id));
+        Enroll.list(connection, "approved").stream()
             .filter(id -> !id.equals(onboardEnrollmentId))
-            .forEach(id -> revokeDeleteNoThrow(connection, id));
-        revokeDeleteNoThrow(connection, onboardEnrollmentId);
+            .forEach(id -> revokeDeleteNoThrow(connection, atSign, id));
+        revokeDeleteNoThrow(connection, atSign, onboardEnrollmentId);
       } catch (Exception e) {
         log.error("teardown for {} failed : {}", atSign, e.getMessage());
       }
@@ -255,47 +259,47 @@ private boolean isProtectedKey(AtSign atSign, String key) {
           || key.contains(("__manage@"));
     }
 
-    protected void deleteKeyNoThrow(AtSecondaryConnection connection, String key) {
+    protected void deleteKeyNoThrow(AtClientConnection connection, AtSign atSign, String key) {
       try {
-        log.debug("teardown for {} deleting key {}", connection.getAtSign(), key);
-        deleteKey(connection, key);
+        log.debug("teardown for {} deleting key {}", atSign, key);
+        Keys.deleteKey(connection, key);
       } catch (Exception e) {
         log.error("teardown for {} failed to delete key {} in onboarded server : {}",
-                  connection.getAtSign(), key, e.getMessage());
+                  atSign, key, e.getMessage());
       }
     }
 
-    private void deleteNoThrow(AtSecondaryConnection connection, EnrollmentId id) {
+    private void deleteNoThrow(AtClientConnection connection, AtSign atSign, EnrollmentId id) {
       try {
         log.debug("teardown for {} deleting enroll request {}", id);
         delete(connection, id);
       } catch (Exception e) {
         log.error("teardown for {} failed to enroll delete {} in onboarded server : {}",
-                  connection.getAtSign(), id, e.getMessage());
+                  atSign, id, e.getMessage());
       }
     }
 
-    private void denyDeleteNoThrow(AtSecondaryConnection connection, EnrollmentId id) {
+    private void denyDeleteNoThrow(AtClientConnection connection, AtSign atsign, EnrollmentId id) {
       try {
-        log.debug("teardown for {} denying enroll request {}", connection.getAtSign(), id);
-        deny(connection, id);
-        log.debug("teardown for {} deleting enroll request {}", connection.getAtSign(), id);
-        delete(connection, id);
+        log.debug("teardown for {} denying enroll request {}", atsign, id);
+        Enroll.deny(connection, id);
+        log.debug("teardown for {} deleting enroll request {}", atsign, id);
+        Enroll.delete(connection, id);
       } catch (Exception e) {
         log.error("teardown for {} failed to enroll deny and delete {} in onboarded server : {}",
-                  connection.getAtSign(), id, e.getMessage());
+                  atsign, id, e.getMessage());
       }
     }
 
-    private void revokeDeleteNoThrow(AtSecondaryConnection connection, EnrollmentId id) {
+    private void revokeDeleteNoThrow(AtClientConnection connection, AtSign atSign, EnrollmentId id) {
       try {
-        log.debug("teardown for {} revoking enroll request {}", connection.getAtSign(), id);
-        revoke(connection, id);
-        log.debug("teardown for {} deleting enroll request {}", connection.getAtSign(), id);
-        delete(connection, id);
+        log.debug("teardown for {} revoking enroll request {}", atSign, id);
+        Enroll.revoke(connection, id);
+        log.debug("teardown for {} deleting enroll request {}", atSign, id);
+        Enroll.delete(connection, id);
       } catch (Exception e) {
         log.error("teardown for {} failed to enroll revoke and delete {} in onboarded server : {}",
-                  connection.getAtSign(), id, e.getMessage());
+                  atSign, id, e.getMessage());
       }
     }
   }
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java b/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
index 3205e374..59cdcfe6 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
@@ -1,7 +1,7 @@
 package org.atsign.cucumber.steps;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.atsign.client.cli.AbstractCli.decodeJsonListOfStrings;
+import static org.atsign.client.connection.protocol.Responses.decodeJsonListOfStrings;
 import static org.atsign.client.util.Preconditions.checkNotNull;
 import static org.atsign.cucumber.helpers.Helpers.isHostPortReachable;
 import static org.awaitility.Awaitility.await;
@@ -21,6 +21,7 @@
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.client.util.EnrollmentId;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtException;
@@ -249,10 +250,15 @@ private void stopAtClientMonitor(AtClient atClient) {
 
   @Then("exception was {exception}")
   public void assertExpectedExceptionClass(Class<AtException> expectedClass) throws AtException {
-    if (expectedException.getCause() != null) {
-      assertThat(expectedException.getCause().getClass(), typeCompatibleWith(expectedClass));
-    } else {
-      assertThat(expectedException.getClass(), typeCompatibleWith(expectedClass));
+    try {
+      if (expectedException.getCause() != null) {
+        assertThat(expectedException.getCause().getClass(), typeCompatibleWith(expectedClass));
+      } else {
+        assertThat(expectedException.getClass(), typeCompatibleWith(expectedClass));
+      }
+    } catch (Throwable e) {
+      expectedException.printStackTrace();
+      throw e;
     }
   }
 
@@ -324,7 +330,12 @@ private AtClient createAtClient(AtSign atSign, AtKeys keys, boolean withMonitor)
     if (rootHostAndPort == null) {
       throw new IllegalArgumentException("root host and port not set");
     }
-    AtClient atClient = AtClient.withRemoteSecondary(rootHostAndPort, atSign, keys, isVerbose());
+    AtClient atClient = AtClients.builder()
+        .url(rootHostAndPort)
+        .atSign(atSign)
+        .keys(keys)
+        .isVerbose(isVerbose())
+        .build();
     AtClientEventListener listener = new AtClientEventListener(qualifiedAtSign);
     atClient.addEventListener(listener, ALL_EVENT_TYPES);
     clients.put(qualifiedAtSign, atClient);
@@ -472,7 +483,7 @@ private void deleteKeyNoThrow(AtClient client, String key) {
 
   private List<String> scanNoThrow(AtClient client) {
     try {
-      String json = client.getSecondary().executeCommand("scan:showHidden:true .*", true).getRawDataResponse();
+      String json = client.executeCommand("scan:showHidden:true .*", true).getRawDataResponse();
       return decodeJsonListOfStrings(json);
     } catch (Exception e) {
       log.error("failed to scan : {}", e.getMessage());
diff --git a/at_client/src/test/resources/features/Activate.feature b/at_client/src/test/resources/features/Activate.feature
index 63dd1de0..87650264 100644
--- a/at_client/src/test/resources/features/Activate.feature
+++ b/at_client/src/test/resources/features/Activate.feature
@@ -44,7 +44,7 @@ Feature: AtClient API tests for onboarding and enrolling atsign
       | Namespace | Access Control |
       | ns        | rw             |
     Then AtClient with keys @srie-app1-device1.atKeys fails for @srie
-    And exception message matches "PKAM command failed: error:AT0026:enrollment_id: .+ is pending"
+    And exception message matches "AT0026:enrollment_id: .+ is pending"
 
   Scenario: After enrolling an app and device and approving an AtClient can be created and used to get and put keys
     When @srie Activate.onboard with SrieKeys._cramKey from at_demo_apkam_keys.dart in at_demo_data package
@@ -76,7 +76,7 @@ Feature: AtClient API tests for onboarding and enrolling atsign
       | ns        | rw             |
     When @srie Activate.deny for last enrollment
     Then AtClient with keys @srie-app1-device1.atKeys fails for @srie
-    And exception message matches "PKAM command failed: error:AT0025:enrollment_id: .+ is denied"
+    And exception message matches "AT0025:enrollment_id: .+ is denied"
 
   Scenario: After enrolling an app and device and approving but then revoking an AtClient cannot be created
     And @srie Activate.onboard with SrieKeys._cramKey from at_demo_apkam_keys.dart in at_demo_data package
diff --git a/at_client/src/test/resources/features/Monitor.feature b/at_client/src/test/resources/features/Monitor.feature
index c81341cc..b3c5cb0b 100644
--- a/at_client/src/test/resources/features/Monitor.feature
+++ b/at_client/src/test/resources/features/Monitor.feature
@@ -25,9 +25,11 @@ Feature: AtClient API Monitor tests
 
   Scenario: SharedKey put triggers expected notifications for shared with atsign
     When @colin AtClient.put for SharedKey test shared with @gary and value "hello world"
+    And @colin AtClient.delete for SharedKey test shared with @gary
     Then @gary AtClient monitor receives the following
       | Event Type                  | messageType     | from   | to    | operation | key                    | decryptedValue |
       | sharedKeyNotification       | MessageType.key | @colin | @gary | update    | @gary:shared_key@colin |                |
       | updateNotification          | MessageType.key | @colin | @gary | update    | @gary:test@colin       |                |
       | decryptedUpdateNotification | MessageType.key | @colin | @gary | update    | @gary:test@colin       | hello world    |
+      | deleteNotification          | MessageType.key | @colin | @gary | delete    | @gary:test@colin       |                |
 
diff --git a/at_client/src/test/resources/simpleLogger.properties b/at_client/src/test/resources/simpleLogger.properties
index 1d52cd54..21d6eb02 100644
--- a/at_client/src/test/resources/simpleLogger.properties
+++ b/at_client/src/test/resources/simpleLogger.properties
@@ -1,3 +1,5 @@
 org.slf4j.simpleLogger.defaultLogLevel=info
 org.slf4j.simpleLogger.showDateTime=true
-org.slf4j.simpleLogger.dateTimeFormat=HH:mm:ss
+org.slf4j.simpleLogger.dateTimeFormat=HH:mm:ss.SSS
+
+#org.slf4j.simpleLogger.log.org.atsign.client.connection.netty=debug
diff --git a/at_shell/src/main/java/org/atsign/client/cli/REPL.java b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
index 38931828..71196c40 100644
--- a/at_shell/src/main/java/org/atsign/client/cli/REPL.java
+++ b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
@@ -20,7 +20,7 @@
 import org.atsign.common.Keys.SelfKey;
 import org.atsign.common.Keys.SharedKey;
 import org.atsign.common.exceptions.AtIllegalArgumentException;
-import org.atsign.common.exceptions.AtInvalidSyntaxException;
+import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
 import org.fusesource.jansi.Ansi;
 import org.fusesource.jansi.AnsiConsole;
 
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
index 21ad8494..9927ea16 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
@@ -31,7 +31,7 @@ public static void main(String[] args) {
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name(KEY_NAME).build();
 
       // 5. get the value associated with the key
-      String response = atClient.get(pk, (GetRequestOptions) new GetRequestOptions().bypassCache(true).build()).get();
+      String response = atClient.get(pk, GetRequestOptions.builder().bypassCache(true).build()).get();
       System.out.println(response);
 
     } catch (AtException | IOException | InterruptedException | ExecutionException e) {
diff --git a/pom.xml b/pom.xml
index 9d3f6311..869514a7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,6 +48,7 @@
     <!-- dependency versions -->
     <version.jackson>2.16.1</version.jackson>
     <version.bouncycastle>1.78.1</version.bouncycastle>
+    <version.netty>4.1.109.Final</version.netty>
     <version.picocli>4.7.6</version.picocli>
     <version.slf4j>2.0.13</version.slf4j>
     <version.lombok>1.18.30</version.lombok>
@@ -85,6 +86,17 @@
         <artifactId>bcprov-jdk15to18</artifactId>
         <version>${version.bouncycastle}</version>
       </dependency>
+      <dependency>
+        <groupId>org.bouncycastle</groupId>
+        <artifactId>bcpkix-jdk18on</artifactId>
+        <version>${version.bouncycastle}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-all</artifactId>
+        <version>${version.netty}</version>
+      </dependency>
 
       <dependency>
         <groupId>info.picocli</groupId>
@@ -331,6 +343,27 @@
           </executions>
         </plugin>
 
+        <plugin>
+          <groupId>org.jacoco</groupId>
+          <artifactId>jacoco-maven-plugin</artifactId>
+          <version>0.8.11</version>
+          <executions>
+            <execution>
+              <id>prepare-agent</id>
+              <goals>
+                <goal>prepare-agent</goal>
+              </goals>
+            </execution>
+            <execution>
+              <id>report</id>
+              <phase>verify</phase>
+              <goals>
+                <goal>report</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
+
         <plugin>
           <groupId>org.codehaus.mojo</groupId>
           <artifactId>exec-maven-plugin</artifactId>

From 9b8d87f68bd32668a5a704bfe0a5944d7d216948 Mon Sep 17 00:00:00 2001
From: akafredperry <fred@atsign.com>
Date: Tue, 10 Mar 2026 15:41:55 +0000
Subject: [PATCH 2/5] feature: removed redundant code

---
 .../java/org/atsign/client/api/AtClient.java  | 198 +----
 .../org/atsign/client/api/AtConnection.java   |  44 -
 .../client/api/AtConnectionFactory.java       |  32 -
 .../java/org/atsign/client/api/Secondary.java | 154 ----
 .../client/api/impl/clients/AtClientImpl.java | 796 ------------------
 .../api/impl/clients/DefaultAtClientImpl.java | 171 ++--
 .../impl/connections/AtConnectionBase.java    | 193 -----
 .../impl/connections/AtMonitorConnection.java | 258 ------
 .../impl/connections/AtRootConnection.java    |  80 --
 .../connections/AtSecondaryConnection.java    |  66 --
 .../DefaultAtConnectionFactory.java           |  49 --
 .../api/impl/secondaries/RemoteSecondary.java | 197 -----
 .../java/org/atsign/client/cli/Delete.java    |  13 +-
 .../main/java/org/atsign/client/cli/Get.java  |   9 +-
 .../main/java/org/atsign/client/cli/Scan.java |   7 +-
 .../java/org/atsign/client/cli/Share.java     |  13 +-
 .../client/connection/protocol/Enroll.java    |  16 +-
 .../java/org/atsign/client/util/ArgsUtil.java |  27 -
 .../client/util/AtClientValidation.java       |  39 -
 .../java/org/atsign/client/util/AuthUtil.java | 128 ---
 .../atsign/common/ResponseTransformers.java   |  73 --
 .../AtResponseHandlingException.java          |   2 +-
 .../exceptions/AtServerIsPausedException.java |   2 +-
 .../AtUnknownResponseException.java           |   3 +-
 .../org/atsign/client/api/SecondaryTest.java  |  20 -
 .../atsign/common/AtClientValidationIT.java   |  54 --
 .../org/atsign/common/FromStringTest.java     |  28 +-
 .../common/ResponseTransformerTest.java       |  83 --
 .../cucumber/steps/AtClientContext.java       |  11 +-
 .../main/java/org/atsign/client/cli/REPL.java |  40 +-
 .../examples/PublicKeyDeleteExample.java      |  22 +-
 .../PublicKeyGetBypassCacheExample.java       |  19 +-
 .../atsign/examples/PublicKeyGetExample.java  |  19 +-
 .../atsign/examples/PublicKeyPutExample.java  |  23 +-
 .../atsign/examples/SelfKeyDeleteExample.java |  22 +-
 .../atsign/examples/SelfKeyGetExample.java    |  19 +-
 .../atsign/examples/SelfKeyPutExample.java    |  22 +-
 .../examples/SharedKeyDeleteExample.java      |  22 +-
 .../examples/SharedKeyGetOtherExample.java    |  19 +-
 .../examples/SharedKeyGetSelfExample.java     |  19 +-
 40 files changed, 276 insertions(+), 2736 deletions(-)
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/AtConnection.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/AtConnectionFactory.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/Secondary.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/connections/AtConnectionBase.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/connections/AtMonitorConnection.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/connections/AtRootConnection.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/connections/AtSecondaryConnection.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/connections/DefaultAtConnectionFactory.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/util/ArgsUtil.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/util/AtClientValidation.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/util/AuthUtil.java
 delete mode 100644 at_client/src/main/java/org/atsign/common/ResponseTransformers.java
 delete mode 100644 at_client/src/test/java/org/atsign/client/api/SecondaryTest.java
 delete mode 100644 at_client/src/test/java/org/atsign/common/AtClientValidationIT.java
 delete mode 100644 at_client/src/test/java/org/atsign/common/ResponseTransformerTest.java

diff --git a/at_client/src/main/java/org/atsign/client/api/AtClient.java b/at_client/src/main/java/org/atsign/client/api/AtClient.java
index 5fde566b..c2e1a2bd 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtClient.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtClient.java
@@ -1,205 +1,39 @@
 package org.atsign.client.api;
 
-import static org.atsign.common.Keys.AtKey;
-import static org.atsign.common.Keys.PublicKey;
-import static org.atsign.common.Keys.SelfKey;
-import static org.atsign.common.Keys.SharedKey;
+import static org.atsign.common.Keys.*;
 
-import java.io.Closeable;
-import java.io.IOException;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
 
-import org.atsign.client.api.impl.clients.AtClientImpl;
-import org.atsign.client.api.impl.connections.AtRootConnection;
-import org.atsign.client.api.impl.connections.DefaultAtConnectionFactory;
-import org.atsign.client.api.impl.events.SimpleAtEventBus;
-import org.atsign.client.api.impl.secondaries.RemoteSecondary;
-import org.atsign.common.AtException;
+import org.atsign.client.connection.api.AtClientConnection;
 import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtSecondaryConnectException;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
 import org.atsign.common.options.GetRequestOptions;
 
 /**
  * The primary interface of the AtSign client library.
  */
 @SuppressWarnings("unused")
-public interface AtClient extends Secondary, AtEvents.AtEventBus, Closeable {
-
-  /**
-   * Standard AtClient factory - uses production @ root to look up the cloud secondary address for
-   * this atSign
-   *
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @return An {@link AtClient}
-   * @throws AtException if something goes wrong with looking up or connecting to the remote secondary
-   */
-  static AtClient withRemoteSecondary(AtSign atSign, AtKeys keys) throws AtException {
-    return withRemoteSecondary("root.atsign.org:64", atSign, keys);
-  }
-
-  /**
-   * Standard AtClient factory - uses production @ root to look up the cloud secondary address for
-   * this atSign
-   *
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @param verbose set to true for chatty logs
-   * @return An {@link AtClient}
-   * @throws AtException if something goes wrong with looking up or connecting to the remote secondary
-   */
-  static AtClient withRemoteSecondary(AtSign atSign, AtKeys keys, boolean verbose) throws AtException {
-    return withRemoteSecondary("root.atsign.org:64", atSign, keys, verbose);
-  }
-
-  /**
-   * Factory to use when you wish to use a custom Secondary.AddressFinder
-   *
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @param secondaryAddressFinder will be used to find the Secondary.Address of the atSign
-   * @return An {@link AtClient}
-   * @throws AtException if any other exception occurs while connecting to the remote (cloud)
-   *         secondary
-   */
-  static AtClient withRemoteSecondary(AtSign atSign, AtKeys keys, Secondary.AddressFinder secondaryAddressFinder)
-      throws AtException {
-    Secondary.Address remoteSecondaryAddress;
-    try {
-      remoteSecondaryAddress = secondaryAddressFinder.findSecondary(atSign);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to find secondary, with IOException", e);
-    }
-    return withRemoteSecondary(atSign, keys, remoteSecondaryAddress, false);
-  }
-
-  /**
-   * Factory - returns default AtClientImpl with a RemoteSecondary and a DefaultConnectionFactory
-   *
-   * @param rootUrl the address of the root server to use - e.g. root.atsign.org:64 for production
-   *        at-signs
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @return An {@link AtClient}
-   * @throws AtException if anything goes wrong during construction
-   */
-  static AtClient withRemoteSecondary(String rootUrl, AtSign atSign, AtKeys keys) throws AtException {
-    return withRemoteSecondary(rootUrl, atSign, keys, false);
-  }
-
-  /**
-   * Factory - returns default AtClientImpl with a RemoteSecondary and a DefaultConnectionFactory
-   *
-   * @param rootUrl the address of the root server to use - e.g. root.atsign.org:64 for production
-   *        at-signs
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @param verbose set to true for chatty logs
-   * @return An {@link AtClient}
-   * @throws AtException if anything goes wrong during construction
-   */
-  static AtClient withRemoteSecondary(String rootUrl, AtSign atSign, AtKeys keys, boolean verbose) throws AtException {
-    DefaultAtConnectionFactory connectionFactory = new DefaultAtConnectionFactory();
-
-    Secondary.Address secondaryAddress;
-    try {
-      AtRootConnection rootConnection = connectionFactory.getRootConnection(new SimpleAtEventBus(), rootUrl, verbose);
-      rootConnection.connect();
-      secondaryAddress = rootConnection.findSecondary(atSign);
-    } catch (AtSecondaryNotFoundException e) {
-      throw e;
-    } catch (Exception e) {
-      throw new AtSecondaryNotFoundException("Failed to lookup remote secondary", e);
-    }
-
-    return withRemoteSecondary(atSign, keys, secondaryAddress, verbose);
-  }
-
-  /**
-   * Factory to use when you wish to use a custom Secondary.AddressFinder
-   *
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @param verbose set to true for chatty logs
-   * @return An {@link AtClient}
-   * @throws IOException if thrown by the address finder
-   * @throws AtException if any other exception occurs while connecting to the remote (cloud)
-   *         secondary
-   */
-  static AtClient withRemoteSecondary(AtSign atSign, AtKeys keys, Secondary.AddressFinder secondaryAddressFinder,
-                                      boolean verbose)
-      throws IOException, AtException {
-    Secondary.Address remoteSecondaryAddress = secondaryAddressFinder.findSecondary(atSign);
-    return withRemoteSecondary(atSign, keys, remoteSecondaryAddress, verbose);
-  }
-
-  /**
-   * Factory to use when you already know the address of the remote (cloud) secondary
-   *
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @param remoteSecondaryAddress the address of the remote secondary server
-   * @param verbose set to true for chatty logs
-   * @return An {@link AtClient}
-   * @throws AtException if any other exception occurs while connecting to the remote (cloud)
-   *         secondary
-   */
-  static AtClient withRemoteSecondary(AtSign atSign, AtKeys keys, Secondary.Address remoteSecondaryAddress,
-                                      boolean verbose)
-      throws AtException {
-    DefaultAtConnectionFactory connectionFactory = new DefaultAtConnectionFactory();
-    AtEvents.AtEventBus eventBus = new SimpleAtEventBus();
-
-    RemoteSecondary secondary;
-    try {
-      secondary = new RemoteSecondary(eventBus, atSign, remoteSecondaryAddress, keys, connectionFactory, verbose);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to create RemoteSecondary", e);
-    }
-
-    return new AtClientImpl(eventBus, atSign, keys, secondary);
-  }
-
-  /**
-   * Factory to use when you already know the address of the remote (cloud) secondary
-   *
-   * @param remoteSecondaryAddress the address of the remote secondary server
-   * @param atSign the {@link AtSign} of this client - e.g. @alice
-   * @param keys the {@link AtKeys} for this client
-   * @return An {@link AtClient}
-   * @throws AtException if any other exception occurs while connecting to the remote (cloud)
-   *         secondary
-   */
-  static AtClient withRemoteSecondary(Secondary.Address remoteSecondaryAddress, AtSign atSign, AtKeys keys)
-      throws AtException {
-    return withRemoteSecondary(atSign, keys, remoteSecondaryAddress, false);
-  }
-
-
+public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
   AtSign getAtSign();
 
-  Secondary getSecondary();
-
   AtKeys getEncryptionKeys();
 
   CompletableFuture<String> get(SharedKey sharedKey);
 
   CompletableFuture<byte[]> getBinary(SharedKey sharedKey);
 
-  CompletableFuture<String> put(SharedKey sharedKey, String value);
+  CompletableFuture<Void> put(SharedKey sharedKey, String value);
 
-  CompletableFuture<String> delete(SharedKey sharedKey);
+  CompletableFuture<Void> delete(SharedKey sharedKey);
 
   CompletableFuture<String> get(SelfKey selfKey);
 
   CompletableFuture<byte[]> getBinary(SelfKey selfKey);
 
-  CompletableFuture<String> put(SelfKey selfKey, String value);
+  CompletableFuture<Void> put(SelfKey selfKey, String value);
 
-  CompletableFuture<String> delete(SelfKey selfKey);
+  CompletableFuture<Void> delete(SelfKey selfKey);
 
   CompletableFuture<String> get(PublicKey publicKey);
 
@@ -209,17 +43,25 @@ static AtClient withRemoteSecondary(Secondary.Address remoteSecondaryAddress, At
 
   CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions getRequestOptions);
 
-  CompletableFuture<String> put(PublicKey publicKey, String value);
+  CompletableFuture<Void> put(PublicKey publicKey, String value);
 
-  CompletableFuture<String> delete(PublicKey publicKey);
+  CompletableFuture<Void> delete(PublicKey publicKey);
 
-  CompletableFuture<String> put(SharedKey sharedKey, byte[] value);
+  CompletableFuture<Void> put(SharedKey sharedKey, byte[] value);
 
-  CompletableFuture<String> put(SelfKey selfKey, byte[] value);
+  CompletableFuture<Void> put(SelfKey selfKey, byte[] value);
 
-  CompletableFuture<String> put(PublicKey publicKey, byte[] value);
+  CompletableFuture<Void> put(PublicKey publicKey, byte[] value);
 
   CompletableFuture<List<AtKey>> getAtKeys(String regex);
 
   CompletableFuture<List<AtKey>> getAtKeys(String regex, boolean fetchMetadata);
+
+  void startMonitor();
+
+  void stopMonitor();
+
+  boolean isMonitorRunning();
+
+  AtClientConnection getCommandExecutor();
 }
diff --git a/at_client/src/main/java/org/atsign/client/api/AtConnection.java b/at_client/src/main/java/org/atsign/client/api/AtConnection.java
deleted file mode 100644
index 21ace30b..00000000
--- a/at_client/src/main/java/org/atsign/client/api/AtConnection.java
+++ /dev/null
@@ -1,44 +0,0 @@
-package org.atsign.client.api;
-
-import java.io.IOException;
-import java.net.Socket;
-
-import org.atsign.common.AtException;
-
-/**
- * A simple abstraction around connections to @ platform services - e.g. the root server and
- * secondary servers
- */
-@SuppressWarnings("unused")
-public interface AtConnection {
-  String getUrl();
-
-  String getHost();
-
-  int getPort();
-
-  Socket getSocket();
-
-  boolean isConnected();
-
-  boolean isAutoReconnect();
-
-  boolean isVerbose();
-
-  void setVerbose(boolean verbose);
-
-  void connect() throws IOException, AtException;
-
-  void disconnect();
-
-  String executeCommand(String command) throws IOException;
-
-  /**
-   * Represents something which can implement atprotocol authentication workflow
-   * by executing commands with a {@link AtConnection}
-   */
-  interface Authenticator {
-    void authenticate(AtConnection connection) throws AtException, IOException;
-  }
-
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/AtConnectionFactory.java b/at_client/src/main/java/org/atsign/client/api/AtConnectionFactory.java
deleted file mode 100644
index 8936769f..00000000
--- a/at_client/src/main/java/org/atsign/client/api/AtConnectionFactory.java
+++ /dev/null
@@ -1,32 +0,0 @@
-package org.atsign.client.api;
-
-import org.atsign.client.api.impl.connections.AtRootConnection;
-import org.atsign.client.api.impl.connections.AtSecondaryConnection;
-import org.atsign.common.AtSign;
-
-/**
- * For getting a hold of AtConnections to things. We inject an AtConnectionFactory into
- * AtClientImpl, primarily for testability
- */
-public interface AtConnectionFactory {
-  AtSecondaryConnection getSecondaryConnection(AtEvents.AtEventBus eventBus,
-                                               AtSign atSign,
-                                               Secondary.Address secondaryAddress,
-                                               AtConnection.Authenticator authenticator);
-
-  AtSecondaryConnection getSecondaryConnection(AtEvents.AtEventBus eventBus,
-                                               AtSign atSign,
-                                               String secondaryUrl,
-                                               AtConnection.Authenticator authenticator,
-                                               boolean verbose);
-
-  AtSecondaryConnection getSecondaryConnection(AtEvents.AtEventBus eventBus,
-                                               AtSign atSign,
-                                               Secondary.Address secondaryAddress,
-                                               AtConnection.Authenticator authenticator,
-                                               boolean verbose);
-
-  AtRootConnection getRootConnection(AtEvents.AtEventBus eventBus, String rootUrl);
-
-  AtRootConnection getRootConnection(AtEvents.AtEventBus eventBus, String rootUrl, boolean verbose);
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/Secondary.java b/at_client/src/main/java/org/atsign/client/api/Secondary.java
deleted file mode 100644
index b6a0619b..00000000
--- a/at_client/src/main/java/org/atsign/client/api/Secondary.java
+++ /dev/null
@@ -1,154 +0,0 @@
-package org.atsign.client.api;
-
-import java.io.Closeable;
-import java.io.IOException;
-
-import org.atsign.client.connection.protocol.AtExceptions;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.*;
-
-/**
- * Clients ultimately talk to a Secondary server - usually this is a microservice which implements
- * the @ protocol server spec, running somewhere in the cloud.
- * <br>
- * In the initial implementation we just have AtClientImpl talking to a RemoteSecondary which in
- * turn
- * talks, via TLS over a secure socket, to the cloud Secondary server.
- * <br>
- * As we implement client-side offline storage, performance caching etc., we can expect e.g.
- * <br>
- * AtClient {@code ->} FastCacheSecondary {@code ->} OfflineStorageSecondary {@code ->}
- * RemoteSecondary
- * <br>
- * where FastCacheSecondary might be an in-memory LRU cache, and OfflineStorageSecondary is a
- * persistent cache of some or all of the information in the RemoteSecondary. To make this
- * possible, each Secondary will need to be able to fully handle the @ protocol, thus the
- * interface is effectively the same as when interacting with a cloud secondary via openssl
- * from command line.
- */
-public interface Secondary extends AtEvents.AtEventListener, Closeable {
-  /**
-   * @param command in @ protocol format
-   * @param throwExceptionOnErrorResponse sometimes we want to inspect an error response,
-   *        sometimes we want to just throw an exception
-   * @return response in @ protocol format
-   * @throws AtException if there was an error response and throwExceptionOnErrorResponse is true
-   * @throws IOException if one is encountered
-   */
-  Response executeCommand(String command, boolean throwExceptionOnErrorResponse) throws IOException, AtException;
-
-  void startMonitor();
-
-  void stopMonitor();
-
-  boolean isMonitorRunning();
-
-  /**
-   * Used to hold the partially decoded response from a {@link Secondary}
-   */
-  class Response {
-    private String rawDataResponse = null;
-    private String rawErrorResponse;
-    private String errorCode;
-    private String errorText;
-
-    public String getRawDataResponse() {
-      return rawDataResponse;
-    }
-
-    public void setRawDataResponse(String s) {
-      rawDataResponse = s;
-      rawErrorResponse = null;
-      errorCode = null;
-      errorText = null;
-    }
-
-    public String getRawErrorResponse() {
-      return rawErrorResponse;
-    }
-
-    public void setRawErrorResponse(String s) {
-      // In format "AT1234-meaning of error code : <any other text>"
-      rawErrorResponse = s;
-      rawDataResponse = null;
-
-      int codeDelimiter = rawErrorResponse.indexOf(":");
-      String errorCodeSegment = rawErrorResponse.substring(0, codeDelimiter).trim();
-      String[] separatedByHyphen = errorCodeSegment.split("-");
-      errorCode = separatedByHyphen[0].trim();
-      errorText = rawErrorResponse.substring(codeDelimiter + 1).trim();
-    }
-
-    public boolean isError() {
-      return rawErrorResponse != null;
-    }
-
-    public String getErrorCode() {
-      return errorCode;
-    }
-
-    public String getErrorText() {
-      return errorText;
-    }
-
-    @Override
-    public String toString() {
-      if (isError()) {
-        return "error:" + rawErrorResponse;
-      } else {
-        return "data:" + rawDataResponse;
-      }
-    }
-
-    public AtException getException() {
-      if (!isError()) {
-        return null;
-      }
-      return AtExceptions.toTypedException(errorCode, errorText);
-    }
-  }
-
-  /**
-   * Value class for hostname and port tuple
-   */
-  class Address {
-    public final String host;
-    public final int port;
-
-    public Address(String host, int port) {
-      this.host = host;
-      this.port = port;
-    }
-
-    public static Address fromString(String hostAndPort) throws IllegalArgumentException {
-      String[] split = hostAndPort.split(":");
-      if (split.length != 2) {
-        throw new IllegalArgumentException(
-            "Cannot construct Secondary.Address from malformed host:port string '" + hostAndPort + "'");
-      }
-      String host = split[0];
-      int port;
-      try {
-        port = Integer.parseInt(split[1]);
-      } catch (NumberFormatException e) {
-        throw new IllegalArgumentException(
-            "Cannot construct Secondary.Address from malformed host:port string '" + hostAndPort + "'");
-      }
-      return new Address(host, port);
-    }
-
-    @Override
-    public String toString() {
-      return host + ":" + port;
-    }
-  }
-
-  /**
-   * Represents something that, given an {@link AtSign}, can resolve the {@link Address} of the
-   * {@link Secondary} for this {@link AtSign}
-   */
-  interface AddressFinder {
-    Address findSecondary(AtSign atSign) throws IOException, AtSecondaryNotFoundException;
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java b/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java
deleted file mode 100644
index 9f320e31..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClientImpl.java
+++ /dev/null
@@ -1,796 +0,0 @@
-package org.atsign.client.api.impl.clients;
-
-import static org.atsign.client.api.AtEvents.AtEventType.decryptedUpdateNotification;
-import static org.atsign.client.api.AtKeyNames.toSharedByMeKeyName;
-import static org.atsign.client.util.Preconditions.checkNotNull;
-import static org.atsign.common.VerbBuilders.*;
-import static org.atsign.common.VerbBuilders.LookupOperation.all;
-import static org.atsign.common.VerbBuilders.LookupOperation.meta;
-
-import java.io.IOException;
-import java.util.*;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.CompletionException;
-import java.util.concurrent.TimeUnit;
-
-
-import lombok.extern.slf4j.Slf4j;
-import org.atsign.client.api.AtClient;
-import org.atsign.client.api.AtEvents.AtEventBus;
-import org.atsign.client.api.AtEvents.AtEventListener;
-import org.atsign.client.api.AtEvents.AtEventType;
-import org.atsign.client.api.AtKeyNames;
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.Secondary;
-import org.atsign.client.util.EncryptionUtil;
-import org.atsign.common.*;
-import org.atsign.common.Keys.AtKey;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.exceptions.*;
-import org.atsign.common.options.GetRequestOptions;
-import org.atsign.common.response_models.LookupResponse;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-
-/**
- * Implementation of an {@link AtClient} which wraps a {@link Secondary}
- * in order to implement the "map like" features of the {@link AtClient} interface
- */
-@SuppressWarnings({"RedundantThrows", "unused"})
-@Slf4j
-public class AtClientImpl implements AtClient {
-
-  // Factory method - creates an AtClientImpl with a RemoteSecondary
-
-  private final AtSign atSign;
-
-  @Override
-  public AtSign getAtSign() {
-    return atSign;
-  }
-
-  private final AtKeys keys;
-
-  @Override
-  public AtKeys getEncryptionKeys() {
-    return keys;
-  }
-
-  private final Secondary secondary;
-
-  @Override
-  public Secondary getSecondary() {
-    return secondary;
-  }
-
-  private final AtEventBus eventBus;
-
-  public AtClientImpl(AtEventBus eventBus, AtSign atSign, AtKeys keys, Secondary secondary) {
-    this.eventBus = eventBus;
-    this.atSign = atSign;
-    this.keys = keys;
-    this.secondary = secondary;
-    checkNotNull(keys.getEncryptPrivateKey(), "AtKeys have not been fully enrolled");
-    eventBus.addEventListener(this, EnumSet.allOf(AtEventType.class));
-  }
-
-  @Override
-  public void startMonitor() {
-    secondary.startMonitor();
-  }
-
-  @Override
-  public void stopMonitor() {
-    secondary.stopMonitor();
-  }
-
-  @Override
-  public boolean isMonitorRunning() {
-    return secondary.isMonitorRunning();
-  }
-
-  @Override
-  public synchronized void addEventListener(AtEventListener listener, Set<AtEventType> eventTypes) {
-    eventBus.addEventListener(listener, eventTypes);
-  }
-
-  @Override
-  public synchronized void removeEventListener(AtEventListener listener) {
-    eventBus.removeEventListener(listener);
-  }
-
-  @Override
-  public int publishEvent(AtEventType eventType, Map<String, Object> eventData) {
-    return eventBus.publishEvent(eventType, eventData);
-  }
-
-  @Override
-  public synchronized void handleEvent(AtEventType eventType, Map<String, Object> eventData) {
-    switch (eventType) {
-      case sharedKeyNotification:
-        // We've got notification that someone has shared an encryption key with us
-        // If we also got a value, we can decrypt it and add it to our keys map
-        // Note: a value isn't supplied when the ttr on the shared key was set to 0
-        if (eventData.get("value") != null) {
-          String sharedSharedKeyName = (String) eventData.get("key");
-          String sharedSharedKeyEncryptedValue = (String) eventData.get("value");
-          // decrypt it with our encryption private key
-          try {
-            String sharedKeyDecryptedValue =
-                EncryptionUtil.rsaDecryptFromBase64(sharedSharedKeyEncryptedValue, keys.getEncryptPrivateKey());
-            keys.put(sharedSharedKeyName, sharedKeyDecryptedValue);
-          } catch (Exception e) {
-            log.error("caught exception {} while decrypting received shared key {}", e, sharedSharedKeyName);
-          }
-        }
-        break;
-      case updateNotification:
-        // Let's see if we can decrypt it on the fly
-        if (eventData.get("value") != null) {
-          String key = (String) eventData.get("key");
-          String encryptedValue = (String) eventData.get("value");
-          @SuppressWarnings("unchecked")
-          Map<String, Object> metadata = (Map<String, Object>) eventData.get("metadata");
-          String ivNonce = (String) metadata.get("ivNonce");
-
-          try {
-            // decrypt it with the symmetric key that the other atSign shared with me
-            SharedKey sk = Keys.sharedKeyBuilder().rawKey(key).build();
-            String encryptionKeySharedByOther = getEncryptionKeySharedByOther(sk);
-
-            String decryptedValue =
-                EncryptionUtil.aesDecryptFromBase64(encryptedValue, encryptionKeySharedByOther, ivNonce);
-            HashMap<String, Object> newEventData = new HashMap<>(eventData);
-            newEventData.put("decryptedValue", decryptedValue);
-            eventBus.publishEvent(decryptedUpdateNotification, newEventData);
-          } catch (Exception e) {
-            log.error("caught exception while decrypting received data with key name [{}]", key, e);
-          }
-        }
-        break;
-      default:
-        break;
-    }
-  }
-
-  @Override
-  public CompletableFuture<String> get(SharedKey sharedKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _get(sharedKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<byte[]> getBinary(SharedKey sharedKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _getBinary(sharedKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> put(SharedKey sharedKey, String value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _put(sharedKey, value);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> delete(SharedKey sharedKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _delete(sharedKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> get(SelfKey selfKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _get(selfKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<byte[]> getBinary(SelfKey selfKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _getBinary(selfKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> put(SelfKey selfKey, String value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _put(selfKey, value);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> delete(SelfKey selfKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _delete(selfKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> get(PublicKey publicKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _get(publicKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> get(PublicKey publicKey, GetRequestOptions getRequestOptions) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _get(publicKey, getRequestOptions);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<byte[]> getBinary(PublicKey publicKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _getBinary(publicKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions getRequestOptions) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _getBinary(publicKey, getRequestOptions);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> put(PublicKey publicKey, String value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _put(publicKey, value);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> delete(PublicKey publicKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _delete(publicKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> put(SharedKey sharedKey, byte[] value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _put(sharedKey, value);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> put(SelfKey selfKey, byte[] value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _put(selfKey, value);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<String> put(PublicKey publicKey, byte[] value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _put(publicKey, value);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public CompletableFuture<List<AtKey>> getAtKeys(String regex) {
-    return getAtKeys(regex, true);
-  }
-
-  @Override
-  public CompletableFuture<List<AtKey>> getAtKeys(String regex, boolean fetchMetadata) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return _getAtKeys(regex, fetchMetadata);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  /**
-   * Synchronous, talks @-protocol directly to the client's Secondary server
-   *
-   * @param command in @ protocol format
-   * @param throwExceptionOnErrorResponse sometimes we want to inspect an error response,
-   *        sometimes we want to just throw an exception
-   * @return a Secondary Response
-   * @throws AtException if the response from the Secondary starts with 'error:', or
-   *         if there is any other exception
-   */
-  @Override
-  public Response executeCommand(String command, boolean throwExceptionOnErrorResponse)
-      throws AtException, IOException {
-    return secondary.executeCommand(command, throwExceptionOnErrorResponse);
-  }
-
-  @Override
-  public void close() throws IOException {
-    stopMonitor();
-    secondary.close();
-  }
-
-  // ============================================================================================================================================
-  // ============================================================================================================================================
-  // ============================================================================================================================================
-
-  //
-  // Synchronous methods which do the actual work
-  //
-  private String _get(SharedKey sharedKey) throws AtException {
-    if (sharedKey.sharedBy().equals(atSign)) {
-      return _getSharedByMeWithOther(sharedKey);
-    } else {
-      return _getSharedByOtherWithMe(sharedKey);
-    }
-  }
-
-  private String _getSharedByMeWithOther(SharedKey sharedKey) throws AtException {
-    String shareEncryptionKey = getEncryptionKeySharedByMe(sharedKey);
-
-    String command = llookupCommandBuilder().key(sharedKey).operation(all).build();
-    LookupResponse response = getLookupResponse(command);
-
-    try {
-      return EncryptionUtil.aesDecryptFromBase64(response.data, shareEncryptionKey, response.metaData.ivNonce());
-    } catch (Exception e) {
-      throw new AtDecryptionException("Failed to decrypt value with shared encryption key", e);
-    }
-  }
-
-  private String _getSharedByOtherWithMe(SharedKey sharedKey) throws AtException {
-    String what;
-    String shareEncryptionKey = getEncryptionKeySharedByOther(sharedKey);
-
-    String command = lookupCommandBuilder().key(sharedKey).operation(all).build();
-    LookupResponse response = getLookupResponse(command);
-
-    what = "decrypt value with shared encryption key";
-    try {
-      return EncryptionUtil.aesDecryptFromBase64(response.data, shareEncryptionKey, response.metaData.ivNonce());
-    } catch (Exception e) {
-      throw new AtDecryptionException("Failed to " + what, e);
-    }
-  }
-
-  private String _put(SharedKey sharedKey, String value) throws AtException {
-    if (!this.atSign.equals(sharedKey.sharedBy())) {
-      throw new AtIllegalArgumentException(
-          "sharedBy is [" + sharedKey.sharedBy() + "] but should be this client's atSign [" + atSign + "]");
-    }
-    String what = "";
-    String cipherText;
-    try {
-      what = "fetch/create shared encryption key";
-      String shareToEncryptionKey = getEncryptionKeySharedByMe(sharedKey);
-
-      what = "encrypt value with shared encryption key";
-      String iv = EncryptionUtil.generateRandomIvBase64(16);
-      sharedKey.updateMissingMetadata(Metadata.builder().ivNonce(iv).build());
-      cipherText = EncryptionUtil.aesEncryptToBase64(value, shareToEncryptionKey, iv);
-    } catch (Exception e) {
-      throw new AtEncryptionException("Failed to " + what, e);
-    }
-
-    String command = updateCommandBuilder().key(sharedKey).value(cipherText).build();
-
-    try {
-      return secondary.executeCommand(command, true).toString();
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-  }
-
-  private String _delete(SharedKey sharedKey) throws AtException {
-    String command = deleteCommandBuilder().key(sharedKey).build();
-    try {
-      return secondary.executeCommand(command, true).toString();
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-  }
-
-  private String _get(SelfKey key) throws AtException {
-    // 1. build command
-    String command = llookupCommandBuilder().key(key).operation(all).build();
-
-    // 2. execute command
-    LookupResponse fetched = getLookupResponse(command);
-
-    // 3. decrypt the value
-    String decryptedValue;
-    String encryptedValue = fetched.data;
-    String selfEncryptionKey = keys.getSelfEncryptKey();
-    String iv = checkNotNull(fetched.metaData.ivNonce(), "ivNonce is null");
-    decryptedValue = EncryptionUtil.aesDecryptFromBase64(encryptedValue, selfEncryptionKey, iv);
-
-    // 4. update metadata. squash the fetchedMetadata with current key.metadata (fetchedMetadata has higher priority)
-    key.overwriteMetadata(fetched.metaData);
-
-    return decryptedValue;
-  }
-
-  private String _put(SelfKey selfKey, String value) throws AtException {
-    // 1. generate dataSignature
-    Metadata metadata = Metadata.builder()
-        .dataSignature(generateSignature(value))
-        .ivNonce(EncryptionUtil.generateRandomIvBase64(16))
-        .build();
-    selfKey.updateMissingMetadata(metadata);
-    // 2. encrypt data with self encryption key
-    String cipherText = EncryptionUtil.aesEncryptToBase64(value, keys.getSelfEncryptKey(), metadata.ivNonce());
-
-    // 3. update secondary
-    String command = updateCommandBuilder().key(selfKey).value(cipherText).build();
-    try {
-      return secondary.executeCommand(command, true).toString();
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-  }
-
-  private String _delete(SelfKey key) throws AtException {
-    // 1. build delete command
-    String command = deleteCommandBuilder().key(key).build();
-
-    // 2. run command
-    try {
-      return secondary.executeCommand(command, true).toString();
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-  }
-
-  private String _get(PublicKey key) throws AtException {
-    return _get(key, null);
-  }
-
-  private String _get(PublicKey key, GetRequestOptions getRequestOptions) throws AtException {
-    // 1. build command
-    String command;
-    if (atSign.equals(key.sharedBy())) {
-      command = llookupCommandBuilder().key(key).operation(all).build();
-    } else {
-      boolean bypassCache = getRequestOptions != null && getRequestOptions.isBypassCache();
-      command = plookupCommandBuilder().key(key).bypassCache(bypassCache).operation(all).build();
-    }
-
-    // 2. run the command
-    LookupResponse fetched = getLookupResponse(command);
-
-    // 4. update key object metadata
-    Metadata metadata = fetched.metaData.toBuilder().isCached(fetched.key.contains("cached:")).build();
-    key.overwriteMetadata(metadata);
-
-    // 5. return the AtValue
-    return fetched.data;
-  }
-
-  private String _put(PublicKey publicKey, String value) throws AtException {
-    // 1. generate dataSignature
-    Metadata metadata = Metadata.builder().dataSignature(generateSignature(value)).build();
-    publicKey.updateMissingMetadata(metadata);
-
-    // 2. build command
-    String command = updateCommandBuilder().key(publicKey).value(value).build();
-
-    // 3. run command
-    try {
-      return secondary.executeCommand(command, true).toString();
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-  }
-
-  private String _delete(PublicKey key) throws AtException {
-    // 1. build command
-    String command = deleteCommandBuilder().key(key).build();
-
-    // 2. run command
-    try {
-      return secondary.executeCommand(command, true).toString();
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-  }
-
-  private byte[] _getBinary(SharedKey sharedKey) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private byte[] _getBinary(SelfKey selfKey) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private byte[] _getBinary(PublicKey publicKey) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private byte[] _getBinary(PublicKey publicKey, GetRequestOptions getRequestOptions) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private String _put(SharedKey sharedKey, byte[] value) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private String _put(SelfKey selfKey, byte[] value) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private String _put(PublicKey publicKey, byte[] value) throws AtException {
-    throw new RuntimeException("Not Implemented");
-  }
-
-  private List<AtKey> _getAtKeys(String regex, boolean fetchMetadata) throws AtException {
-    String scanCommand = scanCommandBuilder().regex(regex).showHidden(true).build();
-    Response scanRawResponse;
-    try {
-      scanRawResponse = executeCommand(scanCommand, true);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + scanCommand, e);
-    }
-    ResponseTransformers.ScanResponseTransformer scanResponseTransformer =
-        new ResponseTransformers.ScanResponseTransformer(AtClientImpl::isNotManagementKey);
-    List<String> rawArray = scanResponseTransformer.apply(scanRawResponse);
-
-    List<AtKey> atKeys = new ArrayList<>();
-    for (String atKeyRaw : rawArray) {
-      AtKey atKey = Keys.keyBuilder().rawKey(atKeyRaw).build();
-      if (fetchMetadata) {
-        String llookupCommand = llookupCommandBuilder().operation(meta).rawKey(atKeyRaw).build();
-        Response llookupMetaResponse;
-        try {
-          llookupMetaResponse = secondary.executeCommand(llookupCommand, true);
-        } catch (IOException e) {
-          throw new AtSecondaryConnectException("Failed to execute " + llookupCommand, e);
-        }
-        try {
-          // atKey.metadata has priority over llookupMetaRaw.data
-          Metadata responseMetadata = Metadata.fromJson(llookupMetaResponse.getRawDataResponse());
-          atKey.updateMissingMetadata(responseMetadata);
-        } catch (JsonProcessingException e) {
-          throw new AtResponseHandlingException("Failed to parse JSON " + llookupMetaResponse.getRawDataResponse(), e);
-        }
-      }
-      atKeys.add(atKey);
-    }
-    return atKeys;
-  }
-
-  // ============================================================================================================================================
-  // ============================================================================================================================================
-  // ============================================================================================================================================
-
-  //
-  // Internal utility methods. Will move these to another class later, so that other AtClient implementations can easily use them.
-  //
-
-  private LookupResponse getLookupResponse(String command) throws AtException {
-    Response response;
-    try {
-      response = secondary.executeCommand(command, true);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-
-    // 3. transform the data to a LlookupAllResponse object
-    LookupResponse fetched;
-    try {
-      fetched = Json.MAPPER.readValue(response.getRawDataResponse(), LookupResponse.class);
-    } catch (JsonProcessingException e) {
-      throw new AtResponseHandlingException("Failed to parse JSON " + response.getRawDataResponse(), e);
-    }
-    return fetched;
-  }
-
-  private String getEncryptionKeySharedByMe(SharedKey key) throws AtException {
-    Secondary.Response rawResponse;
-    String command = llookupCommandBuilder().keyName(toSharedByMeKeyName(key.sharedWith())).sharedBy(atSign).build();
-    try {
-      rawResponse = secondary.executeCommand(command, false);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-
-    if (rawResponse.isError()) {
-      if (rawResponse.getException() instanceof AtKeyNotFoundException) {
-        // No key found - so we should create one
-        return createSharedEncryptionKey(key);
-      } else {
-        throw rawResponse.getException();
-      }
-    }
-
-    // When we stored it, we encrypted it with our encryption public key; so we need to decrypt it now with our
-    // encryption private key
-    return EncryptionUtil.rsaDecryptFromBase64(rawResponse.getRawDataResponse(), keys.getEncryptPrivateKey());
-  }
-
-  private String getEncryptionKeySharedByOther(SharedKey sharedKey) throws AtException {
-    // Let's see if it's in our in-memory cache
-    String sharedSharedKeyName = AtKeyNames.toSharedWithMeKeyName(sharedKey.sharedBy(), sharedKey.sharedWith());
-
-    String sharedKeyValue = keys.get(sharedSharedKeyName);
-    if (sharedKeyValue != null) {
-      return sharedKeyValue;
-    }
-
-    String what = "";
-
-    // Not in memory so now let's try to fetch from remote - e.g. if I'm @bob, lookup:shared_key@alice
-    String lookupCommand = lookupCommandBuilder().keyName(AtKeyNames.SHARED_KEY).sharedBy(sharedKey.sharedBy()).build();
-    Response rawResponse;
-    try {
-      rawResponse = secondary.executeCommand(lookupCommand, true);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + lookupCommand, e);
-    }
-
-    String sharedSharedKeyDecryptedValue;
-    try {
-      sharedSharedKeyDecryptedValue =
-          EncryptionUtil.rsaDecryptFromBase64(rawResponse.getRawDataResponse(), keys.getEncryptPrivateKey());
-    } catch (Exception e) {
-      throw new AtDecryptionException("Failed to decrypt the shared_key with our encryption private key", e);
-    }
-    keys.put(sharedSharedKeyName, sharedSharedKeyDecryptedValue);
-
-    return sharedSharedKeyDecryptedValue;
-  }
-
-  private String createSharedEncryptionKey(SharedKey sharedKey) throws AtException {
-    // We need their public key
-    String theirPublicEncryptionKey = getPublicEncryptionKey(sharedKey.sharedWith());
-    if (theirPublicEncryptionKey == null) {
-      throw new AtKeyNotFoundException(" public key " + sharedKey.sharedWith()
-          + " not found but service is running - maybe that AtSign has not yet been onboarded");
-    }
-
-    // Cut an AES key
-    String aesKey;
-    try {
-      aesKey = EncryptionUtil.generateAESKeyBase64();
-    } catch (Exception e) {
-      throw new AtEncryptionException("Failed to generate AES key for sharing with " + sharedKey.sharedWith(), e);
-    }
-
-    String what = "";
-    try {
-      // Encrypt key with the other at-sign's publickey and save it @bob:shared_key@alice
-      what = "encrypt new shared key with their public key";
-      String encryptedForOther = EncryptionUtil.rsaEncryptToBase64(aesKey, theirPublicEncryptionKey);
-
-      what = "encrypt new shared key with our public key";
-      // Encrypt key with our publickey and save it shared_key.bob@alice
-      String encryptedForUs = EncryptionUtil.rsaEncryptToBase64(aesKey, keys.getEncryptPublicKey());
-
-      what = "save encrypted shared key for us";
-      String updateForUs = updateCommandBuilder()
-          .keyName(toSharedByMeKeyName(sharedKey.sharedWith()))
-          .sharedBy(sharedKey.sharedBy())
-          .value(encryptedForUs)
-          .build();
-      secondary.executeCommand(updateForUs, true);
-
-      what = "save encrypted shared key for them";
-      String updateForOther = updateCommandBuilder()
-          .keyName(AtKeyNames.SHARED_KEY)
-          .sharedBy(sharedKey.sharedBy())
-          .sharedWith(sharedKey.sharedWith())
-          .ttr(TimeUnit.HOURS.toMillis(24))
-          .value(encryptedForOther)
-          .build();
-      secondary.executeCommand(updateForOther, true);
-    } catch (Exception e) {
-      throw new AtEncryptionException("Failed to " + what, e);
-    }
-
-    return aesKey;
-  }
-
-  private String getPublicEncryptionKey(AtSign sharedWith) throws AtException {
-    Secondary.Response rawResponse;
-
-    String command = plookupCommandBuilder().keyName(AtKeyNames.PUBLIC_ENCRYPT).sharedBy(sharedWith).build();
-    try {
-      rawResponse = secondary.executeCommand(command, false);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Failed to execute " + command, e);
-    }
-
-    if (rawResponse.isError()) {
-      if (rawResponse.getException() instanceof AtKeyNotFoundException) {
-        return null;
-      } else {
-        throw rawResponse.getException();
-      }
-    } else {
-      return rawResponse.getRawDataResponse();
-    }
-  }
-
-  private String generateSignature(String value) throws AtException {
-    String signature;
-    try {
-      signature = EncryptionUtil.signSHA256RSA(value, keys.getEncryptPrivateKey());
-    } catch (Exception e) {
-      throw new AtEncryptionException("Failed to sign value: " + value, e);
-    }
-    return signature;
-  }
-
-  private static boolean isNotManagementKey(String s) {
-    return !s.matches(".+\\.__manage@.+");
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java b/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
index f8e03a98..141fec69 100644
--- a/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
+++ b/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
@@ -1,9 +1,6 @@
 package org.atsign.client.api.impl.clients;
 
 import static org.atsign.client.api.AtEvents.AtEventType.decryptedUpdateNotification;
-import static org.atsign.client.connection.protocol.Data.matchData;
-import static org.atsign.client.connection.protocol.Error.matchError;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
 import static org.atsign.client.util.EncryptionUtil.aesDecryptFromBase64;
 import static org.atsign.client.util.EncryptionUtil.rsaDecryptFromBase64;
 import static org.atsign.client.util.Preconditions.checkNotNull;
@@ -20,7 +17,6 @@
 import org.atsign.client.api.AtEvents.AtEventListener;
 import org.atsign.client.api.AtEvents.AtEventType;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.Secondary;
 import org.atsign.client.connection.api.AtClientConnection;
 import org.atsign.client.connection.protocol.*;
 import org.atsign.common.AtException;
@@ -61,6 +57,11 @@ public AtKeys getEncryptionKeys() {
     return keys;
   }
 
+  @Override
+  public AtClientConnection getCommandExecutor() {
+    return connection;
+  }
+
   @Builder
   public DefaultAtClientImpl(AtSign atSign, AtKeys keys, AtClientConnection connection, AtEventBus eventBus) {
     checkNotNull(keys.getEncryptPrivateKey(), "AtKeys have not been fully enrolled");
@@ -115,13 +116,7 @@ public int publishEvent(AtEventType eventType, Map<String, Object> eventData) {
 
   @Override
   public CompletableFuture<String> get(SharedKey sharedKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return SharedKeys.get(connection, atSign, keys, sharedKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+    return wrapAsync(() -> SharedKeys.get(connection, atSign, keys, sharedKey));
   }
 
   @Override
@@ -130,31 +125,18 @@ public CompletableFuture<byte[]> getBinary(SharedKey sharedKey) {
   }
 
   @Override
-  public CompletableFuture<String> put(SharedKey sharedKey, String value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        SharedKeys.put(connection, atSign, keys, sharedKey, value);
-        return null;
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+  public CompletableFuture<Void> put(SharedKey sharedKey, String value) {
+    return wrapAsync(() -> SharedKeys.put(connection, atSign, keys, sharedKey, value));
   }
 
   @Override
-  public CompletableFuture<String> delete(SharedKey sharedKey) {
-    return deleteKey(sharedKey);
+  public CompletableFuture<Void> delete(SharedKey sharedKey) {
+    return wrapAsync(() -> Keys.deleteKey(connection, sharedKey));
   }
 
   @Override
   public CompletableFuture<String> get(SelfKey selfKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return SelfKeys.get(connection, keys, selfKey);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+    return wrapAsync(() -> SelfKeys.get(connection, keys, selfKey));
   }
 
   @Override
@@ -163,42 +145,23 @@ public CompletableFuture<byte[]> getBinary(SelfKey selfKey) {
   }
 
   @Override
-  public CompletableFuture<String> put(SelfKey selfKey, String value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        SelfKeys.put(connection, keys, selfKey, value);
-        return null;
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+  public CompletableFuture<Void> put(SelfKey selfKey, String value) {
+    return wrapAsync(() -> SelfKeys.put(connection, keys, selfKey, value));
   }
 
   @Override
-  public CompletableFuture<String> delete(SelfKey selfKey) {
-    return deleteKey(selfKey);
+  public CompletableFuture<Void> delete(SelfKey selfKey) {
+    return wrapAsync(() -> Keys.deleteKey(connection, selfKey));
   }
 
   @Override
   public CompletableFuture<String> get(PublicKey publicKey) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return PublicKeys.get(connection, atSign, publicKey, null);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+    return wrapAsync(() -> PublicKeys.get(connection, atSign, publicKey, null));
   }
 
   @Override
   public CompletableFuture<String> get(PublicKey publicKey, GetRequestOptions options) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        return PublicKeys.get(connection, atSign, publicKey, options);
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+    return wrapAsync(() -> PublicKeys.get(connection, atSign, publicKey, options));
   }
 
   @Override
@@ -212,34 +175,27 @@ public CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOption
   }
 
   @Override
-  public CompletableFuture<String> put(PublicKey publicKey, String value) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        PublicKeys.put(connection, keys, publicKey, value);
-        return null;
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
+  public CompletableFuture<Void> put(PublicKey publicKey, String value) {
+    return wrapAsync(() -> PublicKeys.put(connection, keys, publicKey, value));
   }
 
   @Override
-  public CompletableFuture<String> delete(PublicKey publicKey) {
-    return deleteKey(publicKey);
+  public CompletableFuture<Void> delete(PublicKey publicKey) {
+    return wrapAsync(() -> Keys.deleteKey(connection, publicKey));
   }
 
   @Override
-  public CompletableFuture<String> put(SharedKey sharedKey, byte[] value) {
+  public CompletableFuture<Void> put(SharedKey sharedKey, byte[] value) {
     throw new UnsupportedOperationException("to be implemented");
   }
 
   @Override
-  public CompletableFuture<String> put(SelfKey selfKey, byte[] value) {
+  public CompletableFuture<Void> put(SelfKey selfKey, byte[] value) {
     throw new UnsupportedOperationException("to be implemented");
   }
 
   @Override
-  public CompletableFuture<String> put(PublicKey publicKey, byte[] value) {
+  public CompletableFuture<Void> put(PublicKey publicKey, byte[] value) {
     throw new UnsupportedOperationException("to be implemented");
   }
 
@@ -259,46 +215,7 @@ public CompletableFuture<List<AtKey>> getAtKeys(String regex, boolean fetchMetad
     });
   }
 
-  @Override
-  public Response executeCommand(String command, boolean throwExceptionOnErrorResponse)
-      throws AtException, IOException {
-
-    try {
-      String s = connection.sendSync(command);
-      Response response = new Response();
-      if (throwExceptionOnErrorResponse) {
-        response.setRawDataResponse(throwExceptionIfError(matchData(s)));
-      } else {
-        if (s.startsWith("error:")) {
-          response.setRawErrorResponse(matchError(s));
-        } else {
-          response.setRawDataResponse(matchData(s));
-        }
-      }
-      return response;
-    } catch (ExecutionException | InterruptedException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  @Override
-  public Secondary getSecondary() {
-    throw new UnsupportedOperationException("not supported");
-  }
-
-  private CompletableFuture<String> deleteKey(AtKey key) {
-    return CompletableFuture.supplyAsync(() -> {
-      try {
-        Keys.deleteKey(connection, key);
-        return null;
-      } catch (Exception e) {
-        throw new CompletionException(e);
-      }
-    });
-  }
-
-  @Override
-  public void handleEvent(AtEventType eventType, Map<String, Object> eventData) {
+  private void handleEvent(AtEventType eventType, Map<String, Object> eventData) {
     try {
       switch (eventType) {
         case sharedKeyNotification:
@@ -342,4 +259,42 @@ private void onUpdateNotification(Map<String, Object> eventData) throws AtExcept
       eventBus.publishEvent(decryptedUpdateNotification, newEventData);
     }
   }
+
+  /**
+   * A runnable command which returns a value but can throw {@link AtException}s or execution
+   * exceptions
+   */
+  public interface AtCommandThatReturnsString {
+    String run() throws AtException, ExecutionException, InterruptedException;
+  }
+
+  private static CompletableFuture<String> wrapAsync(AtCommandThatReturnsString command) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        return command.run();
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
+  /**
+   * A runnable command which does NOT return a value but can throw {@link AtException}s or execution
+   * exceptions
+   */
+  public interface AtCommandThatReturnsVoid {
+    void run() throws AtException, ExecutionException, InterruptedException;
+  }
+
+  private static CompletableFuture<Void> wrapAsync(AtCommandThatReturnsVoid command) {
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+        command.run();
+        return null;
+      } catch (Exception e) {
+        throw new CompletionException(e);
+      }
+    });
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtConnectionBase.java b/at_client/src/main/java/org/atsign/client/api/impl/connections/AtConnectionBase.java
deleted file mode 100644
index bacd1fa9..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtConnectionBase.java
+++ /dev/null
@@ -1,193 +0,0 @@
-package org.atsign.client.api.impl.connections;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.Socket;
-import java.util.Scanner;
-
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLSocketFactory;
-
-import lombok.extern.slf4j.Slf4j;
-import org.atsign.client.api.AtConnection;
-import org.atsign.client.api.AtEvents;
-import org.atsign.common.AtException;
-
-/**
- * Core implementation of an {@link AtConnection} which uses Java NIO. This
- * class contains the implementation of the socket connect / disconnect,
- * writing atprotocol commands and reading atprotocol responses.
- * If the socket becomes disconnected then it will be re-connected as part
- * of sending the next command.
- */
-@Slf4j
-public abstract class AtConnectionBase implements AtConnection {
-
-  private final String url;
-
-  @Override
-  public String getUrl() {
-    return url;
-  }
-
-  private final String host;
-
-  @Override
-  public String getHost() {
-    return host;
-  }
-
-  private final int port;
-
-  @Override
-  public int getPort() {
-    return port;
-  }
-
-  private Socket socket;
-
-  @Override
-  public Socket getSocket() {
-    return socket;
-  }
-
-  private boolean connected = false;
-
-  @Override
-  public boolean isConnected() {
-    return connected;
-  }
-
-  private final boolean autoReconnect;
-
-  @Override
-  public boolean isAutoReconnect() {
-    return autoReconnect;
-  }
-
-  protected boolean verbose;
-
-  @Override
-  public boolean isVerbose() {
-    return verbose;
-  }
-
-  @Override
-  public void setVerbose(boolean verbose) {
-    this.verbose = verbose;
-  }
-
-  protected final Authenticator authenticator;
-
-  public Authenticator getAuthenticator() {
-    return authenticator;
-  }
-
-  protected PrintWriter socketWriter;
-  protected Scanner socketScanner;
-
-  protected final AtEvents.AtEventBus eventBus;
-
-  public AtConnectionBase(AtEvents.AtEventBus eventBus,
-                          String url,
-                          AtConnection.Authenticator authenticator,
-                          boolean autoReconnect,
-                          boolean verbose) {
-    this.eventBus = eventBus;
-    this.url = url;
-    this.host = url.split(":")[0];
-    this.port = Integer.parseInt(url.split(":")[1]);
-    this.autoReconnect = autoReconnect;
-    this.verbose = verbose;
-    this.authenticator = authenticator;
-  }
-
-  @Override
-  public synchronized void disconnect() {
-    if (!isConnected()) {
-      return;
-    }
-    connected = false;
-    try {
-      log.debug("disconnecting from {}:{}", host, port);
-      socket.close();
-      socketScanner.close();
-      socketWriter.close();
-      socket.shutdownInput();
-      socket.shutdownOutput();
-    } catch (Exception ignore) {
-    }
-  }
-
-  @Override
-  public synchronized void connect() throws IOException, AtException {
-    if (isConnected()) {
-      return;
-    }
-    SocketFactory sf = SSLSocketFactory.getDefault();
-    log.debug("connecting to {}:{}...", host, port);
-    this.socket = sf.createSocket(host, port);
-    this.socketWriter = new PrintWriter(socket.getOutputStream());
-    this.socketScanner = new Scanner(socket.getInputStream());
-    log.debug("connected to {}:{}", host, port);
-
-    if (authenticator != null) {
-      authenticator.authenticate(this);
-    }
-    connected = true;
-  }
-
-  protected abstract String parseRawResponse(String rawResponse) throws IOException;
-
-  @Override
-  public final synchronized String executeCommand(String command) throws IOException {
-    return executeCommand(command, autoReconnect, true);
-  }
-
-  protected synchronized String executeCommand(String command, boolean retryOnException, boolean readTheResponse)
-      throws IOException {
-    if (socket.isClosed()) {
-      throw new IOException("executeCommand failed: socket is closed");
-    }
-    try {
-      if (!command.endsWith("\n")) {
-        command = command + "\n";
-      }
-      socketWriter.write(command);
-      socketWriter.flush();
-
-      if (verbose) {
-        log.info("SENT: {}", command);
-      }
-
-      if (readTheResponse) {
-        // Responses are always terminated by newline
-        String rawResponse = socketScanner.nextLine();
-        if (verbose) {
-          log.info("RCVD: {}", rawResponse);
-        }
-
-        return parseRawResponse(rawResponse);
-      } else {
-        return "";
-      }
-    } catch (Exception first) {
-      disconnect();
-
-      if (retryOnException) {
-        log.error("Caught exception {} : reconnecting", first.toString());
-        try {
-          connect();
-          return executeCommand(command, false, true);
-        } catch (Exception second) {
-          log.error("failed on retry", second);
-          throw new IOException("Failed to reconnect after original exception " + first + " : ", second);
-        }
-      } else {
-        connected = false;
-
-        throw new IOException(first);
-      }
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtMonitorConnection.java b/at_client/src/main/java/org/atsign/client/api/impl/connections/AtMonitorConnection.java
deleted file mode 100644
index dc80d9a5..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtMonitorConnection.java
+++ /dev/null
@@ -1,258 +0,0 @@
-package org.atsign.client.api.impl.connections;
-
-import static org.atsign.client.api.AtEvents.AtEventBus;
-import static org.atsign.client.api.AtEvents.AtEventType;
-import static org.atsign.client.api.AtEvents.AtEventType.deleteNotification;
-import static org.atsign.client.api.AtEvents.AtEventType.monitorException;
-import static org.atsign.client.api.AtEvents.AtEventType.monitorHeartbeatAck;
-import static org.atsign.client.api.AtEvents.AtEventType.sharedKeyNotification;
-import static org.atsign.client.api.AtEvents.AtEventType.statsNotification;
-import static org.atsign.client.api.AtEvents.AtEventType.updateNotification;
-
-import java.util.HashMap;
-
-import lombok.extern.slf4j.Slf4j;
-import org.atsign.common.AtSign;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.atsign.common.Json;
-
-/**
- * A {@link AtMonitorConnection} represents a connection to an AtServer which,
- * when started will send the atprotocol monitor command and then processes
- * notifications and heartbeat messages until it is stopped. If the socket disconnects
- * then it will be automatically reconnected.
- */
-@Slf4j
-public class AtMonitorConnection extends AtSecondaryConnection implements Runnable {
-
-  private static final ObjectMapper mapper = Json.MAPPER;
-
-  private long _lastReceivedTime = 0;
-
-  public long getLastReceivedTime() {
-    return _lastReceivedTime;
-  }
-
-  public void setLastReceivedTime(long lastReceivedTime) {
-    this._lastReceivedTime = lastReceivedTime;
-  }
-
-  private boolean running = false;
-
-  public boolean isRunning() {
-    return running;
-  }
-
-  private boolean _shouldBeRunning = false;
-
-  private void setShouldBeRunning(boolean b) {
-    _shouldBeRunning = b;
-  }
-
-  public boolean isShouldBeRunning() {
-    return _shouldBeRunning;
-  }
-
-  public AtMonitorConnection(AtEventBus eventBus,
-                             AtSign atSign,
-                             String secondaryUrl,
-                             Authenticator authenticator,
-                             boolean verbose) {
-    // Note that the Monitor doesn't make use of the auto-reconnect functionality, it does its own thing
-    super(eventBus, atSign, secondaryUrl, authenticator, false, verbose);
-    startHeartbeat();
-  }
-
-  private long lastHeartbeatSentTime = System.currentTimeMillis();
-  private long lastHeartbeatAckTime = System.currentTimeMillis();
-  private final int heartbeatIntervalMillis = 30000;
-
-  private void startHeartbeat() {
-    new Thread(() -> {
-      while (true) {
-        if (isShouldBeRunning()) {
-          if (!isRunning() || lastHeartbeatSentTime - lastHeartbeatAckTime >= heartbeatIntervalMillis) {
-            try {
-              // heartbeats have stopped being acked
-              log.error("Monitor heartbeats not being received");
-              stopMonitor();
-              long waitStartTime = System.currentTimeMillis();
-              while (isRunning() && System.currentTimeMillis() - waitStartTime < 5000) {
-                // wait for monitor to stop
-                try {
-                  // noinspection BusyWait
-                  Thread.sleep(1000);
-                } catch (Exception ignore) {
-                }
-              }
-              if (isRunning()) {
-                log.error("Monitor thread has not stopped, but going to start another one anyway");
-              }
-              startMonitor();
-            } catch (Exception e) {
-              log.error("Monitor restart failed", e);
-            }
-          } else {
-            if (System.currentTimeMillis() - lastHeartbeatSentTime > heartbeatIntervalMillis) {
-              try {
-                executeCommand("noop:0", false, false);
-                lastHeartbeatSentTime = System.currentTimeMillis();
-              } catch (Exception ignore) {
-                // Can't do anything, the heartbeat loop will take care of restarting the monitor connection
-              }
-            }
-          }
-        }
-        try {
-          // noinspection BusyWait
-          Thread.sleep(heartbeatIntervalMillis / 5);
-        } catch (Exception ignore) {
-        }
-      }
-    }).start();
-  }
-
-  /**
-   * @return true if the monitor start request has succeeded, or if the monitor is already running.
-   */
-  @SuppressWarnings("UnusedReturnValue")
-  public synchronized boolean startMonitor() {
-    lastHeartbeatSentTime = lastHeartbeatAckTime = System.currentTimeMillis();
-
-    setShouldBeRunning(true);
-    if (!running) {
-      running = true;
-      if (!isConnected()) {
-        try {
-          connect();
-        } catch (Exception e) {
-          log.error("startMonitor failed to connect to secondary : {}", e.getMessage());
-          running = false;
-          return false;
-        }
-      }
-      new Thread(this).start();
-    }
-    return true;
-  }
-
-  public synchronized void stopMonitor() {
-    setShouldBeRunning(false);
-    lastHeartbeatSentTime = lastHeartbeatAckTime = System.currentTimeMillis();
-    disconnect();
-  }
-
-  /**
-   * Please don't call this directly. Call startMonitor() instead, which starts the monitor in its own
-   * thread
-   */
-  @SuppressWarnings("unchecked")
-  @Override
-  public void run() {
-    String what = "";
-    // call executeCommand("monitor:<time>")
-    //   while scanner.nextLine()
-    //     filter out the things that aren't interesting
-    //     and call the callback
-    //     and when there is an error
-    //     call connect() again
-    //      then call executeCommand("monitor:<time>")
-    //      and go back into the while loop
-    try {
-      String monitorCommand = "monitor:" + getLastReceivedTime();
-      what = "send monitor command " + monitorCommand;
-      executeCommand(monitorCommand, true, false);
-
-      while (isShouldBeRunning() && socketScanner.hasNextLine()) {
-        what = "read from connection";
-        String response = parseRawResponse(socketScanner.nextLine());
-        if (verbose) {
-          log.info("RCVD (MONITOR): {}", response);
-        }
-        AtEventType eventType;
-        HashMap<String, Object> eventData = new HashMap<>();
-        what = "parse monitor message";
-        try {
-          if (response.startsWith("data:ok")) {
-            eventType = monitorHeartbeatAck;
-            eventData.put("key", "__heartbeat__");
-            eventData.put("value", response.substring("data:".length()));
-            lastHeartbeatAckTime = System.currentTimeMillis();
-
-          } else if (response.startsWith("data:")) {
-            eventType = monitorException;
-            eventData.put("key", "__monitorException__");
-            eventData.put("value", response);
-            eventData.put("exception", "Unexpected 'data:' message from server");
-
-          } else if (response.startsWith("error:")) {
-            eventType = monitorException;
-            eventData.put("key", "__monitorException__");
-            eventData.put("value", response);
-            eventData.put("exception", "Unexpected 'error:' message from server");
-
-          } else if (response.startsWith("notification:")) {
-            // if id is -1 then it's a stats update
-            // if id is > 0 then it's a data notification:
-            //   operation will be either 'update' or 'delete'
-            //   key will be the key that has changed
-            //   value will be the value, if available, or null, if not (e.g. when ttr == 0, value is not available)
-            eventData = mapper.readValue(response.substring("notification:".length()), HashMap.class);
-            String id = (String) eventData.get("id");
-            String operation = (String) eventData.get("operation");
-            String key = (String) eventData.get("key");
-            setLastReceivedTime(eventData.containsKey("epochMillis")
-                ? (long) eventData.get("epochMillis")
-                : System.currentTimeMillis());
-
-            if ("-1".equals(id)) {
-              eventType = statsNotification;
-
-            } else if ("update".equals(operation)) {
-              if (key.startsWith(getAtSign() + ":shared_key@")) {
-                eventType = sharedKeyNotification;
-              } else {
-                eventType = updateNotification;
-              }
-
-            } else if ("delete".equals(operation)) {
-              eventType = deleteNotification;
-
-            } else {
-              eventType = monitorException;
-              eventData.put("key", "__monitorException__");
-              eventData.put("value", response);
-              eventData.put("exception", "Unknown notification operation '" + operation);
-            }
-          } else {
-            eventType = monitorException;
-            eventData.put("key", "__monitorException__");
-            eventData.put("value", response);
-            eventData.put("exception", "Malformed response from server");
-
-          }
-        } catch (Exception e) {
-          log.error("monitor exception : {}", e.toString());
-          eventType = monitorException;
-          eventData.put("key", "__monitorException__");
-          eventData.put("value", response);
-          eventData.put("exception", e.toString());
-        }
-        eventBus.publishEvent(eventType, eventData);
-      }
-      log.info("Monitor ending normally - shouldBeRunning is {}", isShouldBeRunning());
-    } catch (Exception e) {
-      if (!isShouldBeRunning()) {
-        log.info("shouldBeRunning is false, and monitor has stopped OK. Exception was : {}", e.getMessage());
-      } else {
-        log.error("Monitor failed to {}", what, e);
-        log.info("Monitor ending. Monitor heartbeat thread should restart the monitor shortly");
-        disconnect();
-      }
-    } finally {
-      running = false;
-      disconnect();
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtRootConnection.java b/at_client/src/main/java/org/atsign/client/api/impl/connections/AtRootConnection.java
deleted file mode 100644
index 538e2bc4..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtRootConnection.java
+++ /dev/null
@@ -1,80 +0,0 @@
-package org.atsign.client.api.impl.connections;
-
-import java.io.IOException;
-
-import org.atsign.client.api.AtEvents;
-import org.atsign.client.api.Secondary;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
-
-/**
- * A connection which understands how to talk with the root server.
- *
- * @see org.atsign.client.api.AtConnection
- */
-public class AtRootConnection extends AtConnectionBase implements Secondary.AddressFinder {
-
-  public AtRootConnection(String rootUrl) {
-    this(null, rootUrl);
-  }
-
-  public AtRootConnection(AtEvents.AtEventBus eventBus, String rootUrl) {
-    this(eventBus, rootUrl, true, false);
-  }
-
-  public AtRootConnection(AtEvents.AtEventBus eventBus, String rootUrl, boolean autoReconnect, boolean verbose) {
-    super(eventBus, rootUrl, null, autoReconnect, verbose);
-  }
-
-  @SuppressWarnings("RedundantThrows")
-  @Override
-  protected String parseRawResponse(String rawResponse) throws IOException {
-    // responses from root are either 'null' or <host:port>
-    if (rawResponse.startsWith("@")) {
-      rawResponse = rawResponse.substring(1);
-    }
-    return rawResponse;
-  }
-
-  /**
-   * Looks up the address of the secondary for a given atsign
-   *
-   * @param atSign the AtSign being looked up
-   * @return A {@link Secondary.Address}
-   * @throws IOException if connection to root server is unavailable, encounters an error, or response
-   *         is malformed
-   * @throws AtSecondaryNotFoundException if the root server returns the string 'null' as the lookup
-   *         response, which means that the atsign is not known to the root server
-   */
-  @Override
-  public Secondary.Address findSecondary(AtSign atSign) throws IOException, AtSecondaryNotFoundException {
-    if (!isConnected()) {
-      try {
-        connect();
-      } catch (AtException e) {
-        // connect will only throw an AtException if authentication fails. Root connections do not require authentication.
-        throw new IOException(e);
-      }
-    }
-    String response = executeCommand(atSign.withoutPrefix());
-
-    if ("null".equals(response)) {
-      throw new AtSecondaryNotFoundException("Root lookup returned null for " + atSign);
-    } else {
-      try {
-        return Secondary.Address.fromString(response);
-      } catch (IllegalArgumentException e) {
-        throw new IOException(
-            "Received malformed response " + response + " from lookup of " + atSign + " on root server");
-      }
-    }
-  }
-
-  /**
-   * Wrapper for {@link #findSecondary(AtSign)}
-   */
-  public String lookupAtSign(AtSign atSign) throws IOException, AtSecondaryNotFoundException {
-    return this.findSecondary(atSign).toString();
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtSecondaryConnection.java b/at_client/src/main/java/org/atsign/client/api/impl/connections/AtSecondaryConnection.java
deleted file mode 100644
index bfdd05d3..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/connections/AtSecondaryConnection.java
+++ /dev/null
@@ -1,66 +0,0 @@
-package org.atsign.client.api.impl.connections;
-
-import java.io.Closeable;
-import java.io.IOException;
-
-import org.atsign.client.api.AtConnection;
-import org.atsign.client.api.AtEvents;
-import org.atsign.client.api.Secondary;
-import org.atsign.common.AtSign;
-
-/**
- * A connection which understands how to talk with the secondary server.
- *
- * @see org.atsign.client.api.AtConnection
- */
-public class AtSecondaryConnection extends AtConnectionBase implements Closeable {
-  private final AtSign atSign;
-
-  public AtSign getAtSign() {
-    return atSign;
-  }
-
-  public AtSecondaryConnection(AtEvents.AtEventBus eventBus, AtSign atSign, Secondary.Address secondaryAddress,
-                               AtConnection.Authenticator authenticator, boolean autoReconnect, boolean verbose) {
-    super(eventBus, secondaryAddress.toString(), authenticator, autoReconnect, verbose);
-    this.atSign = atSign;
-  }
-
-  public AtSecondaryConnection(AtEvents.AtEventBus eventBus, AtSign atSign, String secondaryUrl,
-                               AtConnection.Authenticator authenticator, boolean autoReconnect, boolean verbose) {
-    this(eventBus, atSign, Secondary.Address.fromString(secondaryUrl), authenticator, autoReconnect, verbose);
-  }
-
-  @Override
-  protected String parseRawResponse(String rawResponse) throws IOException {
-    // Response can look like this:
-    // @ prompt - or @<atSign>@ if connection has been authenticated
-    // then either
-    //   data:<stuff>
-    //   error:<stuff>
-    //   data:ok (for no-op requests)
-    //   notification:<json> for notifications
-    //
-    // So:
-    //   Find the first colon (exception if none)
-    //   In what's before the colon
-    //     Strip out the @alice@ or the single @
-    int dataPos = rawResponse.indexOf("data:");
-    int errorPos = rawResponse.indexOf("error:");
-    int notificationPos = rawResponse.indexOf("notification:");
-    if (dataPos >= 0) {
-      return rawResponse.substring(dataPos);
-    } else if (errorPos >= 0) {
-      return rawResponse.substring(errorPos);
-    } else if (notificationPos >= 0) {
-      return rawResponse.substring(notificationPos);
-    } else {
-      throw new IOException("Invalid response from server: " + rawResponse);
-    }
-  }
-
-  @Override
-  public void close() throws IOException {
-    disconnect();
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/connections/DefaultAtConnectionFactory.java b/at_client/src/main/java/org/atsign/client/api/impl/connections/DefaultAtConnectionFactory.java
deleted file mode 100644
index 80736fad..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/connections/DefaultAtConnectionFactory.java
+++ /dev/null
@@ -1,49 +0,0 @@
-package org.atsign.client.api.impl.connections;
-
-import org.atsign.client.api.AtConnection;
-import org.atsign.client.api.AtConnectionFactory;
-import org.atsign.client.api.AtEvents;
-import org.atsign.client.api.Secondary;
-import org.atsign.common.AtSign;
-
-/**
- * Standard implementation of {@link AtConnectionFactory} for creating {@link AtSecondaryConnection}
- * and {@link AtRootConnection} instances.
- */
-public class DefaultAtConnectionFactory implements AtConnectionFactory {
-  @Override
-  public AtSecondaryConnection getSecondaryConnection(AtEvents.AtEventBus eventBus,
-                                                      AtSign atSign,
-                                                      Secondary.Address secondaryAddress,
-                                                      AtConnection.Authenticator authenticator) {
-    return new AtSecondaryConnection(eventBus, atSign, secondaryAddress, authenticator, true, false);
-  }
-
-  @Override
-  public AtSecondaryConnection getSecondaryConnection(AtEvents.AtEventBus eventBus,
-                                                      AtSign atSign,
-                                                      Secondary.Address secondaryAddress,
-                                                      AtConnection.Authenticator authenticator,
-                                                      boolean verbose) {
-    return new AtSecondaryConnection(eventBus, atSign, secondaryAddress, authenticator, true, verbose);
-  }
-
-  @Override
-  public AtSecondaryConnection getSecondaryConnection(AtEvents.AtEventBus eventBus,
-                                                      AtSign atSign,
-                                                      String secondaryUrl,
-                                                      AtConnection.Authenticator authenticator,
-                                                      boolean verbose) {
-    return new AtSecondaryConnection(eventBus, atSign, secondaryUrl, authenticator, true, verbose);
-  }
-
-  @Override
-  public AtRootConnection getRootConnection(AtEvents.AtEventBus eventBus, String rootUrl) {
-    return new AtRootConnection(eventBus, rootUrl, true, false);
-  }
-
-  @Override
-  public AtRootConnection getRootConnection(AtEvents.AtEventBus eventBus, String rootUrl, boolean verbose) {
-    return new AtRootConnection(eventBus, rootUrl, true, verbose);
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java b/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java
deleted file mode 100644
index a9bb108e..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/secondaries/RemoteSecondary.java
+++ /dev/null
@@ -1,197 +0,0 @@
-package org.atsign.client.api.impl.secondaries;
-
-import static org.atsign.client.api.AtEvents.AtEventBus;
-import static org.atsign.client.api.AtEvents.AtEventType;
-
-import java.io.IOException;
-import java.util.Map;
-
-import lombok.extern.slf4j.Slf4j;
-import org.atsign.client.api.AtConnectionFactory;
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.Secondary;
-import org.atsign.client.api.impl.connections.AtMonitorConnection;
-import org.atsign.client.api.impl.connections.AtSecondaryConnection;
-import org.atsign.client.util.AuthUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtIllegalArgumentException;
-import org.atsign.common.exceptions.AtInvalidAtKeyException;
-import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
-import org.atsign.common.exceptions.AtUnknownResponseException;
-
-/**
- * Implementation of {@link Secondary} wraps an {@link AtSecondaryConnection} and
- * an {@link AtMonitorConnection}.
- */
-@Slf4j
-public class RemoteSecondary implements Secondary {
-
-  private final AtConnectionFactory connectionFactory;
-  private final AtEventBus eventBus;
-
-  @SuppressWarnings("unused")
-  public AtConnectionFactory getConnectionFactory() {
-    return connectionFactory;
-  }
-
-  private final AtSecondaryConnection connection;
-
-  @SuppressWarnings("unused")
-  public AtSecondaryConnection getConnection() {
-    return connection;
-  }
-
-  private volatile AtMonitorConnection monitorConnection;
-
-  @SuppressWarnings("unused")
-  public AtMonitorConnection getMonitorConnection() {
-    return monitorConnection;
-  }
-
-  private final AtSign atSign;
-
-  public AtSign getAtSign() {
-    return atSign;
-  }
-
-  private final Secondary.Address secondaryAddress;
-
-  @SuppressWarnings("unused")
-  public Secondary.Address getSecondaryAddress() {
-    return secondaryAddress;
-  }
-
-  @SuppressWarnings("unused")
-  public String getSecondaryUrl() {
-    return secondaryAddress.toString();
-  }
-
-  private boolean verbose;
-
-  @SuppressWarnings("unused")
-  public boolean isVerbose() {
-    return verbose;
-  }
-
-  @SuppressWarnings("unused")
-  public void setVerbose(boolean b) {
-    verbose = b;
-    this.connection.setVerbose(b);
-    this.monitorConnection.setVerbose(b);
-  }
-
-  @SuppressWarnings("unused")
-  public RemoteSecondary(AtEventBus eventBus, AtSign atSign, Secondary.Address secondaryAddress,
-                         AtKeys keys, AtConnectionFactory connectionFactory)
-      throws IOException, AtException {
-    this(eventBus, atSign, secondaryAddress, keys, connectionFactory, false);
-  }
-
-  public RemoteSecondary(AtEventBus eventBus, AtSign atSign, Secondary.Address secondaryAddress,
-                         AtKeys keys, AtConnectionFactory connectionFactory,
-                         boolean verbose)
-      throws IOException, AtException {
-    this.eventBus = eventBus;
-    this.atSign = atSign;
-    this.secondaryAddress = secondaryAddress;
-    this.connectionFactory = connectionFactory;
-    this.verbose = verbose;
-
-    this.connection = connectionFactory.getSecondaryConnection(
-                                                               this.eventBus,
-                                                               this.atSign,
-                                                               this.secondaryAddress,
-                                                               connection -> new AuthUtil()
-                                                                   .authenticateWithPkam(connection, atSign, keys),
-                                                               verbose);
-    connection.connect();
-  }
-
-  @Override
-  public Response executeCommand(String command, boolean throwExceptionOnErrorResponse)
-      throws IOException, AtException {
-    Response response = new Response();
-    String rawResponse = connection.executeCommand(command);
-
-    if (rawResponse.startsWith("data:")) {
-      response.setRawDataResponse(rawResponse.substring("data:".length()));
-    } else if (rawResponse.startsWith("error:")) {
-      response.setRawErrorResponse(rawResponse.substring("error:".length()));
-      AtException theServerException = response.getException();
-
-      if (theServerException instanceof AtInvalidSyntaxException
-          || theServerException instanceof AtIllegalArgumentException
-          || theServerException instanceof AtInvalidAtKeyException) {
-        // Secondaries used to close connections for these exceptions so let's disconnect and reconnect
-        connection.disconnect();
-        connection.connect();
-      }
-
-      if (throwExceptionOnErrorResponse) {
-        throw theServerException;
-      }
-    } else {
-      throw new AtUnknownResponseException("Unknown response " + rawResponse + " from command " + command);
-    }
-    return response;
-  }
-
-  @Override
-  public void startMonitor() {
-    ensureMonitorRunning();
-  }
-
-  @Override
-  public void stopMonitor() {
-    ensureMonitorNotRunning();
-  }
-
-  @Override
-  public boolean isMonitorRunning() {
-    return monitorConnection != null && monitorConnection.isRunning();
-  }
-
-  @Override
-  public synchronized void handleEvent(AtEventType eventType, Map<String, Object> eventData) {
-    //        if (eventType == )
-  }
-
-  @Override
-  public void close() throws IOException {
-    ensureMonitorNotRunning();
-    connection.close();
-  }
-
-  private void ensureMonitorRunning() {
-    String what = "";
-    try {
-      if (monitorConnection == null) {
-        what = "construct an AtMonitorConnection";
-        monitorConnection = new AtMonitorConnection(eventBus, atSign, secondaryAddress.toString(),
-            connection.getAuthenticator(), verbose);
-      }
-      if (!monitorConnection.isRunning()) {
-        what = "call monitorConnection.startMonitor()";
-        monitorConnection.startMonitor();
-      }
-    } catch (Exception e) {
-      log.error("SEVERE: failed to {}", what, e);
-    }
-  }
-
-  private void ensureMonitorNotRunning() {
-    String what = "";
-    try {
-      if (monitorConnection == null) {
-        return;
-      }
-      if (monitorConnection.isRunning()) {
-        what = "call monitorConnection.stopMonitor()";
-        monitorConnection.stopMonitor();
-      }
-    } catch (Exception e) {
-      log.error("SEVERE: failed to {}", what, e);
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/cli/Delete.java b/at_client/src/main/java/org/atsign/client/cli/Delete.java
index c52372ab..454089f2 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Delete.java
+++ b/at_client/src/main/java/org/atsign/client/cli/Delete.java
@@ -2,12 +2,15 @@
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 
 import lombok.extern.slf4j.Slf4j;
 
+import static org.atsign.common.AtSign.createAtSign;
+
 /**
  * A command-line interface half-example half-utility to delete something that was previously shared
  */
@@ -23,14 +26,14 @@ public static void main(String[] args) throws Exception {
     }
 
     String rootUrl = args[0];
-    AtSign atSign = new AtSign(args[1]);
-    AtSign otherAtSign = new AtSign(args[2]);
+    AtSign atSign = createAtSign(args[1]);
+    AtSign otherAtSign = createAtSign(args[2]);
     String keyName = args[3];
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
     AtKeys keys = KeysUtil.loadKeys(atSign);
 
-    try (AtClient atClient = AtClient.withRemoteSecondary(rootUrl, atSign, keys, true)) {
+    try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
 
       Keys.SharedKey key = Keys.sharedKeyBuilder()
           .sharedBy(atSign)
@@ -38,9 +41,7 @@ public static void main(String[] args) throws Exception {
           .name(keyName)
           .build();
 
-      String response = atClient.delete(key).get();
-
-      log.info("delete response : {}", response);
+      atClient.delete(key).get();
     }
   }
 }
diff --git a/at_client/src/main/java/org/atsign/client/cli/Get.java b/at_client/src/main/java/org/atsign/client/cli/Get.java
index afc23334..fcc4333c 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Get.java
+++ b/at_client/src/main/java/org/atsign/client/cli/Get.java
@@ -2,12 +2,15 @@
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 
 import lombok.extern.slf4j.Slf4j;
 
+import static org.atsign.common.AtSign.createAtSign;
+
 /**
  * A command-line interface half-example half-utility to get something that was shared by another
  * atSign
@@ -23,14 +26,14 @@ public static void main(String[] args) throws Exception {
     }
 
     String rootUrl = args[0];
-    AtSign atSign = new AtSign(args[1]);
-    AtSign otherAtSign = new AtSign(args[2]);
+    AtSign atSign = createAtSign(args[1]);
+    AtSign otherAtSign = createAtSign(args[2]);
     String keyName = args[3];
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
     AtKeys keys = KeysUtil.loadKeys(atSign);
 
-    try (AtClient atClient = AtClient.withRemoteSecondary(rootUrl, atSign, keys, true)) {
+    try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
 
       Keys.SharedKey key = Keys.sharedKeyBuilder()
           .sharedBy(otherAtSign)
diff --git a/at_client/src/main/java/org/atsign/client/cli/Scan.java b/at_client/src/main/java/org/atsign/client/cli/Scan.java
index 74ec7013..e9d92f7c 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Scan.java
+++ b/at_client/src/main/java/org/atsign/client/cli/Scan.java
@@ -6,6 +6,7 @@
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.client.util.StringUtil;
 import org.atsign.common.AtSign;
@@ -14,6 +15,8 @@
 
 import lombok.extern.slf4j.Slf4j;
 
+import static org.atsign.common.AtSign.createAtSign;
+
 /**
  * A command-line interface for scanning keys in your secondary (must have keys to atSign in keys/)
  */
@@ -27,13 +30,13 @@ public static void main(String[] args) throws Exception {
     }
 
     String rootUrl = args[0];
-    AtSign atSign = new AtSign(args[1]);
+    AtSign atSign = createAtSign(args[1]);
     String regex = args[2];
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
     AtKeys keys = KeysUtil.loadKeys(atSign);
 
-    try (AtClient atClient = AtClient.withRemoteSecondary(rootUrl, atSign, keys, true)) {
+    try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
 
       List<AtKey> response = atClient.getAtKeys(regex).get();
 
diff --git a/at_client/src/main/java/org/atsign/client/cli/Share.java b/at_client/src/main/java/org/atsign/client/cli/Share.java
index f0866d23..7221c691 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Share.java
+++ b/at_client/src/main/java/org/atsign/client/cli/Share.java
@@ -1,7 +1,10 @@
 package org.atsign.client.cli;
 
+import static org.atsign.common.AtSign.createAtSign;
+
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
@@ -22,8 +25,8 @@ public static void main(String[] args) throws Exception {
     }
 
     String rootUrl = args[0];
-    AtSign atSign = new AtSign(args[1]);
-    AtSign otherAtSign = new AtSign(args[2]);
+    AtSign atSign = createAtSign(args[1]);
+    AtSign otherAtSign = createAtSign(args[2]);
     String keyName = args[3];
     String toShare = args[4];
     int ttr = args.length == 6 ? Integer.parseInt(args[5]) : 0;
@@ -31,7 +34,7 @@ public static void main(String[] args) throws Exception {
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
     AtKeys keys = KeysUtil.loadKeys(atSign);
 
-    try (AtClient atClient = AtClient.withRemoteSecondary(rootUrl, atSign, keys, true)) {
+    try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
       Keys.SharedKey key = Keys.sharedKeyBuilder()
           .sharedBy(atSign)
           .sharedWith(otherAtSign)
@@ -40,9 +43,7 @@ public static void main(String[] args) throws Exception {
           .ttr((long) ttr)
           .build();
 
-      String response = atClient.put(key, toShare).get();
-
-      log.info("put response : {}", response);
+      atClient.put(key, toShare).get();
     }
   }
 
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
index 3b015ac6..ae962110 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
+++ b/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
@@ -29,15 +29,15 @@ public class Enroll {
   /**
    * Performs the onboarding workflow which sets up the manage keys for an atserver.
    *
-   * @param connection A connection to an atserver command interface
-   * @param atSign The AtSign that corresponds to the connection
-   * @param keys The {@link AtKeys}
-   * @param cramSecret
-   * @param appName
-   * @param deviceName
-   * @param deleteCramKey
+   * @param connection A connection to an atserver command interface.
+   * @param atSign The AtSign that corresponds to the connection.
+   * @param keys The {@link AtKeys} for the {@link AtSign}.
+   * @param cramSecret The CRAM secret.
+   * @param appName The app name for this first enrollment.
+   * @param deviceName The device name for this first enrollment.
+   * @param deleteCramKey Whether the CRAM key should be removed from the AtServer.
    * @return a new {@link AtKeys} instance that has the enrollment id set
-   * @throws AtException
+   * @throws AtException If the enrollment fails.
    */
   public static AtKeys onboard(AtClientConnection connection,
                                AtSign atSign,
diff --git a/at_client/src/main/java/org/atsign/client/util/ArgsUtil.java b/at_client/src/main/java/org/atsign/client/util/ArgsUtil.java
deleted file mode 100644
index b7bdb249..00000000
--- a/at_client/src/main/java/org/atsign/client/util/ArgsUtil.java
+++ /dev/null
@@ -1,27 +0,0 @@
-package org.atsign.client.util;
-
-import org.atsign.client.api.Secondary;
-import org.atsign.client.api.impl.connections.AtRootConnection;
-
-/**
- * Utility class which contains a method for creating an
- * {@link org.atsign.client.api.Secondary.AddressFinder}
- */
-public class ArgsUtil {
-  public static Secondary.AddressFinder createAddressFinder(String rootUrl) {
-    Secondary.AddressFinder addressFinder;
-    if (rootUrl.startsWith("proxy:")) {
-      String[] proxyParts = rootUrl.split(":");
-      if (proxyParts.length != 3) {
-        System.err.println("When supplying a proxy url, it needs to be in format proxy:<host>:<port>");
-        System.exit(1);
-      }
-      String proxyHost = proxyParts[1];
-      int proxyPort = Integer.parseInt(proxyParts[2]);
-      addressFinder = atSign -> new Secondary.Address(proxyHost, proxyPort);
-    } else {
-      addressFinder = new AtRootConnection(rootUrl);
-    }
-    return addressFinder;
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/util/AtClientValidation.java b/at_client/src/main/java/org/atsign/client/util/AtClientValidation.java
deleted file mode 100644
index 88f98ce7..00000000
--- a/at_client/src/main/java/org/atsign/client/util/AtClientValidation.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.atsign.client.util;
-
-import java.io.IOException;
-
-import org.atsign.client.api.Secondary;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtIllegalArgumentException;
-import org.atsign.common.exceptions.AtSecondaryConnectException;
-
-/**
- * Utility class with key string validation methods
- */
-public class AtClientValidation {
-
-  /**
-   * Checks if an atSign exists on a root server
-   *
-   * @param atSign atSign object to check for existence
-   * @param rootUrl rootUrl of the root server for atSign existence
-   * @throws AtException if atSign does not exist/address could not be found, if atSign object is
-   *         empty,
-   */
-  public static void atSignExists(AtSign atSign, String rootUrl) throws AtException {
-    if (atSign == null || atSign.toString().isEmpty()) {
-      throw new AtIllegalArgumentException("atSign cannot be null or empty");
-    }
-    if (rootUrl == null || rootUrl.isEmpty()) {
-      throw new AtIllegalArgumentException("rootUrl cannot be null or empty");
-    }
-    Secondary.AddressFinder finder = ArgsUtil.createAddressFinder(rootUrl);
-    try {
-      finder.findSecondary(atSign);
-    } catch (IOException e) {
-      throw new AtSecondaryConnectException("Exception while trying to find secondary of atSign: " + atSign, e);
-    }
-  }
-
-}
diff --git a/at_client/src/main/java/org/atsign/client/util/AuthUtil.java b/at_client/src/main/java/org/atsign/client/util/AuthUtil.java
deleted file mode 100644
index 166ed6ed..00000000
--- a/at_client/src/main/java/org/atsign/client/util/AuthUtil.java
+++ /dev/null
@@ -1,128 +0,0 @@
-package org.atsign.client.util;
-
-import static org.atsign.common.VerbBuilders.*;
-
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-
-import org.atsign.client.api.AtConnection;
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.connections.AtSecondaryConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtClientConfigException;
-import org.atsign.common.exceptions.AtEncryptionException;
-import org.atsign.common.exceptions.AtUnauthenticatedException;
-
-/**
- * Encapsulates Atsign Platform authentication command response workflows.
- */
-@Deprecated
-public class AuthUtil {
-
-  /**
-   * Sends a from command followed by cram command.
-   *
-   * @param connection connection to an AtServer
-   * @param atSign the AtSign to authenticate
-   * @param cramSecret the secret with which to respond to the authentication challenge
-   * @throws AtException If the authentication fails
-   * @throws IOException Delegated from AtServer
-   */
-  public void authenticateWithCram(AtSecondaryConnection connection, AtSign atSign, String cramSecret)
-      throws AtException, IOException {
-    String fromResponse = connection.executeCommand(fromCommandBuilder().atSign(atSign).build());
-    if (!fromResponse.startsWith("data:")) {
-      throw new AtUnauthenticatedException("Invalid response to 'from': " + fromResponse);
-    }
-
-    String challenge = fromResponse.replaceFirst("data:", "");
-    String cramDigest;
-    try {
-      cramDigest = _getCramDigest(cramSecret, challenge);
-    } catch (NoSuchAlgorithmException e) {
-      throw new AtEncryptionException("Failed to generate cramDigest", e);
-    }
-
-    String cramResponse = connection.executeCommand(cramCommandBuilder().digest(cramDigest).build());
-    if (!cramResponse.startsWith("data:success")) {
-      throw new AtUnauthenticatedException("CRAM command failed: " + cramResponse);
-    }
-  }
-
-  /**
-   * Sends a from command followed by a pkam command.
-   *
-   * @param connection connection to an AtServer
-   * @param atSign the AtSign to authenticate
-   * @param keys AtKeys which contains the PKAM private key and associated {@link EnrollmentId}
-   * @throws AtException If the authentication fails
-   * @throws IOException Delegated from AtServer
-   */
-  public void authenticateWithPkam(AtConnection connection, AtSign atSign, AtKeys keys)
-      throws AtException, IOException {
-    if (!keys.hasPkamKey()) {
-      throw new AtClientConfigException("Cannot authenticate with PKAM: Keys file does not contain PKAM keys");
-    }
-
-    String fromResponse = connection.executeCommand(fromCommandBuilder().atSign(atSign).build());
-
-    String dataPrefix = "data:";
-    if (!fromResponse.startsWith(dataPrefix)) {
-      throw new AtUnauthenticatedException("Invalid response to 'from' command: " + fromResponse);
-    }
-    fromResponse = fromResponse.substring(dataPrefix.length());
-
-    PrivateKey privateKey;
-    try {
-      privateKey = EncryptionUtil._privateKeyFromBase64(keys.getApkamPrivateKey());
-    } catch (Exception e) {
-      throw new AtClientConfigException("Failed to get private key from stored string");
-    }
-
-    String signature;
-    try {
-      signature = EncryptionUtil._signSHA256RSA(fromResponse, privateKey);
-    } catch (Exception e) {
-      throw new AtEncryptionException("Failed to create SHA256 signature");
-    }
-
-    PkamCommandBuilder builder = pkamCommandBuilder();
-    if (keys.hasEnrollmentId()) {
-      builder.signingAlgo(EncryptionUtil.SIGNING_ALGO_RSA);
-      builder.hashingAlgo(EncryptionUtil.HASHING_ALGO_SHA256);
-      builder.enrollmentId(keys.getEnrollmentId());
-    }
-    builder.digest(signature);
-
-    String pkamResponse = connection.executeCommand(builder.build());
-
-    if (!pkamResponse.startsWith("data:success")) {
-      throw new AtUnauthenticatedException("PKAM command failed: " + pkamResponse);
-    }
-  }
-
-  private String _getCramDigest(String cramSecret, String challenge) throws NoSuchAlgorithmException {
-    String digestInput = cramSecret + challenge;
-
-    byte[] digestInputBytes = digestInput.getBytes(StandardCharsets.UTF_8);
-    byte[] digest = MessageDigest.getInstance("SHA-512").digest(digestInputBytes);
-
-    return bytesToHex(digest);
-  }
-
-  private static final char[] HEX_ARRAY = "0123456789abcdef".toCharArray();
-
-  public static String bytesToHex(byte[] bytes) {
-    char[] hexChars = new char[bytes.length * 2];
-    for (int j = 0; j < bytes.length; j++) {
-      int v = bytes[j] & 0xFF;
-      hexChars[j * 2] = HEX_ARRAY[v >>> 4];
-      hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
-    }
-    return new String(hexChars);
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/common/ResponseTransformers.java b/at_client/src/main/java/org/atsign/common/ResponseTransformers.java
deleted file mode 100644
index c546c085..00000000
--- a/at_client/src/main/java/org/atsign/common/ResponseTransformers.java
+++ /dev/null
@@ -1,73 +0,0 @@
-package org.atsign.common;
-
-import java.util.List;
-import java.util.function.Function;
-import java.util.function.Predicate;
-import java.util.stream.Collectors;
-
-import lombok.extern.slf4j.Slf4j;
-import org.atsign.client.api.Secondary.Response;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-/**
- * Parent class for transformers used to convert {@link Response} into fully decoded class instances
- */
-@Slf4j
-public class ResponseTransformers {
-
-  static final ObjectMapper mapper = Json.MAPPER;
-
-  /**
-   * Transformer for scan command responses
-   */
-  public static class ScanResponseTransformer implements Function<Response, List<String>> {
-
-    private final Predicate<String> filter;
-
-    public ScanResponseTransformer(Predicate<String> filter) {
-      this.filter = filter;
-    }
-
-    public ScanResponseTransformer() {
-      this(k -> true);
-    }
-
-    @Override
-    public List<String> apply(Response value) {
-
-      if (value.getRawDataResponse() == null || value.getRawDataResponse().isEmpty()) {
-        return null;
-      }
-
-      try {
-        List<String> keys = mapper.readerForListOf(String.class).readValue(value.getRawDataResponse());
-        return keys.stream().filter(filter).collect(Collectors.toList());
-      } catch (Exception e) {
-        log.error("unexpected exception", e);
-        return null;
-      }
-    }
-
-  }
-
-  /**
-   * Transformer for notify command responses
-   */
-  public static class NotifyResponseTransformer implements Function<Response, String> {
-    @Override
-    public String apply(Response value) {
-      throw new UnsupportedOperationException();
-    }
-  }
-
-  /**
-   * Transformer for notify (status) command responses
-   */
-  public static class NotificationStatusResponseTransformer implements Function<Response, NotificationStatus> {
-    @Override
-    public NotificationStatus apply(Response value) {
-      throw new UnsupportedOperationException();
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java b/at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java
index 4f34df3c..f9ee5fbf 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java
+++ b/at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java
@@ -3,7 +3,7 @@
 import org.atsign.common.AtException;
 
 /**
- * Occurs if response from {@link org.atsign.client.api.Secondary} cannot be decoded
+ * Occurs if response cannot be decoded
  */
 public class AtResponseHandlingException extends AtException {
 
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java b/at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java
index 903438cc..9c7e6593 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java
+++ b/at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java
@@ -3,7 +3,7 @@
 import org.atsign.common.AtException;
 
 /**
- * Occurs when {@link org.atsign.client.api.Secondary} has been paused
+ * Occurs when the AtServer has been paused
  */
 public class AtServerIsPausedException extends AtException {
 
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java b/at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java
index 9de86de1..a06f842d 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java
+++ b/at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java
@@ -3,8 +3,7 @@
 import org.atsign.common.AtException;
 
 /**
- * Occurs if response from {@link org.atsign.client.api.Secondary} does not have a recognized
- * structure
+ * Occurs if response does not have a recognized structure
  */
 public class AtUnknownResponseException extends AtException {
   public AtUnknownResponseException(String message) {
diff --git a/at_client/src/test/java/org/atsign/client/api/SecondaryTest.java b/at_client/src/test/java/org/atsign/client/api/SecondaryTest.java
deleted file mode 100644
index fdce2690..00000000
--- a/at_client/src/test/java/org/atsign/client/api/SecondaryTest.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package org.atsign.client.api;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
-
-import org.junit.jupiter.api.Test;
-
-class SecondaryTest {
-
-  @Test
-  public void testSetRawErrorResponseCorrectlyParsesCodeAndMessage() {
-    Secondary.Response response = new Secondary.Response();
-    response.setRawErrorResponse("AT0001-meaning of error code : any other text");
-
-    assertThat(response.isError(), is(true));
-    assertThat(response.getErrorCode(), equalTo("AT0001"));
-    assertThat(response.getErrorText(), equalTo("any other text"));
-  }
-}
diff --git a/at_client/src/test/java/org/atsign/common/AtClientValidationIT.java b/at_client/src/test/java/org/atsign/common/AtClientValidationIT.java
deleted file mode 100644
index fdd270fd..00000000
--- a/at_client/src/test/java/org/atsign/common/AtClientValidationIT.java
+++ /dev/null
@@ -1,54 +0,0 @@
-package org.atsign.common;
-
-import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import org.atsign.client.util.AtClientValidation;
-import org.atsign.common.exceptions.AtSecondaryConnectException;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
-import org.atsign.cucumber.helpers.Helpers;
-import org.atsign.virtualenv.VirtualEnv;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-
-public class AtClientValidationIT {
-
-  private static final String VE_ROOT_URL = "vip.ve.atsign.zone:64"; // prod rootUrl
-
-  @BeforeAll
-  public static void classSetup() {
-    if (!Helpers.isHostPortReachable(VE_ROOT_URL, SECONDS.toMillis(2))) {
-      VirtualEnv.setUp();
-    }
-  }
-
-  // atSign exists (uses secondaryaddress.finder)
-  @Test
-  public void atSignExistsTest() {
-
-    // null atSign
-    assertThrows(AtException.class, () -> {
-      AtSign atSign = null;
-      AtClientValidation.atSignExists(atSign, VE_ROOT_URL);
-    });
-
-    // empty atSign
-    assertThrows(AtSecondaryNotFoundException.class, () -> {
-      AtSign atSign = new AtSign("");
-      AtClientValidation.atSignExists(atSign, VE_ROOT_URL);
-    });
-
-    // root does not contain atSign
-    assertThrows(AtSecondaryNotFoundException.class, () -> {
-      AtSign atSign = new AtSign("someAtSignThatDNE456");
-      AtClientValidation.atSignExists(atSign, VE_ROOT_URL);
-    });
-
-    // invalid root
-    assertThrows(AtSecondaryConnectException.class, () -> {
-      AtSign atSign = new AtSign("smoothalligator");
-      AtClientValidation.atSignExists(atSign, "invalidroot:32123");
-    });
-
-  }
-}
diff --git a/at_client/src/test/java/org/atsign/common/FromStringTest.java b/at_client/src/test/java/org/atsign/common/FromStringTest.java
index e2dc639e..1ff4bc22 100644
--- a/at_client/src/test/java/org/atsign/common/FromStringTest.java
+++ b/at_client/src/test/java/org/atsign/common/FromStringTest.java
@@ -1,14 +1,11 @@
 package org.atsign.common;
 
-import org.atsign.client.api.Secondary;
-import org.atsign.common.Keys.AtKey;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import org.junit.jupiter.api.Test;
-
 import static org.atsign.common.AtSign.createAtSign;
 import static org.junit.jupiter.api.Assertions.*;
 
+import org.atsign.common.Keys.AtKey;
+import org.junit.jupiter.api.Test;
+
 public class FromStringTest {
 
 
@@ -26,16 +23,15 @@ public void fromStringTest0() throws AtException {
   }
 
   @Test
-  public void fromStringTest1() throws AtException, JsonProcessingException {
+  public void fromStringTest1() throws Exception {
     String KEY_NAME_STR = "public:publickey@bob";
 
-    Secondary.Response response = new Secondary.Response();
-    response.setRawDataResponse("{\"createdBy\":null,\"updatedBy\":null,"
+    String response = "{\"createdBy\":null,\"updatedBy\":null,"
         + "\"createdAt\":\"2022-07-13 21:54:28.519Z\",\"updatedAt\":\"2022-07-13 21:54:28.519Z\","
         + "\"availableAt\":\"2022-07-13 21:54:28.519Z\",\"expiresAt\":null,"
         + "\"refreshAt\":null,\"status\":\"active\",\"version\":0," + "\"ttl\":0,\"ttb\":0,\"ttr\":null,\"ccd\":null,"
         + "\"isBinary\":false,\"isEncrypted\":false,"
-        + "\"dataSignature\":null,\"sharedKeyEnc\":null,\"pubKeyCS\":null}");
+        + "\"dataSignature\":null,\"sharedKeyEnc\":null,\"pubKeyCS\":null}";
 
     AtKey atKey = fromString(KEY_NAME_STR, response);
 
@@ -61,7 +57,7 @@ public void fromStringTest1() throws AtException, JsonProcessingException {
   }
 
   @Test
-  public void fromStringTest2() throws AtException, JsonProcessingException {
+  public void fromStringTest2() throws Exception {
     String KEY_NAME_STR = "test@bob";
 
     @SuppressWarnings("SpellCheckingInspection")
@@ -72,10 +68,7 @@ public void fromStringTest2() throws AtException, JsonProcessingException {
         + "\"dataSignature\":\"oIq0kHvwQieVrhOs4dJLN61qNP73bNLLNPTRW7tAdapIZF3kSMrNVCcTAWWWyzb2Tyii51uZ7zlIYmHWuS4tIE0lMzrUeXGcfQhOrdjkrxf4qEceNR1qLa7tDjOAb8xuhf/zJ3yaen8NGswfKWwQluga/52SchFClrR99xEI93s=\","
         + "\"sharedKeyEnc\":null,\"pubKeyCS\":null}";
 
-    Secondary.Response response = new Secondary.Response();
-    response.setRawDataResponse(LLOOKUP_META_STR);
-
-    AtKey atKey = fromString(KEY_NAME_STR, response);
+    AtKey atKey = fromString(KEY_NAME_STR, LLOOKUP_META_STR);
 
     assertEquals(KEY_NAME_STR, atKey.toString());
     Metadata metadata = atKey.metadata();
@@ -101,9 +94,8 @@ public void fromStringTest2() throws AtException, JsonProcessingException {
     assertNull(metadata.pubKeyCS());
   }
 
-  public static AtKey fromString(String rawKey, Secondary.Response metadataResponse)
-      throws AtException, JsonProcessingException {
-    Metadata metadata = Metadata.fromJson(metadataResponse.getRawDataResponse());
+  public static AtKey fromString(String rawKey, String metaDataJson) throws Exception {
+    Metadata metadata = Metadata.fromJson(metaDataJson);
     return Keys.keyBuilder()
         .rawKey(rawKey)
         .metadata(metadata)
diff --git a/at_client/src/test/java/org/atsign/common/ResponseTransformerTest.java b/at_client/src/test/java/org/atsign/common/ResponseTransformerTest.java
deleted file mode 100644
index a69cf88c..00000000
--- a/at_client/src/test/java/org/atsign/common/ResponseTransformerTest.java
+++ /dev/null
@@ -1,83 +0,0 @@
-package org.atsign.common;
-
-import java.time.format.DateTimeFormatter;
-
-import org.atsign.client.api.Secondary;
-import org.atsign.common.response_models.LookupResponse;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.Test;
-
-import static org.junit.jupiter.api.Assertions.*;
-
-public class ResponseTransformerTest {
-  final ObjectMapper mapper = Json.MAPPER;
-  final DateTimeFormatter dateTimeFormatter = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSS'Z'");
-
-  @Test
-  public void scanResponseTransformerTest() {
-
-  }
-
-  @Test
-  public void llookupAllResponseTransformerTest() throws JsonProcessingException {
-    // noinspection SpellCheckingInspection
-    String RESPONSE_STR = "{" +
-        "\"key\":\"public:publickey@cooking2\"," +
-        "\"data\":\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCz9nTBDDLxLgSxYu4+mDF3anWuTlKysXBBLsp3glrBP9xEXDx4muOHuHZIzuNvFlsjcCDF/mLSAJcvbxUoTsOQp+QD5XMhlNS9TWGsmNks7KHylNEhcqo2Va7RZxNS6MZBRacl+OusnebVKdOXDnbuevoED5fSklOz7mvdm9Mb2wIDAQAB\","
-        +
-        "\"metaData\":{" +
-        "\"createdBy\":null," +
-        "\"updatedBy\":null," +
-        "\"createdAt\":\"2022-08-12 01:50:15.398Z\"," +
-        "\"updatedAt\":\"2022-08-12 01:50:15.398Z\"," +
-        "\"availableAt\":\"2022-08-12 01:50:15.398Z\"," +
-        "\"expiresAt\":null," +
-        "\"refreshAt\":null," +
-        "\"status\":\"active\"," +
-        "\"version\":0," +
-        "\"ttl\":0," +
-        "\"ttb\":0," +
-        "\"ttr\":null," +
-        "\"ccd\":null," +
-        "\"isBinary\":false," +
-        "\"isEncrypted\":false," +
-        "\"dataSignature\":null," +
-        "\"sharedKeyEnc\":null," +
-        "\"pubKeyCS\":null," +
-        "\"encoding\":null" +
-        "}" +
-        "}";
-
-    Secondary.Response response = new Secondary.Response();
-    response.setRawDataResponse(RESPONSE_STR);
-    LookupResponse model = mapper.readValue(response.getRawDataResponse(), LookupResponse.class);
-
-    assertEquals("public:publickey@cooking2", model.key);
-    // noinspection SpellCheckingInspection
-    assertEquals(
-                 "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCz9nTBDDLxLgSxYu4+mDF3anWuTlKysXBBLsp3glrBP9xEXDx4muOHuHZIzuNvFlsjcCDF/mLSAJcvbxUoTsOQp+QD5XMhlNS9TWGsmNks7KHylNEhcqo2Va7RZxNS6MZBRacl+OusnebVKdOXDnbuevoED5fSklOz7mvdm9Mb2wIDAQAB",
-                 model.data);
-    assertNull(model.metaData.createdBy());
-    assertNull(model.metaData.updatedBy());
-
-    assertEquals("2022-08-12 01:50:15.398Z", dateTimeFormatter.format(model.metaData.createdAt()));
-    assertEquals("2022-08-12 01:50:15.398Z", dateTimeFormatter.format(model.metaData.updatedAt()));
-    assertEquals("2022-08-12 01:50:15.398Z", dateTimeFormatter.format(model.metaData.availableAt()));
-    assertNull(model.metaData.expiresAt());
-    assertNull(model.metaData.refreshAt());
-    assertEquals("active", model.metaData.status());
-    assertEquals(0, (int) model.metaData.version());
-    assertEquals(0, model.metaData.ttl());
-    assertEquals(0, model.metaData.ttb());
-    assertNull(model.metaData.ttr());
-    assertNull(model.metaData.ccd());
-    assertFalse(model.metaData.isBinary());
-    assertFalse(model.metaData.isEncrypted());
-    assertNull(model.metaData.dataSignature());
-    assertNull(model.metaData.sharedKeyEnc());
-    assertNull(model.metaData.pubKeyCS());
-    assertNull(model.metaData.encoding());
-  }
-}
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java b/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
index 59cdcfe6..ad449957 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
@@ -1,7 +1,6 @@
 package org.atsign.cucumber.steps;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.atsign.client.connection.protocol.Responses.decodeJsonListOfStrings;
 import static org.atsign.client.util.Preconditions.checkNotNull;
 import static org.atsign.cucumber.helpers.Helpers.isHostPortReachable;
 import static org.awaitility.Awaitility.await;
@@ -10,7 +9,6 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.File;
-import java.io.IOException;
 import java.util.*;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.TimeUnit;
@@ -22,6 +20,7 @@
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.impl.clients.AtClients;
+import org.atsign.client.connection.protocol.Data;
 import org.atsign.client.util.EnrollmentId;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtException;
@@ -452,7 +451,7 @@ private void teardownKeysAndClose(AtClient client) {
     log.debug("teardown for {} deleted {}", lookupQualifiedAtSign(client), keys);
     try {
       client.close();
-    } catch (IOException e) {
+    } catch (Exception e) {
       log.debug("teardown close for {} threw exception : {}", lookupQualifiedAtSign(client), e.getMessage());
     }
   }
@@ -475,7 +474,7 @@ private boolean requiresTeardown(String key) {
 
   private void deleteKeyNoThrow(AtClient client, String key) {
     try {
-      client.executeCommand("delete:" + key, true);
+      client.getCommandExecutor().sendSync("delete:" + key);
     } catch (Exception e) {
       log.error("attempt to delete {} failed : {}", key, e.getMessage());
     }
@@ -483,8 +482,8 @@ private void deleteKeyNoThrow(AtClient client, String key) {
 
   private List<String> scanNoThrow(AtClient client) {
     try {
-      String json = client.executeCommand("scan:showHidden:true .*", true).getRawDataResponse();
-      return decodeJsonListOfStrings(json);
+      String response = client.getCommandExecutor().sendSync("scan:showHidden:true .*");
+      return Data.matchDataJsonListOfStrings(response);
     } catch (Exception e) {
       log.error("failed to scan : {}", e.getMessage());
       return Collections.emptyList();
diff --git a/at_shell/src/main/java/org/atsign/client/cli/REPL.java b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
index 71196c40..334eb8db 100644
--- a/at_shell/src/main/java/org/atsign/client/cli/REPL.java
+++ b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
@@ -4,14 +4,12 @@
 import static org.atsign.client.api.AtEvents.AtEventType.updateNotification;
 import static org.fusesource.jansi.Ansi.ansi;
 
-import java.io.IOException;
 import java.util.*;
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtEvents.AtEventType;
-import org.atsign.client.api.Secondary;
-import org.atsign.client.util.ArgsUtil;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.client.util.KeysUtil;
 import org.atsign.common.AtException;
 import org.atsign.common.AtSign;
@@ -47,14 +45,17 @@ public static void main(String[] args) {
     AtClient atClient;
     try {
       System.out.print(ansi().cursorToColumn(0).bold().fg(Ansi.Color.BLUE).a("Connecting ... ").reset());
-      atClient = AtClient.withRemoteSecondary(atSign, KeysUtil.loadKeys(atSign), ArgsUtil.createAddressFinder(rootUrl),
-                                              verbose);
-
+      atClient = AtClients.builder()
+          .url(rootUrl)
+          .atSign(atSign)
+          .keys(KeysUtil.loadKeys(atSign))
+          .isVerbose(verbose)
+          .build();
       System.out.println(ansi().fg(Ansi.Color.GREEN).a("connected. ").reset().a("Type '/help' to see help").reset());
 
       REPL repl = new REPL(atClient, seeEncryptedNotifications);
       repl.repl();
-    } catch (IOException | AtException e) {
+    } catch (Exception e) {
       System.out.println(ansi().fg(Ansi.Color.RED).a("connection failed: " + e).reset());
       e.printStackTrace();
       System.exit(1);
@@ -86,7 +87,6 @@ public void repl() throws AtException {
       String command = cliScanner.nextLine() + "\n";
       if (!command.trim().isEmpty()) {
         command = command.trim();
-        Secondary.Response response;
         if ("help".equals(command) || command.startsWith("_") || command.startsWith("/") || command.startsWith("\\")) {
           // simple repl for get / put /
           if (!"help".equals(command)) {
@@ -119,14 +119,11 @@ public void repl() throws AtException {
               String value = command.substring(verb.length() + fullKeyName.length() + 2).trim();
               Keys.AtKey key = Keys.keyBuilder().rawKey(fullKeyName).build();
               if (key instanceof PublicKey) {
-                String data = client.put((PublicKey) key, value).get();
-                System.out.println("  => \033[31m" + data + "\033[0m");
+                client.put((PublicKey) key, value).get();
               } else if (key instanceof SelfKey) {
-                String data = client.put((SelfKey) key, value).get();
-                System.out.println("  => \033[31m" + data + "\033[0m");
+                client.put((SelfKey) key, value).get();
               } else if (key instanceof SharedKey) {
-                String data = client.put((SharedKey) key, value).get();
-                System.out.println("  => \033[31m" + data + "\033[0m");
+                client.put((SharedKey) key, value).get();
               } else if (key instanceof Keys.PrivateHiddenKey) {
                 throw new UnsupportedOperationException("PrivateHiddenKey is not implemented yet");
               } else {
@@ -143,14 +140,11 @@ public void repl() throws AtException {
               String fullKeyName = parts[1];
               Keys.AtKey key = Keys.keyBuilder().rawKey(fullKeyName).build();
               if (key instanceof PublicKey) {
-                String data = client.delete((PublicKey) key).get();
-                System.out.println("  => \033[31m" + data + "\033[0m");
+                client.delete((PublicKey) key).get();
               } else if (key instanceof SelfKey) {
-                String data = client.delete((SelfKey) key).get();
-                System.out.println("  => \033[31m" + data + "\033[0m");
+                client.delete((SelfKey) key).get();
               } else if (key instanceof SharedKey) {
-                String data = client.delete((SharedKey) key).get();
-                System.out.println("  => \033[31m" + data + "\033[0m");
+                client.delete((SharedKey) key).get();
               } else if (key instanceof Keys.PrivateHiddenKey) {
                 throw new UnsupportedOperationException("PrivateHiddenKey is not implemented yet");
               } else {
@@ -165,9 +159,9 @@ public void repl() throws AtException {
           }
         } else {
           try {
-            response = client.executeCommand(command, true);
-            System.out.println("  => \033[31m" + response.toString() + "\033[0m");
-          } catch (AtException | IOException e) {
+            String response = client.getCommandExecutor().sendSync(command);
+            System.out.println("  => \033[31m" + response + "\033[0m");
+          } catch (Exception e) {
             System.err.println("*** " + e);
           }
         }
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
index 3ee3a1ca..22b5be40 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
@@ -2,18 +2,17 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.PublicKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class PublicKeyDeleteExample {
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR = "@33thesad";
@@ -24,17 +23,22 @@ public static void main(String[] args) {
     // 2. create AtSign instance
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. create AtClient instance using factory methods
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create public key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
 
       // 5. delete the key
-      String response = atClient.delete(pk).get();
-      System.out.println(response);
+      atClient.delete(pk).get();
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println(e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
index 9927ea16..a5410158 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
@@ -1,19 +1,18 @@
 package org.atsign.examples;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.PublicKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 import org.atsign.common.options.GetRequestOptions;
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
 public class PublicKeyGetBypassCacheExample {
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish arguments
     String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@alice"; // atSign that we will pkam auth (must have keys in keys directory)
@@ -24,8 +23,14 @@ public static void main(String[] args) {
     // 2. create AtSign object
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create the key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name(KEY_NAME).build();
@@ -34,7 +39,7 @@ public static void main(String[] args) {
       String response = atClient.get(pk, GetRequestOptions.builder().bypassCache(true).build()).get();
       System.out.println(response);
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to connect to remote server " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
index a904e83d..ffa04ad3 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
@@ -1,18 +1,17 @@
 package org.atsign.examples;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.PublicKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
 public class PublicKeyGetExample {
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish arguments
     String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@33thesad"; // atSign that we will pkam auth (must have keys in keys directory)
@@ -23,8 +22,14 @@ public static void main(String[] args) {
     // 2. create AtSign object
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create the key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
@@ -33,7 +38,7 @@ public static void main(String[] args) {
       String response = atClient.get(pk).get();
       System.out.println(response);
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to connect to remote server " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
index 067e22ae..2d4a02ec 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
@@ -2,18 +2,17 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.PublicKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class PublicKeyPutExample {
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@33thesad"; // atSign that we will pkam auth (must have keys in keys directory)
@@ -25,17 +24,21 @@ public static void main(String[] args) {
     // 2. create AtSign object
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create a new public key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
 
       // 5. put the key
-      String response = atClient.put(pk, VALUE).get();
-      System.out.println(response);
-
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+      atClient.put(pk, VALUE);
+    } catch (Exception e) {
       System.err.println("Failed to connect to remote server " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
index 5b5c97e1..545b67b9 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
@@ -2,18 +2,17 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.SelfKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class SelfKeyDeleteExample {
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@33thesad"; // atSign that we will pkam auth (must have keys in keys directory)
@@ -24,17 +23,22 @@ public static void main(String[] args) {
     // 2. create AtSign object
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create self key
       SelfKey sk = Keys.selfKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
 
       // 5. delete the key
-      String response = atClient.delete(sk).get();
-      System.out.println(response);
+      atClient.delete(sk).get();
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to connect to remote server " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
index edf82c04..9900daf8 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
@@ -2,19 +2,18 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.SelfKey;
 import org.atsign.common.Metadata;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class SelfKeyGetExample {
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR = "@33thesad";
@@ -25,8 +24,14 @@ public static void main(String[] args) {
     // 2. create AtSign object
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create selfkey
       SelfKey sk = Keys.selfKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
@@ -36,7 +41,7 @@ public static void main(String[] args) {
       System.out.println(response);
       _printMetadata(sk.metadata());
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to connect to remote server " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
index c4d377b2..4d9752a2 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
@@ -2,19 +2,18 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.SelfKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class SelfKeyPutExample {
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR = "@33thesad";
@@ -28,17 +27,22 @@ public static void main(String[] args) {
     // 2. create AtSign object
     AtSign atSign = new AtSign(ATSIGN_STR);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, atSign, loadKeys(atSign), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(atSign)
+        .keys(loadKeys(atSign))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create selfkey
       SelfKey sk = Keys.selfKeyBuilder().sharedBy(atSign).name(KEY_NAME).ttl(ttl).build();
 
       // 5. put the key
-      String response = atClient.put(sk, VALUE).get();
-      System.out.println(response);
+      atClient.put(sk, VALUE).get();
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to connect to remote server " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
index dd8e57c6..fd28d692 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
@@ -2,19 +2,18 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.SharedKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class SharedKeyDeleteExample {
 
   /// Delete a SharedKey that you shared with another atSign, the key must be on your own secondary server (belonging to the sharedBy atSign)
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR_SHARED_BY = "@33thesad"; // my atSign (sharedBy)
@@ -26,17 +25,22 @@ public static void main(String[] args) {
     AtSign sharedBy = new AtSign(ATSIGN_STR_SHARED_BY);
     AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, sharedBy, loadKeys(sharedBy), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(sharedBy)
+        .keys(loadKeys(sharedBy))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create SharedKey instance
       SharedKey sk = Keys.sharedKeyBuilder().sharedBy(sharedBy).sharedWith(sharedWith).name(KEY_NAME).build();
 
       // 5. delete the key
-      String response = atClient.delete(sk).get();
-      System.out.println(response);
+      atClient.delete(sk).get();
 
-    } catch (AtException | InterruptedException | ExecutionException | IOException e) {
+    } catch (Exception e) {
       System.err.println("Failed to create AtClient instance " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
index 9ab6e8e5..430a8d6b 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
@@ -2,18 +2,17 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.SharedKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class SharedKeyGetOtherExample {
   /// Get the SharedKey sharedBy another person and sharedWith you
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR_SHARED_BY = "@33thesad"; // their atSign (key is sharedBy this atSign)
@@ -25,8 +24,14 @@ public static void main(String[] args) {
     AtSign sharedBy = new AtSign(ATSIGN_STR_SHARED_BY);
     AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH); // your atSign
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, sharedWith, loadKeys(sharedWith), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(sharedWith)
+        .keys(loadKeys(sharedWith))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create SharedKey instance
       // key is sharedBy the other person and sharedWith you.
@@ -36,7 +41,7 @@ public static void main(String[] args) {
       String response = atClient.get(sk).get();
       System.out.println(response);
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to create AtClient instance " + e);
       e.printStackTrace();
     }
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
index 8012f449..cf2d7322 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
@@ -2,18 +2,17 @@
 
 import static org.atsign.client.util.KeysUtil.loadKeys;
 
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtException;
+import org.atsign.client.api.impl.clients.AtClients;
 import org.atsign.common.AtSign;
 import org.atsign.common.Keys;
 import org.atsign.common.Keys.SharedKey;
+import org.atsign.common.exceptions.AtClientConfigException;
 
 public class SharedKeyGetSelfExample {
   /// Get a SharedKey that you created and shared with another atSign
-  public static void main(String[] args) {
+  public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
     String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR_SHARED_BY = "@33thesad"; // my atSign (sharedBy)
@@ -25,8 +24,14 @@ public static void main(String[] args) {
     AtSign sharedBy = new AtSign(ATSIGN_STR_SHARED_BY);
     AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH);
 
-    // 3. atClient factory method
-    try (AtClient atClient = AtClient.withRemoteSecondary(ROOT_URL, sharedBy, loadKeys(sharedBy), VERBOSE)) {
+    // 3. build an AtClient
+    AtClients.AtClientsBuilder builder = AtClients.builder()
+        .url(ROOT_URL)
+        .atSign(sharedBy)
+        .keys(loadKeys(sharedBy))
+        .isVerbose(VERBOSE);
+
+    try (AtClient atClient = builder.build()) {
 
       // 4. create SharedKey instance
       SharedKey sk = Keys.sharedKeyBuilder().sharedBy(sharedBy).sharedWith(sharedWith).name(KEY_NAME).build();
@@ -35,7 +40,7 @@ public static void main(String[] args) {
       String response = atClient.get(sk).get();
       System.out.println(response);
 
-    } catch (AtException | IOException | InterruptedException | ExecutionException e) {
+    } catch (Exception e) {
       System.err.println("Failed to create AtClient instance " + e);
       e.printStackTrace();
     }

From 7adfc3e7bc33a0ffe5f2d313191b09c2762ac003 Mon Sep 17 00:00:00 2001
From: akafredperry <fred@atsign.com>
Date: Tue, 10 Mar 2026 17:20:02 +0000
Subject: [PATCH 3/5] feature: class rename and package reorg

---
 at_client/README.md                           |   6 +-
 at_client/pom.xml                             |   5 +
 .../java/org/atsign/client/api/AtClient.java  | 212 +++++++++-
 .../AtCommandExecutor.java}                   |  10 +-
 .../org/atsign/client/api/AtKeyNames.java     |   2 -
 .../java/org/atsign/client/api/AtKeys.java    |  15 +-
 .../atsign/{common => client/api}/AtSign.java |   6 +-
 .../atsign/{common => client/api}/Keys.java   |  18 +-
 .../{common => client/api}/Metadata.java      |  12 +-
 .../client/api/impl/clients/AtClients.java    |  62 ---
 .../org/atsign/client/api/package-info.java   |   4 +
 .../java/org/atsign/client/cli/Register.java  | 288 --------------
 .../connection/api/ReconnectStrategy.java     |  50 ---
 .../netty/NettyAtEndpointSupplier.java        |  60 ---
 .../connection/protocol/Authentication.java   | 104 -----
 .../client/connection/protocol/Data.java      | 117 ------
 .../client/connection/protocol/Keys.java      |  82 ----
 .../client/connection/protocol/Scan.java      |  36 --
 .../connection/protocol/package-info.java     |   8 -
 .../AtClientImpl.java}                        | 146 ++++---
 .../org/atsign/client/impl/AtClients.java     |  58 +++
 .../client/impl/AtCommandExecutors.java       |  72 ++++
 .../api => impl}/AtEndpointSupplier.java      |   6 +-
 .../client/impl/AtEndpointSuppliers.java      |  69 ++++
 .../atsign/client/impl/ReconnectStrategy.java |  90 +++++
 .../client/{ => impl}/cli/AbstractCli.java    |  44 +--
 .../client/{ => impl}/cli/Activate.java       | 110 +++---
 .../atsign/client/{ => impl}/cli/Delete.java  |  14 +-
 .../client/{ => impl}/cli/DumpKeys.java       |  10 +-
 .../org/atsign/client/{ => impl}/cli/Get.java |  14 +-
 .../atsign/client/{ => impl}/cli/Scan.java    |  20 +-
 .../atsign/client/{ => impl}/cli/Share.java   |  14 +-
 .../ActivateAtsignWithSuperApiKey.java        |  28 ++
 .../impl/cli/register}/ApiCallStatus.java     |   2 +-
 .../impl/cli/register}/ConfigReader.java      |   2 +-
 .../cli/register}/Constants.java              |   2 +-
 .../impl/cli/register/GetFreeAtsign.java      |  25 ++
 .../GetFreeAtsignWithSuperApiKey.java         |  24 ++
 .../cli/register}/NotificationStatus.java     |   2 +-
 .../client/impl/cli/register/Register.java    | 121 ++++++
 .../impl/cli/register}/RegisterApiResult.java |   4 +-
 .../impl/cli/register}/RegisterApiTask.java   |   4 +-
 .../impl/cli/register/RegisterAtsign.java     |  25 ++
 .../cli/register}/RegisterUtil.java           |  12 +-
 .../impl/cli/register/RegistrationFlow.java   |  41 ++
 .../client/impl/cli/register/ValidateOtp.java |  50 +++
 .../commands}/AtExceptions.java               |  25 +-
 .../impl/commands/AuthenticationCommands.java | 119 ++++++
 .../impl/commands/CommandBuilders.java}       |  26 +-
 .../client/impl/commands/DataResponses.java   | 193 +++++++++
 .../commands/EnrollCommands.java}             | 151 ++++---
 .../commands/ErrorResponses.java}             |  10 +-
 .../client/impl/commands/KeyCommands.java     |  82 ++++
 .../impl/commands}/LookupResponse.java        |   4 +-
 .../commands}/Notifications.java              |  24 +-
 .../commands/PublicKeyCommands.java}          |  53 ++-
 .../protocol => impl/commands}/Responses.java |  12 +-
 .../client/impl/commands/ScanCommands.java    |  35 ++
 .../commands/SelfKeyCommands.java}            |  40 +-
 .../commands/SharedKeyCommands.java}          | 101 +++--
 .../client/impl/commands/package-info.java    |   5 +
 .../common/CommandElement.java}               |  12 +-
 .../common/CommandQueue.java                  |  50 +--
 .../{util => impl/common}/EnrollmentId.java   |   8 +-
 .../{util => impl/common}/Preconditions.java  |   2 +-
 .../common}/SimpleAtEventBus.java             |   4 +-
 .../common/SimpleReconnectStrategy.java       |   4 +-
 .../{util => impl/common}/TypedString.java    |   6 +-
 .../AtBlockedConnectionException.java         |   4 +-
 .../exceptions/AtBufferOverFlowException.java |   4 +-
 .../exceptions/AtClientConfigException.java   |   4 +-
 .../exceptions/AtDecryptionException.java     |   4 +-
 .../exceptions/AtEncryptionException.java     |   4 +-
 .../impl/exceptions}/AtException.java         |   2 +-
 .../exceptions/AtHandShakeException.java      |   4 +-
 .../AtIllegalArgumentException.java           |   4 +-
 .../AtInboundConnectionLimitException.java    |   4 +-
 .../exceptions/AtInternalServerError.java     |   4 +-
 .../exceptions/AtInternalServerException.java |   4 +-
 .../exceptions/AtInvalidAtKeyException.java   |   4 +-
 .../exceptions}/AtInvalidSyntaxException.java |   4 +-
 .../exceptions/AtKeyNotFoundException.java    |   4 +-
 .../AtNewErrorCodeWhoDisException.java        |   4 +-
 .../impl}/exceptions/AtOnReadyException.java  |   6 +-
 .../AtOutboundConnectionLimitException.java   |   4 +-
 .../exceptions/AtRegistrarException.java      |   4 +-
 .../AtResponseHandlingException.java          |   4 +-
 .../AtSecondaryConnectException.java          |   4 +-
 .../AtSecondaryNotFoundException.java         |   4 +-
 .../exceptions/AtServerIsPausedException.java |   4 +-
 .../exceptions}/AtServerRuntimeException.java |   4 +-
 .../impl}/exceptions/AtTimeoutException.java  |   4 +-
 .../AtUnauthenticatedException.java           |   4 +-
 .../exceptions/AtUnauthorizedException.java   |   4 +-
 .../AtUnknownResponseException.java           |   4 +-
 .../exceptions/MalformedKeyException.java     |   4 +-
 .../netty/NettyAtCommandEncoder.java          |   2 +-
 .../netty/NettyAtCommandExecutor.java}        |  98 ++---
 .../impl/netty/NettyAtEndpointSupplier.java   |  50 +++
 .../netty/NettyAtResponseDecoder.java         |   2 +-
 .../netty/NettyAtThreadFactory.java           |   2 +-
 .../org/atsign/client/impl/package-info.java  |   4 +
 .../util/ByteUtils.java}                      |   4 +-
 .../util/EncryptionUtils.java}                |   8 +-
 .../impl/util/JsonUtils.java}                 |   4 +-
 .../util/KeysUtils.java}                      |  21 +-
 .../util/StringUtils.java}                    |   4 +-
 .../common/options/GetRequestOptions.java     |  14 -
 .../org/atsign/client/api/AtKeyNamesTest.java |   2 +-
 .../org/atsign/client/api/AtKeysTest.java     |   2 +-
 .../{common => client/api}/AtSignTest.java    |   2 +-
 .../{common => client/api}/KeysTest.java      |   4 +-
 .../{common => client/api}/MetadataTest.java  |   2 +-
 .../client/connection/protocol/ErrorTest.java |  39 --
 .../client/{ => impl}/cli/ActivateIT.java     |   6 +-
 .../impl/cli/register}/ConfigReaderTest.java  |   3 +-
 .../commands}/AtExceptionsTest.java           |  43 +-
 .../commands/AuthenticationCommandsTest.java} |  45 ++-
 .../impl/commands/CommandBuildersTest.java}   | 372 +++++++++---------
 .../commands/DataResponsesTest.java}          |  39 +-
 .../commands/EnrollCommandsTest.java}         |  76 ++--
 .../impl/commands/ErrorResponsesTest.java     |  40 ++
 .../commands/KeyCommandsTest.java}            |  32 +-
 .../commands}/NotificationsTest.java          |  34 +-
 .../commands/PublicKeyCommandsTest.java}      |  72 ++--
 .../commands}/ResponsesTest.java              |   2 +-
 .../commands/ScanCommandsTest.java}           |  28 +-
 .../commands/SelfKeyCommandsTest.java}        |  40 +-
 .../commands/SharedKeyCommandsTest.java}      |  49 +--
 .../commands}/TestConnectionBuilder.java      |  12 +-
 .../common/CommandElementTest.java}           |  44 +--
 .../common/CommandQueueTest.java              |  80 ++--
 .../common/SimpleReconnectStrategyTest.java   |   2 +-
 .../netty/NettyAtCommandEncoderTest.java      |   2 +-
 .../netty/NettyAtCommandExecutorIT.java}      |  20 +-
 .../netty/NettyAtCommandExecutorTest.java}    | 230 +++++------
 .../netty/NettyAtEndpointSupplierTest.java    |   6 +-
 .../NettyAtServerResponseDecoderTest.java     |   2 +-
 .../netty/TestServer.java                     |   4 +-
 .../impl/util/ByteUtilsTest.java}             |  27 +-
 .../util/EncryptionUtilsTest.java}            |  12 +-
 .../impl/util}/FromStringTest.java            |   9 +-
 .../client/impl/util/JsonUtilsTest.java       |   5 +
 .../impl/util/KeysUtilsTest.java}             |  34 +-
 .../test/java/org/atsign/common/JsonTest.java |   7 -
 .../atsign/cucumber/helpers/AtDemoData.java   |   2 +-
 .../atsign/cucumber/steps/ActivateSteps.java  |  68 ++--
 .../cucumber/steps/AtClientContext.java       |  32 +-
 .../atsign/cucumber/steps/GetAtKeysSteps.java |   4 +-
 .../atsign/cucumber/steps/MonitorSteps.java   |   2 +-
 .../atsign/cucumber/steps/ParameterTypes.java |   6 +-
 .../cucumber/steps/PublicAtKeySteps.java      |   4 +-
 .../cucumber/steps/QualifiedAtSign.java       |   4 +-
 .../atsign/cucumber/steps/SelfAtKeySteps.java |   4 +-
 .../cucumber/steps/SharedAtKeySteps.java      |   4 +-
 .../main/java/org/atsign/client/cli/REPL.java |  22 +-
 .../org/atsign/client/util/CameraUtil.java    |   4 +-
 .../examples/PublicKeyDeleteExample.java      |  14 +-
 .../PublicKeyGetBypassCacheExample.java       |  16 +-
 .../atsign/examples/PublicKeyGetExample.java  |  14 +-
 .../atsign/examples/PublicKeyPutExample.java  |  14 +-
 .../atsign/examples/SelfKeyDeleteExample.java |  14 +-
 .../atsign/examples/SelfKeyGetExample.java    |  16 +-
 .../atsign/examples/SelfKeyPutExample.java    |  14 +-
 .../examples/SharedKeyDeleteExample.java      |  14 +-
 .../examples/SharedKeyGetOtherExample.java    |  14 +-
 .../examples/SharedKeyGetSelfExample.java     |  14 +-
 pom.xml                                       |  30 ++
 168 files changed, 2829 insertions(+), 2326 deletions(-)
 rename at_client/src/main/java/org/atsign/client/{connection/api/AtClientConnection.java => api/AtCommandExecutor.java} (90%)
 rename at_client/src/main/java/org/atsign/{common => client/api}/AtSign.java (87%)
 rename at_client/src/main/java/org/atsign/{common => client/api}/Keys.java (97%)
 rename at_client/src/main/java/org/atsign/{common => client/api}/Metadata.java (96%)
 delete mode 100644 at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java
 create mode 100644 at_client/src/main/java/org/atsign/client/api/package-info.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/cli/Register.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Data.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java
 rename at_client/src/main/java/org/atsign/client/{api/impl/clients/DefaultAtClientImpl.java => impl/AtClientImpl.java} (62%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/AtClients.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
 rename at_client/src/main/java/org/atsign/client/{connection/api => impl}/AtEndpointSupplier.java (58%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/AbstractCli.java (67%)
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/Activate.java (67%)
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/Delete.java (78%)
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/DumpKeys.java (62%)
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/Get.java (78%)
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/Scan.java (90%)
 rename at_client/src/main/java/org/atsign/client/{ => impl}/cli/Share.java (80%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java
 rename at_client/src/main/java/org/atsign/{common => client/impl/cli/register}/ApiCallStatus.java (68%)
 rename at_client/src/main/java/org/atsign/{config => client/impl/cli/register}/ConfigReader.java (96%)
 rename at_client/src/main/java/org/atsign/client/{util => impl/cli/register}/Constants.java (90%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsignWithSuperApiKey.java
 rename at_client/src/main/java/org/atsign/{common => client/impl/cli/register}/NotificationStatus.java (70%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/Register.java
 rename at_client/src/main/java/org/atsign/{common => client/impl/cli/register}/RegisterApiResult.java (69%)
 rename at_client/src/main/java/org/atsign/{common => client/impl/cli/register}/RegisterApiTask.java (95%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java
 rename at_client/src/main/java/org/atsign/client/{util => impl/cli/register}/RegisterUtil.java (98%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/RegistrationFlow.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java
 rename at_client/src/main/java/org/atsign/client/{connection/protocol => impl/commands}/AtExceptions.java (79%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java
 rename at_client/src/main/java/org/atsign/{common/VerbBuilders.java => client/impl/commands/CommandBuilders.java} (97%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java
 rename at_client/src/main/java/org/atsign/client/{connection/protocol/Enroll.java => impl/commands/EnrollCommands.java} (60%)
 rename at_client/src/main/java/org/atsign/client/{connection/protocol/Error.java => impl/commands/ErrorResponses.java} (82%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java
 rename at_client/src/main/java/org/atsign/{common/response_models => client/impl/commands}/LookupResponse.java (78%)
 rename at_client/src/main/java/org/atsign/client/{connection/protocol => impl/commands}/Notifications.java (75%)
 rename at_client/src/main/java/org/atsign/client/{connection/protocol/PublicKeys.java => impl/commands/PublicKeyCommands.java} (54%)
 rename at_client/src/main/java/org/atsign/client/{connection/protocol => impl/commands}/Responses.java (80%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java
 rename at_client/src/main/java/org/atsign/client/{connection/protocol/SelfKeys.java => impl/commands/SelfKeyCommands.java} (53%)
 rename at_client/src/main/java/org/atsign/client/{connection/protocol/SharedKeys.java => impl/commands/SharedKeyCommands.java} (58%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/commands/package-info.java
 rename at_client/src/main/java/org/atsign/client/{connection/common/Command.java => impl/common/CommandElement.java} (82%)
 rename at_client/src/main/java/org/atsign/client/{connection => impl}/common/CommandQueue.java (65%)
 rename at_client/src/main/java/org/atsign/client/{util => impl/common}/EnrollmentId.java (65%)
 rename at_client/src/main/java/org/atsign/client/{util => impl/common}/Preconditions.java (97%)
 rename at_client/src/main/java/org/atsign/client/{api/impl/events => impl/common}/SimpleAtEventBus.java (94%)
 rename at_client/src/main/java/org/atsign/client/{connection => impl}/common/SimpleReconnectStrategy.java (94%)
 rename at_client/src/main/java/org/atsign/client/{util => impl/common}/TypedString.java (73%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtBlockedConnectionException.java (78%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtBufferOverFlowException.java (80%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtClientConfigException.java (82%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtDecryptionException.java (72%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtEncryptionException.java (78%)
 rename at_client/src/main/java/org/atsign/{common => client/impl/exceptions}/AtException.java (90%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtHandShakeException.java (78%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtIllegalArgumentException.java (76%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtInboundConnectionLimitException.java (80%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtInternalServerError.java (75%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtInternalServerException.java (77%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtInvalidAtKeyException.java (78%)
 rename at_client/src/main/java/org/atsign/{common/exceptions/AtExceptions => client/impl/exceptions}/AtInvalidSyntaxException.java (74%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtKeyNotFoundException.java (78%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtNewErrorCodeWhoDisException.java (75%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtOnReadyException.java (73%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtOutboundConnectionLimitException.java (81%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtRegistrarException.java (79%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtResponseHandlingException.java (79%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtSecondaryConnectException.java (83%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtSecondaryNotFoundException.java (85%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtServerIsPausedException.java (75%)
 rename at_client/src/main/java/org/atsign/{common/exceptions/AtExceptions => client/impl/exceptions}/AtServerRuntimeException.java (74%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtTimeoutException.java (75%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtUnauthenticatedException.java (80%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtUnauthorizedException.java (77%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/AtUnknownResponseException.java (73%)
 rename at_client/src/main/java/org/atsign/{common => client/impl}/exceptions/MalformedKeyException.java (70%)
 rename at_client/src/main/java/org/atsign/client/{connection => impl}/netty/NettyAtCommandEncoder.java (93%)
 rename at_client/src/main/java/org/atsign/client/{connection/netty/NettyAtClientConnection.java => impl/netty/NettyAtCommandExecutor.java} (84%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java
 rename at_client/src/main/java/org/atsign/client/{connection => impl}/netty/NettyAtResponseDecoder.java (98%)
 rename at_client/src/main/java/org/atsign/client/{connection => impl}/netty/NettyAtThreadFactory.java (97%)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/package-info.java
 rename at_client/src/main/java/org/atsign/client/{util/ByteUtil.java => impl/util/ByteUtils.java} (91%)
 rename at_client/src/main/java/org/atsign/client/{util/EncryptionUtil.java => impl/util/EncryptionUtils.java} (97%)
 rename at_client/src/main/java/org/atsign/{common/Json.java => client/impl/util/JsonUtils.java} (96%)
 rename at_client/src/main/java/org/atsign/client/{util/KeysUtil.java => impl/util/KeysUtils.java} (93%)
 rename at_client/src/main/java/org/atsign/client/{util/StringUtil.java => impl/util/StringUtils.java} (79%)
 delete mode 100644 at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java
 rename at_client/src/test/java/org/atsign/{common => client/api}/AtSignTest.java (96%)
 rename at_client/src/test/java/org/atsign/{common => client/api}/KeysTest.java (99%)
 rename at_client/src/test/java/org/atsign/{common => client/api}/MetadataTest.java (99%)
 delete mode 100644 at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java
 rename at_client/src/test/java/org/atsign/client/{ => impl}/cli/ActivateIT.java (98%)
 rename at_client/src/test/java/org/atsign/{common => client/impl/cli/register}/ConfigReaderTest.java (94%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol => impl/commands}/AtExceptionsTest.java (80%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/AuthenticationTest.java => impl/commands/AuthenticationCommandsTest.java} (58%)
 rename at_client/src/test/java/org/atsign/{common/VerbBuildersTest.java => client/impl/commands/CommandBuildersTest.java} (73%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/DataTest.java => impl/commands/DataResponsesTest.java} (51%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/EnrollTest.java => impl/commands/EnrollCommandsTest.java} (74%)
 create mode 100644 at_client/src/test/java/org/atsign/client/impl/commands/ErrorResponsesTest.java
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/KeysTest.java => impl/commands/KeyCommandsTest.java} (71%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol => impl/commands}/NotificationsTest.java (89%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/PublicKeysTest.java => impl/commands/PublicKeyCommandsTest.java} (59%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol => impl/commands}/ResponsesTest.java (98%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/ScanTest.java => impl/commands/ScanCommandsTest.java} (55%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/SelfKeysTest.java => impl/commands/SelfKeyCommandsTest.java} (62%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol/SharedKeysTest.java => impl/commands/SharedKeyCommandsTest.java} (72%)
 rename at_client/src/test/java/org/atsign/client/{connection/protocol => impl/commands}/TestConnectionBuilder.java (84%)
 rename at_client/src/test/java/org/atsign/client/{connection/common/CommandTest.java => impl/common/CommandElementTest.java} (63%)
 rename at_client/src/test/java/org/atsign/client/{connection => impl}/common/CommandQueueTest.java (68%)
 rename at_client/src/test/java/org/atsign/client/{connection => impl}/common/SimpleReconnectStrategyTest.java (99%)
 rename at_client/src/test/java/org/atsign/client/{connection => impl}/netty/NettyAtCommandEncoderTest.java (96%)
 rename at_client/src/test/java/org/atsign/client/{connection/netty/NettyAtClientConnectionIT.java => impl/netty/NettyAtCommandExecutorIT.java} (72%)
 rename at_client/src/test/java/org/atsign/client/{connection/netty/NettyAtClientConnectionTest.java => impl/netty/NettyAtCommandExecutorTest.java} (75%)
 rename at_client/src/test/java/org/atsign/client/{connection => impl}/netty/NettyAtEndpointSupplierTest.java (95%)
 rename at_client/src/test/java/org/atsign/client/{connection => impl}/netty/NettyAtServerResponseDecoderTest.java (99%)
 rename at_client/src/test/java/org/atsign/client/{connection => impl}/netty/TestServer.java (98%)
 rename at_client/src/test/java/org/atsign/{common/ByteUtilTest.java => client/impl/util/ByteUtilsTest.java} (67%)
 rename at_client/src/test/java/org/atsign/client/{util/EncryptionUtilTest.java => impl/util/EncryptionUtilsTest.java} (54%)
 rename at_client/src/test/java/org/atsign/{common => client/impl/util}/FromStringTest.java (94%)
 create mode 100644 at_client/src/test/java/org/atsign/client/impl/util/JsonUtilsTest.java
 rename at_client/src/test/java/org/atsign/{common/KeysUtilTest.java => client/impl/util/KeysUtilsTest.java} (71%)
 delete mode 100644 at_client/src/test/java/org/atsign/common/JsonTest.java

diff --git a/at_client/README.md b/at_client/README.md
index 1a5994a0..639a2f6a 100644
--- a/at_client/README.md
+++ b/at_client/README.md
@@ -70,7 +70,7 @@ The SDK currently depends on the following
 ## Example Usage
 
 The command line classes under
-[src/main/java/org/atsign/client/cli](src/main/java/org/atsign/client/cli)
+[src/main/java/org/atsign/client/cli](src/main/java/org/atsign/client/impl/cli)
 serve as simple examples of how to instantiate an AtClient instance and invoke its
 interface.
 
@@ -135,11 +135,11 @@ mvn exec:java -Dexec.mainClass=org.atsign.client.cli.Delete \
 
 ### Register
 
-The utility **org.atsign.client.cli.Register** can be used to perform
+The utility **org.atsign.client.cli.register.Register** can be used to perform
 registration operations.
 
 ```shell
-mvn exec:java -Dexec.mainClass=org.atsign.client.cli.Register -Dexec.args="--help"
+mvn exec:java -Dexec.mainClass=org.atsign.client.cli.register.Register -Dexec.args="--help"
 ```
 
 When using the SUPER_API Key to register an atsign, the following sequence of
diff --git a/at_client/pom.xml b/at_client/pom.xml
index c33e0527..897b3e3a 100644
--- a/at_client/pom.xml
+++ b/at_client/pom.xml
@@ -17,6 +17,11 @@
   <properties>
     <config.spotless>../config/java-format.xml</config.spotless>
     <config.checkstyle>../config/checkstyle.xml</config.checkstyle>
+
+    <!-- lower for now because cli and register code has no tests -->
+    <coverage.line>0.77</coverage.line>
+    <coverage.branch>0.7</coverage.branch>
+
   </properties>
 
   <build>
diff --git a/at_client/src/main/java/org/atsign/client/api/AtClient.java b/at_client/src/main/java/org/atsign/client/api/AtClient.java
index c2e1a2bd..bbc802ce 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtClient.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtClient.java
@@ -1,67 +1,257 @@
 package org.atsign.client.api;
 
-import static org.atsign.common.Keys.*;
+import static org.atsign.client.api.Keys.*;
 
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
 
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtSign;
-import org.atsign.common.options.GetRequestOptions;
+import lombok.Builder;
+import lombok.Value;
 
 /**
- * The primary interface of the AtSign client library.
+ * A core interface which enables users to interact with an AtServer as
+ * a map-like interface (rather than having sending AtProtocol commands).
+ * Users are able to invoke put, get and delete operations for the different key
+ * types ({@link PublicKey}, {@link SelfKey} and {@link SharedKey}).
+ * Users can also subscribe to notifications, an {@link AtClient} is an
+ * {@link org.atsign.client.api.AtEvents.AtEventBus}, allowing users to
+ * register {@link org.atsign.client.api.AtEvents.AtEventListener}s.
+ * {@link AtClient}s are closeable resources and should be treated accordingly.
  */
-@SuppressWarnings("unused")
 public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
+  /**
+   * The methods in this interface are from the perspective of this {@link AtSign}.
+   * For example when executing {@link #put(SelfKey, String)} the {@link SelfKey#sharedBy()}
+   * should be the {@link AtSign} of the {@link AtClient}.
+   *
+   * @return the {@link AtSign} which this {@link AtClient} is representing.
+   */
   AtSign getAtSign();
 
-  AtKeys getEncryptionKeys();
+  /**
+   * Users are able to get this and execute At Protocol commands directly.
+   *
+   * @return The underlying {@link AtCommandExecutor} which this {@link AtClient} is using to interact
+   *         the At Server.
+   */
+  AtCommandExecutor getCommandExecutor();
 
+  /**
+   * Used to get a String associated with a shared key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SharedKey#sharedBy()} or the {@link SharedKey#sharedWith()} for the key.
+   *
+   * @param sharedKey A {@link SharedKey}
+   * @return A {@link CompletableFuture} for the String value associated with this key.
+   */
   CompletableFuture<String> get(SharedKey sharedKey);
 
+  /**
+   * Used to get a byte array associated with a shared key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SharedKey#sharedBy()} or the {@link SharedKey#sharedWith()} for the key.
+   *
+   * @param sharedKey A {@link SharedKey}
+   * @return A {@link CompletableFuture} for the byte array value associated with this key.
+   */
   CompletableFuture<byte[]> getBinary(SharedKey sharedKey);
 
+  /**
+   * Used to associate a String with a shared key.
+   * The {@link AtClient} {@link AtSign} should be the {@link SharedKey#sharedBy()} or the
+   * {@link SharedKey#sharedWith()} for the key.
+   *
+   * @param sharedKey A {@link SharedKey}.
+   * @param value The string value (this cannot be null).
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> put(SharedKey sharedKey, String value);
 
+  /**
+   * Used to delete a shared key.
+   * The {@link AtClient} {@link AtSign} should be the {@link SharedKey#sharedBy()} for the key.
+   *
+   * @param sharedKey A {@link SharedKey}.
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> delete(SharedKey sharedKey);
 
+  /**
+   * Used to get a String associated with a self key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SelfKey#sharedBy()} for the key.
+   *
+   * @param selfKey A {@link SelfKey}
+   * @return A {@link CompletableFuture} for the String value associated with this key.
+   */
   CompletableFuture<String> get(SelfKey selfKey);
 
+  /**
+   * Used to get a byte array associated with a self key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SelfKey#sharedBy()} for the key.
+   *
+   * @param selfKey A {@link SelfKey}
+   * @return A {@link CompletableFuture} for the byte array value associated with this key.
+   */
   CompletableFuture<byte[]> getBinary(SelfKey selfKey);
 
+  /**
+   * Used to associate a String with a self key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SelfKey#sharedBy()} for the key.
+   *
+   * @param selfKey A {@link SelfKey}.
+   * @param value The string value to be associated with the {@link SelfKey} (this cannot be null).
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> put(SelfKey selfKey, String value);
 
+  /**
+   * Used to delete a self key.
+   * The {@link AtClient} {@link AtSign} should be the {@link SelfKey#sharedBy()} for the key.
+   *
+   * @param selfKey A {@link SelfKey}.
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> delete(SelfKey selfKey);
 
+  /**
+   * Used to get a String associated with a specific key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<String> get(PublicKey publicKey);
 
-  CompletableFuture<String> get(PublicKey publicKey, GetRequestOptions getRequestOptions);
+  /**
+   * Used to get a String associated with a public key.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @param options Can be used to control the caching behavior.
+   * @return A {@link CompletableFuture} for this operation.
+   */
+  CompletableFuture<String> get(PublicKey publicKey, GetRequestOptions options);
 
+  /**
+   * Used to get a byte array associated with a public key.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<byte[]> getBinary(PublicKey publicKey);
 
-  CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions getRequestOptions);
+  /**
+   * Used to get a byte array associated with a public key.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @param options Can be used to control the caching behavior.
+   * @return A {@link CompletableFuture} for this operation.
+   */
+  CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions options);
 
+  /**
+   * Used to associate a String with a public key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link PublicKey#sharedBy()} for the key.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @param value The string value associated with the {@link PublicKey} (this cannot be null).
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> put(PublicKey publicKey, String value);
 
+  /**
+   * Used to delete a public key.
+   * The {@link AtClient} {@link AtSign} should be the {@link PublicKey#sharedBy()} for the key.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> delete(PublicKey publicKey);
 
+  /**
+   * Used to associate a byte array with a shared key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SharedKey#sharedBy()} for the key.
+   *
+   * @param sharedKey A {@link SharedKey}.
+   * @param value The byte array to associated with the {@link SharedKey}
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> put(SharedKey sharedKey, byte[] value);
 
+  /**
+   * Used to associate a byte array with a self key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link SelfKey#sharedBy()} for the key.
+   *
+   * @param selfKey A {@link SelfKey}.
+   * @param value The byte array to associated with the {@link SelfKey}
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> put(SelfKey selfKey, byte[] value);
 
+  /**
+   * Used to associate a byte array with a public key from the perspective of the
+   * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
+   * {@link PublicKey#sharedBy()} for the key.
+   *
+   * @param publicKey A {@link PublicKey}.
+   * @param value The byte array to associated with the {@link PublicKey}
+   * @return A {@link CompletableFuture} for this operation.
+   */
   CompletableFuture<Void> put(PublicKey publicKey, byte[] value);
 
-  CompletableFuture<List<AtKey>> getAtKeys(String regex);
+  /**
+   * Used to retrieve a list of typed {@link AtKeys} that are visible to this {@link AtClient}'s
+   * {@link AtSign} and have a key name what matches a regular expression.
+   *
+   * @param regex A regular expression String that will be be used to filter the returned keys.
+   * @return list of {@link AtKeys} subclass instances.
+   */
+  default CompletableFuture<List<AtKey>> getAtKeys(String regex) {
+    return getAtKeys(regex, false);
+  }
 
+  /**
+   * Used to retrieve a list of typed {@link AtKeys}, with metadata populated that are visible
+   * to this {@link AtClient}'s {@link AtSign} and have a key name what matches a regular expression.
+   *
+   * @param regex A regular expression String that will be be used to filter the returned keys.
+   * @param fetchMetadata If true then for lookup metadata for every key.
+   * @return list of {@link AtKeys} subclass instances.
+   */
   CompletableFuture<List<AtKey>> getAtKeys(String regex, boolean fetchMetadata);
 
+  /**
+   * Used to send a monitor command and to ensure notifications are dispatched to registered
+   * {@link org.atsign.client.api.AtEvents.AtEventListener}s.
+   */
   void startMonitor();
 
+  /**
+   * Used to "clear" the monitor command.
+   * {@link org.atsign.client.api.AtEvents.AtEventListener}s.
+   */
   void stopMonitor();
 
+  /**
+   * Used to check if this {@link AtClient} has sent a monitor command.
+   *
+   * @return
+   */
   boolean isMonitorRunning();
 
-  AtClientConnection getCommandExecutor();
+  /**
+   * Data class used to model options to the {@link org.atsign.client.api.AtClient} get methods
+   */
+  @Value
+  @Builder
+  class GetRequestOptions {
+    boolean bypassCache;
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java b/at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java
similarity index 90%
rename from at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java
rename to at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java
index ce34ae4d..454d5e58 100644
--- a/at_client/src/main/java/org/atsign/client/connection/api/AtClientConnection.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java
@@ -1,13 +1,15 @@
-package org.atsign.client.connection.api;
+package org.atsign.client.api;
 
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.function.Consumer;
 
 /**
- * Represents a connection to an AtSign server command interface.
+ * A core interface that represents something that is connected to an at server
+ * command interface.
+ * {@link AtCommandExecutor}s are closeable resources and should be treated accordingly.
  */
-public interface AtClientConnection extends AutoCloseable {
+public interface AtCommandExecutor extends AutoCloseable {
 
   /**
    * Asynchronously executes an Atsign Protocol command that is expected to return a response.
@@ -80,5 +82,5 @@ default CompletableFuture<Void> send(String command, Consumer<String> consumer)
    * @param consumer a consumer that will perform commands
    * @return this (to allow chaining / fluent style invocation)
    */
-  AtClientConnection onReady(Consumer<AtClientConnection> consumer);
+  AtCommandExecutor onReady(Consumer<AtCommandExecutor> consumer);
 }
diff --git a/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java b/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
index b93fe8fc..a1d0181f 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
@@ -1,7 +1,5 @@
 package org.atsign.client.api;
 
-import org.atsign.common.AtSign;
-
 /**
  * Constants and Utility methods for "well known" standard keys
  */
diff --git a/at_client/src/main/java/org/atsign/client/api/AtKeys.java b/at_client/src/main/java/org/atsign/client/api/AtKeys.java
index 3b5171d2..af60c70c 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtKeys.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtKeys.java
@@ -7,10 +7,9 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
-import org.atsign.client.util.EnrollmentId;
-
 import lombok.Builder;
 import lombok.Value;
+import org.atsign.client.impl.common.EnrollmentId;
 
 /**
  * An immutable class used to hold an {@link org.atsign.client.api.AtClient}s keys.
@@ -56,13 +55,13 @@ public class AtKeys {
    * request uses this key to encrypt the {@link #selfEncryptKey} and {@link #encryptPrivateKey}
    * in the response that it sends.
    * The process which requested the enrollment can then decrypt and store those keys.
-   * This ensures that all {@link AtKeys} got and {@link org.atsign.common.AtSign} share the same
+   * This ensures that all {@link AtKeys} got and {@link AtSign} share the same
    * {@link #selfEncryptKey} and {@link #encryptPrivateKey}
    */
   String apkamSymmetricKey;
 
   /**
-   * Encryption Key used to encrypt {@link org.atsign.common.Keys.SelfKey}s and the pkam and
+   * Encryption Key used to encrypt {@link Keys.SelfKey}s and the pkam and
    * encryption key pairs
    * when they are externalised as JSON
    */
@@ -70,16 +69,16 @@ public class AtKeys {
 
   /**
    * This is used to encrypt the symmetric keys that are used to encrypt
-   * {@link org.atsign.common.Keys.SharedKey}s
-   * where the shared with {@link org.atsign.common.AtSign} is this {@link org.atsign.common.AtSign}
+   * {@link Keys.SharedKey}s
+   * where the shared with {@link AtSign} is this {@link AtSign}
    */
 
   String encryptPublicKey;
 
   /**
    * This is used to decrypt the symmetric keys that are used to encrypt
-   * {@link org.atsign.common.Keys.SharedKey}s
-   * where the shared with {@link org.atsign.common.AtSign} is this {@link org.atsign.common.AtSign}
+   * {@link Keys.SharedKey}s
+   * where the shared with {@link AtSign} is this {@link AtSign}
    */
   String encryptPrivateKey;
 
diff --git a/at_client/src/main/java/org/atsign/common/AtSign.java b/at_client/src/main/java/org/atsign/client/api/AtSign.java
similarity index 87%
rename from at_client/src/main/java/org/atsign/common/AtSign.java
rename to at_client/src/main/java/org/atsign/client/api/AtSign.java
index 2a3b1eea..af913ee4 100644
--- a/at_client/src/main/java/org/atsign/common/AtSign.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtSign.java
@@ -1,7 +1,7 @@
-package org.atsign.common;
+package org.atsign.client.api;
 
-import org.atsign.client.util.Preconditions;
-import org.atsign.client.util.TypedString;
+import org.atsign.client.impl.common.Preconditions;
+import org.atsign.client.impl.common.TypedString;
 
 
 /**
diff --git a/at_client/src/main/java/org/atsign/common/Keys.java b/at_client/src/main/java/org/atsign/client/api/Keys.java
similarity index 97%
rename from at_client/src/main/java/org/atsign/common/Keys.java
rename to at_client/src/main/java/org/atsign/client/api/Keys.java
index 1c88d0d7..2384c36d 100644
--- a/at_client/src/main/java/org/atsign/common/Keys.java
+++ b/at_client/src/main/java/org/atsign/client/api/Keys.java
@@ -1,9 +1,9 @@
-package org.atsign.common;
+package org.atsign.client.api;
 
 
-import static org.atsign.client.util.Preconditions.*;
-import static org.atsign.common.AtSign.createAtSign;
-import static org.atsign.common.Metadata.*;
+import static org.atsign.client.api.AtSign.createAtSign;
+import static org.atsign.client.api.Metadata.*;
+import static org.atsign.client.impl.common.Preconditions.*;
 
 import java.util.List;
 import java.util.concurrent.atomic.AtomicReference;
@@ -121,13 +121,15 @@ public String namespace() {
     }
 
     /**
-     *
      * @return the name without the namespace component.
      */
     public String nameWithoutNamespace() {
       return stripNamespace(name);
     }
 
+    /**
+     * @return the rawKey.
+     */
     @Override
     public String toString() {
       return rawKey;
@@ -146,7 +148,7 @@ protected String createRawKey() {
   }
 
   /**
-   * Represents a "public key" in the Atsign Platform
+   * Models a "public key" in the Atsign Platform specification.
    */
   public static class PublicKey extends AtKey {
     protected PublicKey(AtSign sharedBy, String name, Metadata metadata) {
@@ -176,7 +178,7 @@ public static PublicKey publicKey(AtSign sharedBy, String name, String namespace
   }
 
   /**
-   * Represents a "self key" in the Atsign Platform
+   * Models a "self key" in the Atsign Platform specification.
    */
   public static class SelfKey extends AtKey {
     protected SelfKey(AtSign sharedBy, AtSign sharedWith, String name, Metadata metadata) {
@@ -207,7 +209,7 @@ public static SelfKey selfKey(AtSign sharedBy, AtSign sharedWith, String name, S
   }
 
   /**
-   * Represents a "shared key" in the Atsign Platform
+   * Models a "shared key" in the Atsign Platform specification.
    */
   public static class SharedKey extends AtKey {
     protected SharedKey(AtSign sharedBy, AtSign sharedWith, String name, Metadata metadata) {
diff --git a/at_client/src/main/java/org/atsign/common/Metadata.java b/at_client/src/main/java/org/atsign/client/api/Metadata.java
similarity index 96%
rename from at_client/src/main/java/org/atsign/common/Metadata.java
rename to at_client/src/main/java/org/atsign/client/api/Metadata.java
index 98f3f4f0..56284640 100644
--- a/at_client/src/main/java/org/atsign/common/Metadata.java
+++ b/at_client/src/main/java/org/atsign/client/api/Metadata.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.api;
 
 import java.time.OffsetDateTime;
 
@@ -8,6 +8,7 @@
 import lombok.Value;
 import lombok.experimental.Accessors;
 import lombok.extern.jackson.Jacksonized;
+import org.atsign.client.impl.util.JsonUtils;
 
 /**
  * Value class which models key metadata in the Atsign Platform
@@ -46,7 +47,8 @@ public class Metadata {
 
   /**
    * A builder for instantiating {@link Metadata} instances. Note: Metadata is immutable so if you
-   * want create a modified instance then use the toBuilder() method, override the fields and invoke
+   * want to create a modified instance then use the toBuilder() method, override the fields and
+   * invoke
    * build().
    */
   public static class MetadataBuilder {
@@ -54,9 +56,13 @@ public static class MetadataBuilder {
   };
 
   public static Metadata fromJson(String json) throws JsonProcessingException {
-    return Json.MAPPER.readValue(json, Metadata.class);
+    return JsonUtils.MAPPER.readValue(json, Metadata.class);
   }
 
+  /**
+   *
+   * @return the encoded metadata fields as recognized by an at server in an update command.
+   */
   @Override
   public String toString() {
     return new StringBuilder()
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java b/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java
deleted file mode 100644
index 9de3f770..00000000
--- a/at_client/src/main/java/org/atsign/client/api/impl/clients/AtClients.java
+++ /dev/null
@@ -1,62 +0,0 @@
-package org.atsign.client.api.impl.clients;
-
-
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import org.atsign.client.api.AtClient;
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.events.SimpleAtEventBus;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.api.AtEndpointSupplier;
-import org.atsign.client.connection.api.ReconnectStrategy;
-import org.atsign.client.connection.common.SimpleReconnectStrategy;
-import org.atsign.client.connection.netty.NettyAtClientConnection;
-import org.atsign.client.connection.netty.NettyAtEndpointSupplier;
-import org.atsign.client.connection.protocol.Authentication;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-
-import lombok.Builder;
-
-/**
- * Utilities for instantiating AtClient implementations
- */
-public class AtClients {
-
-  @Builder(builderClassName = "AtClientsBuilder", builderMethodName = "builder")
-  public static AtClient createAtClient(String url,
-                                        AtSign atSign,
-                                        AtKeys keys,
-                                        ReconnectStrategy reconnect,
-                                        Boolean isVerbose)
-      throws AtException {
-
-    // Netty based connection implementation
-    AtClientConnection connection = NettyAtClientConnection.builder()
-        .endpoint(createEndpointSupplier(url, atSign))
-        .isVerbose(isVerbose)
-        .reconnect(reconnect != null ? reconnect : SimpleReconnectStrategy.builder().build())
-        .onReady(Authentication.pkamAuthenticator(atSign, keys))
-        .build();
-
-    return DefaultAtClientImpl.builder()
-        .atSign(atSign)
-        .keys(keys)
-        .connection(connection)
-        .eventBus(new SimpleAtEventBus())
-        .build();
-  }
-
-  private static AtEndpointSupplier createEndpointSupplier(String url, AtSign atSign) {
-    Matcher matcher = Pattern.compile("proxy:(.+)").matcher(url);
-    if (matcher.matches()) {
-      return () -> matcher.group(1);
-    } else {
-      return NettyAtEndpointSupplier.builder()
-          .rootUrl(url)
-          .atsign(atSign)
-          .build();
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/api/package-info.java b/at_client/src/main/java/org/atsign/client/api/package-info.java
new file mode 100644
index 00000000..b2fb5738
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/api/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * The core interfaces and data types for the AtSign Jaca SDK.
+ */
+package org.atsign.client.api;
diff --git a/at_client/src/main/java/org/atsign/client/cli/Register.java b/at_client/src/main/java/org/atsign/client/cli/Register.java
deleted file mode 100644
index f2f7974c..00000000
--- a/at_client/src/main/java/org/atsign/client/cli/Register.java
+++ /dev/null
@@ -1,288 +0,0 @@
-package org.atsign.client.cli;
-
-import java.io.IOException;
-import java.util.*;
-import java.util.concurrent.Callable;
-
-import org.atsign.client.util.RegisterUtil;
-import org.atsign.common.*;
-import org.atsign.common.exceptions.AtRegistrarException;
-import org.atsign.config.ConfigReader;
-
-import picocli.CommandLine;
-import picocli.CommandLine.Command;
-import picocli.CommandLine.Option;
-
-/**
- * Command line interface to claim a free atsign. Requires one-time-password
- * received on the provided email to validate.
- * Registers the free atsign to provided email
- */
-@Command(name = "register", description = "Get an atsign and register")
-public class Register implements Callable<String> {
-  @Option(names = {"-e", "--email"}, description = "email to register a free atsign using otp-auth")
-  static String email = "";
-
-  @Option(names = {"-k", "--api-key"}, description = "register an atsign using super-API key")
-  static String apiKey = "";
-
-  Map<String, String> params = new HashMap<>();
-  boolean superApiKeyMode = false;
-
-  public static void main(String[] args) throws AtException {
-    int status = new CommandLine(new Register()).execute(args);
-    System.exit(status);
-  }
-
-  /**
-   * contains actual register logic.
-   * main() calls this method with args passed through CLI
-   */
-  @Override
-  public String call() throws Exception {
-
-    readParameters();
-    if (superApiKeyMode) {
-      new RegistrationFlow(params).add(new GetFreeAtsignWithSuperApiKey()).add(new ActivateAtsignWithSuperApiKey())
-          .start();
-
-    } else {
-      // parameter confirmation needs to be manually inserted into the params map
-      params.put("confirmation", "false");
-      new RegistrationFlow(params).add(new GetFreeAtsign()).add(new RegisterAtsign()).add(new ValidateOtp()).start();
-    }
-
-    String[] onboardArgs = new String[] {
-        "onboard",
-        "-r", params.get("rootDomain") + ":" + params.get("rootPort"),
-        "-a", params.get("atSign"),
-        "-c", params.get("cram")};
-    Activate.main(onboardArgs);
-
-    return "Done.";
-  }
-
-  void readParameters() throws IOException {
-
-    // checks to ensure only either of email or super-API key are provided as args.
-    // if super-API key is provided sets superApiKeyMode to true
-    if ("".equals(email) && !"".equals(apiKey)) {
-      superApiKeyMode = true;
-    } else if ("".equals(apiKey) && !"".equals(email)) {
-      superApiKeyMode = false;
-    } else {
-      System.err.println(
-                         "Usage: Register -e <email@email.com> (or)\nRegister -k <Your API Key>"
-                             + "\nNOTE: Use email if you prefer activating using verification code."
-                             + " Use API key option if you have a SuperAPI key. You can NOT use both.");
-      System.exit(1);
-    }
-
-    params.put("rootDomain", ConfigReader.getProperty("rootServer", "domain"));
-    if (params.get("rootDomain") == null) {
-      // reading config from older configuration syntax for backwards compatibility
-      params.put("rootDomain", ConfigReader.getProperty("ROOT_DOMAIN"));
-    }
-
-    params.put("rootPort", ConfigReader.getProperty("rootServer", "port"));
-    if (params.get("rootPort") == null) {
-      // reading config from older configuration syntax for backwards compatibility
-      params.put("rootPort", ConfigReader.getProperty("ROOT_PORT"));
-    }
-    System.out.println("RootServer is " + params.get("rootDomain") + ":" + params.get("rootPort"));
-
-    params.put("registrarUrl", ConfigReader.getProperty("registrarV3", "url"));
-    if (params.get("registrarUrl") == null) {
-      // reading config from older configuration syntax for backwards compatibility
-      params.put("registrarUrl", ConfigReader.getProperty("REGISTRAR_URL"));
-    }
-
-    if (!superApiKeyMode && "".equals(apiKey)) {
-      params.put("apiKey", ConfigReader.getProperty("registrar", "apiKey"));
-      if (params.get("apiKey") == null) {
-        // reading config from older configuration syntax for backwards compatibility
-        params.put("apiKey", ConfigReader.getProperty("API_KEY"));
-      }
-    }
-
-    // adding email/apiKey to params whichever is passed through command line args
-    if (!superApiKeyMode) {
-      params.put("email", email);
-    } else {
-      params.put("apiKey", apiKey);
-    }
-
-    // ensure all required params have been set
-    if (!params.containsKey("rootDomain") || !params.containsKey("rootPort") || !params.containsKey("registrarUrl")
-        || !params.containsKey("apiKey")) {
-      System.err.println(
-                         "Please make sure to set all relevant configuration in src/main/resources/config.yaml");
-      System.exit(1);
-    }
-  }
-}
-
-
-class RegistrationFlow {
-  List<RegisterApiTask<RegisterApiResult<Map<String, String>>>> processFlow = new ArrayList<>();
-  RegisterApiResult<Map<String, String>> result;
-  Map<String, String> params;
-  RegisterUtil registerUtil = new RegisterUtil();
-
-  RegistrationFlow(Map<String, String> params) {
-    this.params = params;
-  }
-
-  RegistrationFlow add(RegisterApiTask<RegisterApiResult<Map<String, String>>> task) {
-    processFlow.add(task);
-    return this;
-  }
-
-  void start() throws Exception {
-    for (RegisterApiTask<RegisterApiResult<Map<String, String>>> task : processFlow) {
-      // initialize each task by passing params to init()
-      task.init(params, registerUtil);
-      result = task.run();
-      if (result.apiCallStatus.equals(ApiCallStatus.retry)) {
-        while (task.shouldRetry()
-            && result.apiCallStatus.equals(ApiCallStatus.retry)) {
-          result = task.run();
-          task.retryCount++;
-        }
-      }
-      if (result.apiCallStatus.equals(ApiCallStatus.success)) {
-        params.putAll(result.data);
-      } else {
-        throw result.atException;
-      }
-    }
-  }
-}
-
-
-class GetFreeAtsign extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
-
-  @Override
-  public RegisterApiResult<Map<String, String>> run() {
-    System.out.println("Fetching free atsign ...");
-    try {
-      result.data.put("atSign",
-                      registerUtil.getFreeAtsign(params.get("registrarUrl"), params.get("apiKey")));
-      result.apiCallStatus = ApiCallStatus.success;
-      System.out.println("\tFetched new atsign: " + "@" + result.data.get("atSign"));
-    } catch (AtRegistrarException e) {
-      result.atException = e;
-    } catch (Exception e) {
-      result.atException = new AtRegistrarException("error while getting free atsign", e);
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    }
-    return result;
-  }
-}
-
-
-class RegisterAtsign extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
-
-  @Override
-  public RegisterApiResult<Map<String, String>> run() {
-    System.out.println("Sending verification code to: " + params.get("email"));
-    try {
-      result.data.put("otpSent",
-                      registerUtil.registerAtsign(params.get("email"), new AtSign(params.get("atSign")),
-                                                  params.get("registrarUrl"), params.get("apiKey"))
-                          .toString());
-      result.apiCallStatus = ApiCallStatus.success;
-    } catch (Exception e) {
-      result.atException = new AtRegistrarException(e.getMessage(), e.getCause());
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    }
-    return result;
-  }
-}
-
-
-class ValidateOtp extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
-  Scanner scanner = new Scanner(System.in);
-
-  @Override
-  public RegisterApiResult<Map<String, String>> run() {
-    try {
-      // only ask for user input the first time. use the otp entry in params map in
-      // subsequent api requests
-      if (!params.containsKey("otp")) {
-        System.out.println("Enter verification code received on " + params.get("email")
-            + " [verification code is case sensitive]");
-        params.put("otp", scanner.nextLine());
-        System.out.println("Validating verification code ...");
-      }
-      String apiResponse = registerUtil.validateOtp(params.get("email"), new AtSign(params.get("atSign")),
-                                                    params.get("otp"), params.get("registrarUrl"), params.get("apiKey"),
-                                                    Boolean.parseBoolean(params.get("confirmation")));
-      if ("retry".equals(apiResponse)) {
-        System.err.println("Incorrect OTP!!! Please re-enter your OTP");
-        params.put("otp", scanner.nextLine());
-        result.apiCallStatus = ApiCallStatus.retry;
-        result.atException = new AtRegistrarException("Only 3 retries allowed to re-enter OTP - Incorrect OTP entered");
-      } else if ("follow-up".equals(apiResponse)) {
-        params.put("confirmation", "true");
-        result.apiCallStatus = ApiCallStatus.retry;
-      } else if (apiResponse.startsWith("@")) {
-        result.data.put("cram", apiResponse.split(":")[1]);
-        System.out.println("\tRCVD cram: " + result.data.get("cram"));
-        System.out.println("Done.");
-        result.apiCallStatus = ApiCallStatus.success;
-        scanner.close();
-      }
-    } catch (AtRegistrarException e) {
-      result.atException = e;
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    } catch (Exception e) {
-      result.atException = new AtRegistrarException("Failed while validating OTP", e);
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    }
-    return result;
-  }
-}
-
-
-class GetFreeAtsignWithSuperApiKey extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
-  @Override
-  public RegisterApiResult<Map<String, String>> run() {
-    System.out.println("Getting atSign ...");
-    try {
-      result.data.putAll(registerUtil.getAtsignWithSuperApiKey(params.get("registrarUrl"), params.get("apiKey")));
-      System.out.println("Got atsign: " + result.data.get("atSign"));
-      result.apiCallStatus = ApiCallStatus.success;
-    } catch (AtRegistrarException e) {
-      result.atException = e;
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    } catch (Exception e) {
-      result.atException = new AtRegistrarException("Failed while getting atSign", e);
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    }
-    return result;
-  }
-}
-
-
-class ActivateAtsignWithSuperApiKey extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
-  @Override
-  public RegisterApiResult<Map<String, String>> run() {
-    try {
-      result.data.put(
-                      "cram", registerUtil
-                          .activateAtsignWithSuperApiKey(params.get("registrarUrl"), params.get("apiKey"),
-                                                         new AtSign(params.get("atSign")), params.get("ActivationKey"))
-                          .split(":")[1]);
-      result.apiCallStatus = ApiCallStatus.success;
-      System.out.println("Your cram secret: " + result.data.get("cram"));
-    } catch (AtRegistrarException e) {
-      result.atException = e;
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    } catch (Exception e) {
-      result.atException = new AtRegistrarException("Failed while activating atSign", e);
-      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
-    }
-    return result;
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java
deleted file mode 100644
index e19ff0e4..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/api/ReconnectStrategy.java
+++ /dev/null
@@ -1,50 +0,0 @@
-package org.atsign.client.connection.api;
-
-/**
- * A strategy for controlling re-connection behavior
- */
-public interface ReconnectStrategy {
-
-  boolean isReconnectSupported();
-
-  void onConnectFailure(Throwable ex);
-
-  void onConnect();
-
-  void onDisconnect(Throwable ex);
-
-  long getReconnectPauseMillis();
-
-  boolean isReresolveEndpoint();
-
-  /**
-   * A strategy where no reconnection is required
-   */
-  ReconnectStrategy NONE = new ReconnectStrategy() {
-
-    @Override
-    public boolean isReconnectSupported() {
-      return false;
-    }
-
-    @Override
-    public void onConnectFailure(Throwable ex) {}
-
-    @Override
-    public void onConnect() {}
-
-    @Override
-    public void onDisconnect(Throwable ex) {}
-
-    @Override
-    public long getReconnectPauseMillis() {
-      return 0;
-    }
-
-    @Override
-    public boolean isReresolveEndpoint() {
-      return false;
-    }
-  };
-
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java b/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java
deleted file mode 100644
index d8ae2cc3..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtEndpointSupplier.java
+++ /dev/null
@@ -1,60 +0,0 @@
-package org.atsign.client.connection.netty;
-
-import org.atsign.client.connection.api.AtEndpointSupplier;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
-
-import lombok.Builder;
-
-import javax.net.ssl.SSLContext;
-
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import static org.atsign.client.util.Preconditions.checkNotNull;
-
-/**
- * An implementation that uses a {@link NettyAtClientConnection} to connect to the
- * root / directory server and resolve the endpoint for a specific {@link AtSign}
- */
-public class NettyAtEndpointSupplier implements AtEndpointSupplier {
-
-  private final AtSign atsign;
-
-  private final NettyAtClientConnection.NettyAtClientConnectionBuilder connectionBuilder;
-
-  @Builder
-  public NettyAtEndpointSupplier(String rootUrl, AtSign atsign, Long timeoutMillis, SSLContext sslContext) {
-    this.atsign = checkNotNull(atsign, "atSign not set");
-    String hostAndPort = defaultPort(checkNotNull(rootUrl, "rootUrl not set"));
-    this.connectionBuilder = NettyAtClientConnection.builder()
-        .endpoint(() -> hostAndPort)
-        .timeoutMillis(timeoutMillis)
-        .sslContext(sslContext);
-  }
-
-  @Override
-  public String get() throws AtSecondaryNotFoundException {
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      return checkNotBlank(connection.sendSync(atsign.withoutPrefix()));
-    } catch (Exception e) {
-      throw new AtSecondaryNotFoundException("unable to resolve the endpoint for " + atsign, e);
-    }
-  }
-
-  private static String checkNotBlank(String s) throws AtSecondaryNotFoundException {
-    if (s == null || s.isBlank() || "null".equals(s)) {
-      throw new AtSecondaryNotFoundException("unable to resolve the endpoint");
-    }
-    return s;
-  }
-
-  private static String defaultPort(String hostAndPort) {
-    Matcher matcher = Pattern.compile("([^:]+):(\\d+)").matcher(hostAndPort);
-    if (matcher.matches()) {
-      return hostAndPort;
-    } else {
-      return hostAndPort + ":" + 64;
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java
deleted file mode 100644
index 44dace2d..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Authentication.java
+++ /dev/null
@@ -1,104 +0,0 @@
-package org.atsign.client.connection.protocol;
-
-import static org.atsign.client.connection.protocol.AtExceptions.throwOnReadyException;
-import static org.atsign.client.connection.protocol.Data.matchDataStringNoWhitespace;
-import static org.atsign.client.connection.protocol.Data.matchDataSuccess;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.concurrent.ExecutionException;
-import java.util.function.Consumer;
-
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.util.EncryptionUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.VerbBuilders;
-import org.atsign.common.exceptions.AtEncryptionException;
-import org.atsign.common.exceptions.AtUnauthenticatedException;
-
-/**
- * Utility methods for handling authentication within the AtSign protocol
- */
-public class Authentication {
-
-  public static Consumer<AtClientConnection> pkamAuthenticator(AtSign atSign, AtKeys keys) {
-    return throwOnReadyException(connection -> authenticateWithPkam(connection, atSign, keys));
-  }
-
-  public static void authenticateWithPkam(AtClientConnection connection, AtSign atSign, AtKeys keys)
-      throws AtException {
-    try {
-
-      // send a from command and expect to receive a challenge
-      String fromCommand = VerbBuilders.fromCommandBuilder().atSign(atSign).build();
-      String fromResponse = connection.sendSync(fromCommand);
-      String challenge = matchDataStringNoWhitespace(throwExceptionIfError(fromResponse));
-
-      // send a pkam command with the signed challenge
-      String signature = EncryptionUtil.signSHA256RSA(challenge, keys.getApkamPrivateKey());
-      VerbBuilders.PkamCommandBuilder pkamCommandBuilder = VerbBuilders.pkamCommandBuilder();
-      if (keys.hasEnrollmentId()) {
-        pkamCommandBuilder.signingAlgo(EncryptionUtil.SIGNING_ALGO_RSA);
-        pkamCommandBuilder.hashingAlgo(EncryptionUtil.HASHING_ALGO_SHA256);
-        pkamCommandBuilder.enrollmentId(keys.getEnrollmentId());
-      }
-      pkamCommandBuilder.digest(signature);
-      String pkamCommand = pkamCommandBuilder.build();
-      String pkamResponse = connection.sendSync(pkamCommand);
-
-      // verify that pkam has succeeded
-      matchDataSuccess(throwExceptionIfError(pkamResponse));
-    } catch (RuntimeException | ExecutionException | InterruptedException e) {
-      throw new AtUnauthenticatedException("PKAM command failed : " + e.getMessage());
-    }
-  }
-
-  public static void authenticateWithCram(AtClientConnection connection, AtSign atSign, String cramSecret)
-      throws AtException {
-    try {
-
-      // send a from command and expect to receive a challenge
-      String fromCommand = VerbBuilders.fromCommandBuilder().atSign(atSign).build();
-      String fromResponse = connection.sendSync(fromCommand);
-      String challenge = matchDataStringNoWhitespace(throwExceptionIfError(fromResponse));
-
-      // send a cram command
-      String cramDigest = createDigest(cramSecret, challenge);
-      String cramCommand = VerbBuilders.cramCommandBuilder().digest(cramDigest).build();
-      String cramResponse = connection.sendSync(cramCommand);
-
-      // verify that cram succeeded
-      matchDataSuccess(throwExceptionIfError(cramResponse));
-
-    } catch (RuntimeException | ExecutionException | InterruptedException e) {
-      throw new AtUnauthenticatedException("CRAM command failed : " + e.getMessage());
-    }
-  }
-
-  private static String createDigest(String cramSecret, String challenge) throws AtEncryptionException {
-    try {
-      String digestInput = cramSecret + challenge;
-      byte[] digestInputBytes = digestInput.getBytes(StandardCharsets.UTF_8);
-      byte[] digest = MessageDigest.getInstance("SHA-512").digest(digestInputBytes);
-      return bytesToHex(digest);
-    } catch (RuntimeException | NoSuchAlgorithmException e) {
-      throw new AtEncryptionException("failed to generate cramDigest", e);
-    }
-  }
-
-  private static final char[] HEX_ARRAY = "0123456789abcdef".toCharArray();
-
-  public static String bytesToHex(byte[] bytes) {
-    char[] hexChars = new char[bytes.length * 2];
-    for (int j = 0; j < bytes.length; j++) {
-      int v = bytes[j] & 0xFF;
-      hexChars[j * 2] = HEX_ARRAY[v >>> 4];
-      hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
-    }
-    return new String(hexChars);
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Data.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Data.java
deleted file mode 100644
index ccb84969..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Data.java
+++ /dev/null
@@ -1,117 +0,0 @@
-package org.atsign.client.connection.protocol;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import org.atsign.common.Json;
-import org.atsign.common.Metadata;
-import org.atsign.common.response_models.LookupResponse;
-
-import java.util.List;
-import java.util.Map;
-import java.util.regex.Pattern;
-
-/**
- * Utilities for handling data responses in the AtSign protocol
- */
-public class Data {
-
-  /**
-   * models server response string which is non-empty JSON map
-   */
-  protected static final Pattern DATA_JSON_NON_EMPTY_MAP = Pattern.compile("data:(\\{.+})");
-
-  /**
-   * models server response string which is JSON map
-   */
-  protected static final Pattern DATA_JSON_MAP = Pattern.compile("data:(\\{.*})");
-
-  /**
-   * models server response string which is non-empty JSON list
-   */
-  protected static final Pattern DATA_JSON_LIST = Pattern.compile("data:(\\[.*])");
-
-  /**
-   * models server response string which is integer
-   */
-  protected static final Pattern DATA_INT = Pattern.compile("data:(-?\\d+)");
-
-  /**
-   * models server response string containing no whitespace
-   */
-  public static final Pattern DATA_NON_WHITESPACE = Pattern.compile("data:(\\S+)");
-
-  /**
-   * models server data response
-   */
-  public static final Pattern DATA = Pattern.compile("data:(.+)");
-
-  /**
-   * models server response string containing no whitespace
-   */
-  public static final Pattern DATA_SUCCESS = Pattern.compile("data:(success)");
-
-  public static String matchDataSuccess(String input) {
-    return Responses.match(input, DATA_SUCCESS);
-  }
-
-  public static String matchDataStringNoWhitespace(String input) {
-    return Responses.match(input, DATA_NON_WHITESPACE);
-  }
-
-  public static String matchData(String input) {
-    return Responses.match(input, DATA);
-  }
-
-  public static int matchDataInt(String input) {
-    return Responses.match(input, DATA_INT, Integer::parseInt);
-  }
-
-  public static List<Object> matchDataJsonList(String input) {
-    return Responses.match(input, DATA_JSON_LIST, Responses::decodeJsonList);
-  }
-
-  public static List<String> matchDataJsonListOfStrings(String input) {
-    return Responses.match(input, DATA_JSON_LIST, Responses::decodeJsonListOfStrings);
-  }
-
-  public static Map<String, String> matchDataJsonMapOfStrings(String input, boolean allowEmpty) {
-    return Responses.match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP,
-                           Responses::decodeJsonMapOfStrings);
-  }
-
-  public static Map<String, Object> matchDataJsonMapOfObjects(String input, boolean allowEmpty) {
-    return Responses.match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP,
-                           Responses::decodeJsonMapOfObjects);
-  }
-
-  public static Map<String, String> matchDataJsonMapOfStrings(String input) {
-    return matchDataJsonMapOfStrings(input, false);
-  }
-
-  public static Map<String, Object> matchDataJsonMapOfObjects(String input) {
-    return matchDataJsonMapOfObjects(input, false);
-  }
-
-  public static LookupResponse matchLookupResponse(String s) {
-    return Responses.match(s, DATA_JSON_NON_EMPTY_MAP, Data::toLookupResponse);
-  }
-
-  public static LookupResponse toLookupResponse(String s) {
-    try {
-      return Json.MAPPER.readValue(s, LookupResponse.class);
-    } catch (JsonProcessingException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  public static Metadata matchMetadata(String s) {
-    return Responses.match(s, DATA_JSON_NON_EMPTY_MAP, Data::toMetaData);
-  }
-
-  public static Metadata toMetaData(String s) {
-    try {
-      return Json.MAPPER.readValue(s, Metadata.class);
-    } catch (JsonProcessingException e) {
-      throw new RuntimeException(e);
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java
deleted file mode 100644
index b77f1867..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Keys.java
+++ /dev/null
@@ -1,82 +0,0 @@
-package org.atsign.client.connection.protocol;
-
-import static org.atsign.client.connection.protocol.Data.*;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-import static org.atsign.common.VerbBuilders.LookupOperation.meta;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.ExecutionException;
-
-import org.atsign.client.api.AtKeyNames;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.Keys.AtKey;
-import org.atsign.common.Metadata;
-import org.atsign.common.VerbBuilders;
-
-import lombok.extern.slf4j.Slf4j;
-
-/**
- * Atsign Protocol utility code that relates to keys (the records) that are managed by an
- * atserver.
- *
- */
-@Slf4j
-public class Keys {
-
-  public static void deleteKey(AtClientConnection connection, String rawKey) throws AtException {
-    try {
-
-      // send a delete command
-      String deleteCommand = VerbBuilders.deleteCommandBuilder().rawKey(rawKey).build();
-      String deleteResponse = connection.sendSync(deleteCommand);
-
-      // verify command succeeded
-      Data.matchDataInt(throwExceptionIfError(deleteResponse));
-
-    } catch (ExecutionException | InterruptedException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  public static void deleteKey(AtClientConnection conn, AtKey key) throws AtException {
-    deleteKey(conn, key.rawKey());
-  }
-
-  public static List<AtKey> getKeys(AtClientConnection conn, String regex, boolean fetchMetadata) throws AtException {
-
-    try {
-
-      // send scan command and decode response
-      String scanCommand = VerbBuilders.scanCommandBuilder().regex(regex).showHidden(true).build();
-      String scanResponse = conn.sendSync(scanCommand);
-      List<String> keyNames = matchDataJsonListOfStrings(throwExceptionIfError(scanResponse));
-
-      // build typed key instances from each key name (optionally looking up metadata)
-      List<AtKey> atKeys = new ArrayList<>();
-      for (String keyName : keyNames) {
-        if (!AtKeyNames.isManagementKeyName(keyName)) {
-          Metadata metadata = fetchMetadata ? fetchMetadata(conn, keyName) : null;
-          AtKey atKey = org.atsign.common.Keys.keyBuilder()
-              .rawKey(keyName)
-              .metadata(metadata)
-              .build();
-          atKeys.add(atKey);
-        }
-      }
-
-      return atKeys;
-
-    } catch (ExecutionException | InterruptedException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  private static Metadata fetchMetadata(AtClientConnection conn, String keyName)
-      throws ExecutionException, InterruptedException, AtException {
-    String llookupCommand = VerbBuilders.llookupCommandBuilder().operation(meta).rawKey(keyName).build();
-    String llookupResponse = conn.sendSync(llookupCommand);
-    return matchMetadata(throwExceptionIfError(llookupResponse));
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java b/at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java
deleted file mode 100644
index ac1697bf..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Scan.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package org.atsign.client.connection.protocol;
-
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-
-import java.util.List;
-import java.util.concurrent.ExecutionException;
-
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.VerbBuilders;
-
-/**
- * Atsign protocol utility code that relates querying the keys in an atserver.
- *
- */
-
-public class Scan {
-
-  public static List<String> scan(AtClientConnection connection, boolean showHidden, String regex) throws AtException {
-    try {
-
-      // send scan command
-      String scanCommand = VerbBuilders.scanCommandBuilder()
-          .showHidden(showHidden)
-          .regex(regex)
-          .build();
-      String scanResponse = connection.sendSync(scanCommand);
-
-      // return unmarshalled key names
-      return Data.matchDataJsonListOfStrings(throwExceptionIfError(scanResponse));
-
-    } catch (ExecutionException | InterruptedException e) {
-      throw new RuntimeException(e);
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java b/at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java
deleted file mode 100644
index 295e5094..00000000
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-/**
- * Utilities which given an {@link org.atsign.client.connection.api.AtClientConnection}
- * can perform common functions such as authentication, atsign onboarding and
- * enrollment. In some case these are simply sending the appropriate At Protocol command
- * and verifying the response. Other scenarios such as those relating shared keys
- * require some workflow.
- */
-package org.atsign.client.connection.protocol;
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java b/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
similarity index 62%
rename from at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
rename to at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
index 141fec69..8fab116f 100644
--- a/at_client/src/main/java/org/atsign/client/api/impl/clients/DefaultAtClientImpl.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
@@ -1,11 +1,10 @@
-package org.atsign.client.api.impl.clients;
+package org.atsign.client.impl;
 
 import static org.atsign.client.api.AtEvents.AtEventType.decryptedUpdateNotification;
-import static org.atsign.client.util.EncryptionUtil.aesDecryptFromBase64;
-import static org.atsign.client.util.EncryptionUtil.rsaDecryptFromBase64;
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+import static org.atsign.client.impl.util.EncryptionUtils.aesDecryptFromBase64;
+import static org.atsign.client.impl.util.EncryptionUtils.rsaDecryptFromBase64;
 
-import java.io.IOException;
 import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
@@ -13,36 +12,49 @@
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.atsign.client.api.AtClient;
+import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.api.AtEvents.AtEventBus;
 import org.atsign.client.api.AtEvents.AtEventListener;
 import org.atsign.client.api.AtEvents.AtEventType;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.protocol.*;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys.AtKey;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.exceptions.AtDecryptionException;
-import org.atsign.common.options.GetRequestOptions;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys.AtKey;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.commands.*;
+import org.atsign.client.impl.exceptions.AtDecryptionException;
+import org.atsign.client.impl.exceptions.AtException;
 
 import lombok.Builder;
 import lombok.extern.slf4j.Slf4j;
 
 /**
- * Implementation of an {@link AtClient} which wraps a
- * {@link org.atsign.client.connection.api.AtClientConnection}
- * in order to implement the "map like" features of the {@link AtClient} interface
+ * Implementation of an {@link AtClient} which uses a {@link AtCommandExecutor} and
+ * the "composite" AtPlatform Protocol commands in {@link org.atsign.client.impl.commands}
+ * with an embedded {@link AtEventBus}.
+ * Example usage:
+ *
+ * <pre>
+ * AtClientImplBuilder builder = AtClientImpl.builder()
+ *     .atSign(createAtSign("colin"))
+ *     .keys(...)
+ *     .executor(...)
+ *     .eventBus(...);
+ *
+ * try (AtClient client = builder.build()) {
+ *     client.startMonitor();
+ *     client.put(...);
+ *     client.get(...);
+ * }
+ * </pre>
  */
-@SuppressWarnings({"RedundantThrows", "unused"})
 @Slf4j
-public class DefaultAtClientImpl implements AtClient {
+public class AtClientImpl implements AtClient {
 
   private final AtSign atSign;
   private final AtKeys keys;
-  private final AtClientConnection connection;
+  private final AtCommandExecutor executor;
   private final AtEventBus eventBus;
   private final AtomicBoolean isMonitoring = new AtomicBoolean();
   private final Notifications.EventBusBridge eventBusBridge;
@@ -53,45 +65,36 @@ public AtSign getAtSign() {
   }
 
   @Override
-  public AtKeys getEncryptionKeys() {
-    return keys;
-  }
-
-  @Override
-  public AtClientConnection getCommandExecutor() {
-    return connection;
+  public AtCommandExecutor getCommandExecutor() {
+    return executor;
   }
 
   @Builder
-  public DefaultAtClientImpl(AtSign atSign, AtKeys keys, AtClientConnection connection, AtEventBus eventBus) {
+  public AtClientImpl(AtSign atSign, AtKeys keys, AtCommandExecutor executor, AtEventBus eventBus) {
     checkNotNull(keys.getEncryptPrivateKey(), "AtKeys have not been fully enrolled");
     this.atSign = atSign;
     this.keys = keys;
-    this.connection = connection;
+    this.executor = executor;
     this.eventBus = eventBus;
     this.eventBus.addEventListener(this::handleEvent, EnumSet.allOf(AtEventType.class));
     this.eventBusBridge = new Notifications.EventBusBridge(eventBus, atSign);
   }
 
   @Override
-  public void close() throws IOException {
-    try {
-      connection.close();
-    } catch (Exception e) {
-      throw new IOException(e);
-    }
+  public void close() throws Exception {
+    executor.close();
   }
 
   @Override
   public void startMonitor() {
     isMonitoring.compareAndSet(false, true);
-    connection.onReady(Notifications.monitor(atSign, keys, eventBusBridge::accept));
+    executor.onReady(Notifications.monitor(atSign, keys, eventBusBridge::accept));
   }
 
   @Override
   public void stopMonitor() {
     isMonitoring.compareAndSet(true, false);
-    connection.onReady(Authentication.pkamAuthenticator(atSign, keys));
+    executor.onReady(AuthenticationCommands.pkamAuthenticator(atSign, keys));
   }
 
   @Override
@@ -116,7 +119,8 @@ public int publishEvent(AtEventType eventType, Map<String, Object> eventData) {
 
   @Override
   public CompletableFuture<String> get(SharedKey sharedKey) {
-    return wrapAsync(() -> SharedKeys.get(connection, atSign, keys, sharedKey));
+    checkAtSignCanGet(atSign, sharedKey);
+    return wrapAsync(() -> SharedKeyCommands.get(executor, atSign, keys, sharedKey));
   }
 
   @Override
@@ -126,17 +130,20 @@ public CompletableFuture<byte[]> getBinary(SharedKey sharedKey) {
 
   @Override
   public CompletableFuture<Void> put(SharedKey sharedKey, String value) {
-    return wrapAsync(() -> SharedKeys.put(connection, atSign, keys, sharedKey, value));
+    checkAtSignCanPut(atSign, sharedKey);
+    return wrapAsync(() -> SharedKeyCommands.put(executor, atSign, keys, sharedKey, value));
   }
 
   @Override
   public CompletableFuture<Void> delete(SharedKey sharedKey) {
-    return wrapAsync(() -> Keys.deleteKey(connection, sharedKey));
+    checkAtSignCanPut(atSign, sharedKey);
+    return wrapAsync(() -> KeyCommands.deleteKey(executor, sharedKey));
   }
 
   @Override
   public CompletableFuture<String> get(SelfKey selfKey) {
-    return wrapAsync(() -> SelfKeys.get(connection, keys, selfKey));
+    checkAtSignCanGet(atSign, selfKey);
+    return wrapAsync(() -> SelfKeyCommands.get(executor, keys, selfKey));
   }
 
   @Override
@@ -146,22 +153,24 @@ public CompletableFuture<byte[]> getBinary(SelfKey selfKey) {
 
   @Override
   public CompletableFuture<Void> put(SelfKey selfKey, String value) {
-    return wrapAsync(() -> SelfKeys.put(connection, keys, selfKey, value));
+    checkAtSignCanPut(atSign, selfKey);
+    return wrapAsync(() -> SelfKeyCommands.put(executor, keys, selfKey, value));
   }
 
   @Override
   public CompletableFuture<Void> delete(SelfKey selfKey) {
-    return wrapAsync(() -> Keys.deleteKey(connection, selfKey));
+    checkAtSignCanPut(atSign, selfKey);
+    return wrapAsync(() -> KeyCommands.deleteKey(executor, selfKey));
   }
 
   @Override
   public CompletableFuture<String> get(PublicKey publicKey) {
-    return wrapAsync(() -> PublicKeys.get(connection, atSign, publicKey, null));
+    return wrapAsync(() -> PublicKeyCommands.get(executor, atSign, publicKey, null));
   }
 
   @Override
   public CompletableFuture<String> get(PublicKey publicKey, GetRequestOptions options) {
-    return wrapAsync(() -> PublicKeys.get(connection, atSign, publicKey, options));
+    return wrapAsync(() -> PublicKeyCommands.get(executor, atSign, publicKey, options));
   }
 
   @Override
@@ -170,18 +179,20 @@ public CompletableFuture<byte[]> getBinary(PublicKey publicKey) {
   }
 
   @Override
-  public CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions getRequestOptions) {
+  public CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOptions options) {
     throw new UnsupportedOperationException("to be implemented");
   }
 
   @Override
   public CompletableFuture<Void> put(PublicKey publicKey, String value) {
-    return wrapAsync(() -> PublicKeys.put(connection, keys, publicKey, value));
+    checkAtSignCanPut(atSign, publicKey);
+    return wrapAsync(() -> PublicKeyCommands.put(executor, keys, publicKey, value));
   }
 
   @Override
   public CompletableFuture<Void> delete(PublicKey publicKey) {
-    return wrapAsync(() -> Keys.deleteKey(connection, publicKey));
+    checkAtSignCanPut(atSign, publicKey);
+    return wrapAsync(() -> KeyCommands.deleteKey(executor, publicKey));
   }
 
   @Override
@@ -208,7 +219,7 @@ public CompletableFuture<List<AtKey>> getAtKeys(String regex) {
   public CompletableFuture<List<AtKey>> getAtKeys(String regex, boolean fetchMetadata) {
     return CompletableFuture.supplyAsync(() -> {
       try {
-        return Keys.getKeys(connection, regex, fetchMetadata);
+        return KeyCommands.getKeys(executor, regex, fetchMetadata);
       } catch (Exception e) {
         throw new CompletionException(e);
       }
@@ -251,8 +262,8 @@ private void onUpdateNotification(Map<String, Object> eventData) throws AtExcept
       String encryptedValue = (String) eventData.get("value");
       Map<String, Object> metadata = (Map<String, Object>) eventData.get("metadata");
       String ivNonce = (String) metadata.get("ivNonce");
-      SharedKey sk = org.atsign.common.Keys.sharedKeyBuilder().rawKey(key).build();
-      String encryptKeySharedByOther = SharedKeys.getEncryptKeySharedByOther(connection, keys, sk);
+      SharedKey sk = org.atsign.client.api.Keys.sharedKeyBuilder().rawKey(key).build();
+      String encryptKeySharedByOther = SharedKeyCommands.getEncryptKeySharedByOther(executor, keys, sk);
       String decryptedValue = aesDecryptFromBase64(encryptedValue, encryptKeySharedByOther, ivNonce);
       HashMap<String, Object> newEventData = new HashMap<>(eventData);
       newEventData.put("decryptedValue", decryptedValue);
@@ -297,4 +308,35 @@ private static CompletableFuture<Void> wrapAsync(AtCommandThatReturnsVoid comman
     });
   }
 
+  public static void checkAtSignCanPut(AtSign atSign, PublicKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
+  public static void checkAtSignCanGet(AtSign atSign, SelfKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
+  public static void checkAtSignCanPut(AtSign atSign, SelfKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
+  public static void checkAtSignCanGet(AtSign atSign, SharedKey key) {
+    if (!key.sharedBy().equals(atSign) && !key.sharedWith().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is neither the sharedBy or sharedWith of " + key);
+    }
+  }
+
+  public static void checkAtSignCanPut(AtSign atSign, SharedKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtClients.java b/at_client/src/main/java/org/atsign/client/impl/AtClients.java
new file mode 100644
index 00000000..975dd1ab
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/AtClients.java
@@ -0,0 +1,58 @@
+package org.atsign.client.impl;
+
+import org.atsign.client.api.AtClient;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.common.SimpleAtEventBus;
+import org.atsign.client.impl.exceptions.AtException;
+
+import lombok.Builder;
+
+/**
+ * Utility methods / builders for instantiating {@link AtClient} implementations
+ * that are included in this library.
+ * Example usage:
+ *
+ * <pre>
+ * AtClientBuilder builder = AtClients.builder()
+ *     .url("vip.ve.atsign.zone:64")
+ *     .atSign(createAtSign("colin"))
+ *     .keys(...);
+ *
+ * try (AtClient client = builder.build()) {
+ *     client.startMonitor();
+ *     client.put(...);
+ *     client.get(...);
+ * }
+ * </pre>
+ *
+ */
+public class AtClients {
+
+  @Builder(builderClassName = "AtClientBuilder")
+  public static AtClient createAtClient(String url,
+                                        AtSign atSign,
+                                        AtKeys keys,
+                                        ReconnectStrategy reconnect,
+                                        Boolean isVerbose)
+      throws AtException {
+
+    AtCommandExecutor executor = AtCommandExecutors.builder()
+        .url(url)
+        .keys(keys)
+        .atSign(atSign)
+        .reconnect(reconnect)
+        .isVerbose(isVerbose)
+        .build();
+
+    SimpleAtEventBus eventBus = new SimpleAtEventBus();
+
+    return AtClientImpl.builder()
+        .atSign(atSign)
+        .keys(keys)
+        .executor(executor)
+        .eventBus(eventBus)
+        .build();
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java b/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
new file mode 100644
index 00000000..330454ca
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
@@ -0,0 +1,72 @@
+package org.atsign.client.impl;
+
+
+import java.util.function.Consumer;
+
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.commands.AuthenticationCommands;
+import org.atsign.client.impl.common.SimpleReconnectStrategy;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.netty.NettyAtCommandExecutor;
+
+import lombok.Builder;
+
+/**
+ * Utility methods / builders for instantiating {@link AtCommandExecutor} implementations
+ * that are included in this library.
+ * Example usage:
+ *
+ * <pre>
+ * AtCommandExecutorBuilder builder = AtCommandExecutors.builder()
+ *     .url("vip.ve.atsign.zone:64")
+ *     .atSign(createAtSign("colin"))
+ *     .keys(...);
+ *
+ * try (AtCommandExecutor executor = builder.build()) {
+ *     client.sendSync(...);
+ * }
+ * </pre>
+ *
+ * <b>NOTE:</b> If the url is prefixed with proxy (e.g. proxy:host:port) then the builder
+ * will automatically attempt to connect to an at server at host:port.
+ * <b>NOTE:</b> If atSign and keys are provided then the builder
+ * will automatically configure the {@link AtCommandExecutor} to authenticate with PKAM.
+ * <b>NOTE:</b> If reconnect is not set then the builder will default to a
+ * {@link SimpleReconnectStrategy}
+ */
+public class AtCommandExecutors {
+
+  @Builder(builderClassName = "AtCommandExecutorBuilder")
+  public static AtCommandExecutor createCommandExecutor(String url,
+                                                        AtSign atSign,
+                                                        AtKeys keys,
+                                                        ReconnectStrategy reconnect,
+                                                        Boolean isVerbose)
+      throws AtException {
+
+    return NettyAtCommandExecutor.builder()
+        .endpoint(AtEndpointSuppliers.builder().url(url).atSign(atSign).build())
+        .isVerbose(isVerbose)
+        .reconnect(defaultIfNotSet(reconnect))
+        .onReady(createOnReady(atSign, keys))
+        .build();
+  }
+
+  private static Consumer<AtCommandExecutor> createOnReady(AtSign atSign, AtKeys keys) {
+    Consumer<AtCommandExecutor> onReady;
+    if (atSign != null && keys != null) {
+      onReady = AuthenticationCommands.pkamAuthenticator(atSign, keys);
+    } else {
+      onReady = c -> {
+      };
+    }
+    return onReady;
+  }
+
+  private static ReconnectStrategy defaultIfNotSet(ReconnectStrategy reconnect) {
+    return reconnect != null ? reconnect : SimpleReconnectStrategy.builder().build();
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSupplier.java
similarity index 58%
rename from at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java
rename to at_client/src/main/java/org/atsign/client/impl/AtEndpointSupplier.java
index ee9fa6af..d141db40 100644
--- a/at_client/src/main/java/org/atsign/client/connection/api/AtEndpointSupplier.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSupplier.java
@@ -1,9 +1,9 @@
-package org.atsign.client.connection.api;
+package org.atsign.client.impl;
 
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+import org.atsign.client.impl.exceptions.AtSecondaryNotFoundException;
 
 /**
- * Something that is capable of supplying an endpoint string
+ * Something that is capable of supplying an endpoint string (e.g. tcp://host:port).
  */
 public interface AtEndpointSupplier {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
new file mode 100644
index 00000000..53cf1011
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
@@ -0,0 +1,69 @@
+package org.atsign.client.impl;
+
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.common.SimpleReconnectStrategy;
+import org.atsign.client.impl.netty.NettyAtEndpointSupplier;
+
+import lombok.Builder;
+
+/**
+ * Utility methods / builders for instantiating {@link AtEndpointSupplier} implementations
+ * that are included in this library.
+ * Example usage:
+ *
+ * <pre>
+ * AtEndpointSupplierBuilder builder = AtEndpointSupplier.builder()
+ *     .url("vip.ve.atsign.zone:64")
+ *     .atSign(createAtSign("colin"));
+ *
+ * try (AtEndpointSupplier endpoint = builder.build()) {
+ *   return endpoint.get();
+ * }
+ * </pre>
+ *
+ * <b>NOTE:</b> If the url is proxy:host:port then the {@link AtEndpointSupplier} will always be
+ * host:port.
+ * <b>NOTE:</b> If the url is host:port then the {@link AtEndpointSupplier} will assume that is the
+ * endpoint
+ * for the root server, and will resolve the {@link AtSign} endpoint via the root server.
+ * <b>NOTE:</b> If port is not specified then it will default to {@link #ROOT_SERVER_PORT}
+ * {@link SimpleReconnectStrategy}
+ */
+public class AtEndpointSuppliers {
+
+  private static final Pattern PATTERN_PROXY_URL = Pattern.compile("proxy:(.+)");
+
+  private static final Pattern PATTERN_ROOT_URL = Pattern.compile("([^:]+)(?::(\\d+))?");
+  public static final int ROOT_SERVER_PORT = 64;
+
+  @Builder
+  public static AtEndpointSupplier createEndpointSupplier(String url, AtSign atSign) {
+    checkNotNull(url, "url not set");
+
+    Matcher proxyMatcher = PATTERN_PROXY_URL.matcher(url);
+    if (proxyMatcher.matches()) {
+      checkNotNull(atSign, "atSign must be set for a proxy url");
+      checkNotNull(atSign, "keys must be set for a proxy url");
+      return () -> proxyMatcher.group(1);
+    }
+
+    Matcher directoryServerMatcher = PATTERN_ROOT_URL.matcher(url);
+    if (directoryServerMatcher.matches()) {
+      checkNotNull(atSign, "atSign must be set to resolve at server endpoint from " + url);
+      String hostname = directoryServerMatcher.group(1);
+      String port = directoryServerMatcher.group(2);
+      return NettyAtEndpointSupplier.builder()
+          .rootUrl(hostname + ":" + (port != null ? port : ROOT_SERVER_PORT))
+          .atsign(atSign)
+          .build();
+    }
+
+    throw new IllegalArgumentException("url is invalid");
+  }
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java
new file mode 100644
index 00000000..94e22acc
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java
@@ -0,0 +1,90 @@
+package org.atsign.client.impl;
+
+/**
+ * A strategy for controlling re-connection behavior for
+ * {@link org.atsign.client.api.AtCommandExecutor} implementations where there is
+ * a connection.
+ */
+public interface ReconnectStrategy {
+
+  /**
+   * Invoked by the {@link org.atsign.client.api.AtCommandExecutor} implementation to determine
+   * whether it should attempt to reconnect when it fails to connect or becomes disconnected.
+   *
+   * @return true if a {@link org.atsign.client.api.AtCommandExecutor} should ever attempt to
+   *         reconnect
+   */
+  boolean isReconnectSupported();
+
+  /**
+   * Invoked by the {@link org.atsign.client.api.AtCommandExecutor} if the implementation
+   * fails to connect. Can be used to maintain state / context that influences behavior.
+   *
+   * @param ex A throwable that indicated the connection failure.
+   */
+  void onConnectFailure(Throwable ex);
+
+  /**
+   * Invoked by the {@link org.atsign.client.api.AtCommandExecutor} if the implementation
+   * successfully connects. Can be used to maintain state / context that influences behavior.
+   *
+   */
+  void onConnect();
+
+  /**
+   * Invoked by the {@link org.atsign.client.api.AtCommandExecutor} if the implementation
+   * becomes disconnected. i.e. It was connect and now it is not connected.
+   * Can be used to maintain state / context that influences behavior.
+   *
+   * @param ex A throwable that indicated the disconnection.
+   */
+  void onDisconnect(Throwable ex);
+
+  /**
+   * Invoked by the {@link org.atsign.client.api.AtCommandExecutor} implementation to determine
+   * how long it should pause for before attempting ro reconnect.
+   *
+   * @return number of millis seconds to pause (less than 1 = no pause).
+   */
+  long getReconnectPauseMillis();
+
+  /**
+   * Invoked by the {@link org.atsign.client.api.AtCommandExecutor} implementation to determine
+   * whether it should re-resolve the connection endpoint (typically via {@link AtEndpointSupplier}
+   * prior to a reconnect attempt.
+   *
+   * @return true if a {@link org.atsign.client.api.AtCommandExecutor} should re-resolve.
+   */
+  boolean isReresolveEndpoint();
+
+  /**
+   * A strategy where no reconnection is required
+   */
+  ReconnectStrategy NONE = new ReconnectStrategy() {
+
+    @Override
+    public boolean isReconnectSupported() {
+      return false;
+    }
+
+    @Override
+    public void onConnectFailure(Throwable ex) {}
+
+    @Override
+    public void onConnect() {}
+
+    @Override
+    public void onDisconnect(Throwable ex) {}
+
+    @Override
+    public long getReconnectPauseMillis() {
+      return 0;
+    }
+
+    @Override
+    public boolean isReresolveEndpoint() {
+      return false;
+    }
+  };
+
+}
diff --git a/at_client/src/main/java/org/atsign/client/cli/AbstractCli.java b/at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java
similarity index 67%
rename from at_client/src/main/java/org/atsign/client/cli/AbstractCli.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java
index d14e2e54..df271ee8 100644
--- a/at_client/src/main/java/org/atsign/client/cli/AbstractCli.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java
@@ -1,21 +1,21 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 import java.io.File;
 import java.util.concurrent.TimeUnit;
 
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.common.SimpleReconnectStrategy;
-import org.atsign.client.connection.netty.NettyAtClientConnection;
-import org.atsign.client.connection.netty.NettyAtClientConnection.NettyAtClientConnectionBuilder;
-import org.atsign.client.connection.netty.NettyAtEndpointSupplier;
-import org.atsign.client.connection.protocol.Authentication;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.commands.AuthenticationCommands;
+import org.atsign.client.impl.common.SimpleReconnectStrategy;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
+import org.atsign.client.impl.netty.NettyAtCommandExecutor;
+import org.atsign.client.impl.netty.NettyAtCommandExecutor.NettyAtCommandExecutorBuilder;
+import org.atsign.client.impl.netty.NettyAtEndpointSupplier;
+import org.atsign.client.impl.util.KeysUtils;
 
 import picocli.CommandLine.ITypeConverter;
 import picocli.CommandLine.Option;
@@ -80,7 +80,7 @@ protected static File checkExists(File f) {
   }
 
   protected static File getAtKeysFile(File keysFile, AtSign atSign) {
-    return keysFile != null ? keysFile : KeysUtil.getKeysFile(atSign);
+    return keysFile != null ? keysFile : KeysUtils.getKeysFile(atSign);
   }
 
 
@@ -88,19 +88,19 @@ protected static String ensureNotNull(String value, String defaultValue) {
     return value != null ? value : defaultValue;
   }
 
-  protected AtClientConnection createConnection(String rootUrl, AtSign atSign, int retries) throws AtException {
-    return creatConnectionBuilder(rootUrl, atSign, retries, verbose).build();
+  protected AtCommandExecutor createConnection(String rootUrl, AtSign atSign, int retries) throws AtException {
+    return createCommandExecutorBuilder(rootUrl, atSign, retries, verbose).build();
   }
 
-  protected AtClientConnection createAuthenticatedConnection(String rootUrl, AtSign atSign, int retries)
+  protected AtCommandExecutor createAuthenticatedConnection(String rootUrl, AtSign atSign, int retries)
       throws AtException {
-    return creatConnectionBuilder(rootUrl, atSign, retries, verbose)
-        .onReady(Authentication.pkamAuthenticator(atSign, getKeys()))
+    return createCommandExecutorBuilder(rootUrl, atSign, retries, verbose)
+        .onReady(AuthenticationCommands.pkamAuthenticator(atSign, getKeys()))
         .build();
   }
 
-  private static NettyAtClientConnectionBuilder creatConnectionBuilder(String rootUrl, AtSign atSign, int retries,
-                                                                       boolean verbose) {
+  private static NettyAtCommandExecutorBuilder createCommandExecutorBuilder(String rootUrl, AtSign atSign, int retries,
+                                                                            boolean verbose) {
     NettyAtEndpointSupplier endpoint = NettyAtEndpointSupplier.builder()
         .rootUrl(checkNotNull(rootUrl, "root server endpoint not set"))
         .atsign(checkNotNull(atSign, "atsign not set"))
@@ -109,7 +109,7 @@ private static NettyAtClientConnectionBuilder creatConnectionBuilder(String root
         .maxReconnectRetries(retries)
         .reconnectPauseMillis(TimeUnit.SECONDS.toMillis(2))
         .build();
-    return NettyAtClientConnection.builder()
+    return NettyAtCommandExecutor.builder()
         .endpoint(endpoint)
         .reconnect(reconnect)
         .isVerbose(verbose);
@@ -118,7 +118,7 @@ private static NettyAtClientConnectionBuilder creatConnectionBuilder(String root
   protected AtKeys getKeys() {
     try {
       File file = checkExists(getAtKeysFile(keysFile, atSign));
-      return KeysUtil.loadKeys(file);
+      return KeysUtils.loadKeys(file);
     } catch (AtClientConfigException e) {
       throw new RuntimeException(e);
     }
diff --git a/at_client/src/main/java/org/atsign/client/cli/Activate.java b/at_client/src/main/java/org/atsign/client/impl/cli/Activate.java
similarity index 67%
rename from at_client/src/main/java/org/atsign/client/cli/Activate.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/Activate.java
index 2e5d31e2..5bf2cc40 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Activate.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/Activate.java
@@ -1,9 +1,9 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
-import static org.atsign.client.util.EncryptionUtil.generateAESKeyBase64;
-import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
-import static org.atsign.client.util.KeysUtil.saveKeys;
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.util.EncryptionUtils.generateAESKeyBase64;
+import static org.atsign.client.impl.util.EncryptionUtils.generateRSAKeyPair;
+import static org.atsign.client.impl.util.KeysUtils.saveKeys;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 import java.io.File;
 import java.util.LinkedHashMap;
@@ -13,13 +13,13 @@
 import java.util.concurrent.TimeUnit;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.protocol.Enroll;
-import org.atsign.client.connection.protocol.Scan;
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.exceptions.AtEncryptionException;
-import org.atsign.common.exceptions.AtUnauthenticatedException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.commands.EnrollCommands;
+import org.atsign.client.impl.commands.ScanCommands;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.impl.exceptions.AtEncryptionException;
+import org.atsign.client.impl.exceptions.AtUnauthenticatedException;
 
 import picocli.CommandLine;
 import picocli.CommandLine.Command;
@@ -180,24 +180,24 @@ public Activate addNamespace(String namespace, String accessControl) {
   }
 
   public EnrollmentId onboard() throws Exception {
-    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
-      return onboard(connection);
+    try (AtCommandExecutor executor = createConnection(rootUrl, atSign, connectionRetries)) {
+      return onboard(executor);
     }
   }
 
-  public EnrollmentId onboard(AtClientConnection connection) throws Exception {
+  public EnrollmentId onboard(AtCommandExecutor executor) throws Exception {
     File file = getAtKeysFile(keysFile, atSign);
     if (!overwriteKeysFile) {
       checkNotExists(file);
     }
     AtKeys keys = generateAtKeys(true);
-    keys = Enroll.onboard(connection,
-                          atSign,
-                          keys,
-                          cramSecret,
-                          ensureNotNull(appName, DEFAULT_FIRST_APP),
-                          ensureNotNull(deviceName, DEFAULT_FIRST_DEVICE),
-                          deleteCramKey);
+    keys = EnrollCommands.onboard(executor,
+                                  atSign,
+                                  keys,
+                                  cramSecret,
+                                  ensureNotNull(appName, DEFAULT_FIRST_APP),
+                                  ensureNotNull(deviceName, DEFAULT_FIRST_DEVICE),
+                                  deleteCramKey);
     saveKeys(keys, file);
     return enrollmentId;
   }
@@ -207,8 +207,8 @@ public List<EnrollmentId> list() throws Exception {
   }
 
   public List<EnrollmentId> list(String status) throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      return Enroll.list(connection, status);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      return EnrollCommands.list(executor, status);
     }
   }
 
@@ -217,8 +217,8 @@ public void approve() throws Exception {
   }
 
   public void approve(EnrollmentId enrollmentId) throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      Enroll.approve(connection, getKeys(), enrollmentId);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      EnrollCommands.approve(executor, getKeys(), enrollmentId);
     }
   }
 
@@ -227,8 +227,8 @@ public void deny() throws Exception {
   }
 
   public void deny(EnrollmentId enrollmentId) throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      Enroll.deny(connection, enrollmentId);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      EnrollCommands.deny(executor, enrollmentId);
     }
   }
 
@@ -237,8 +237,8 @@ public void revoke() throws Exception {
   }
 
   public void revoke(EnrollmentId enrollmentId) throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      Enroll.revoke(connection, enrollmentId);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      EnrollCommands.revoke(executor, enrollmentId);
     }
   }
 
@@ -247,76 +247,76 @@ public void unrevoke() throws Exception {
   }
 
   public void unrevoke(EnrollmentId enrollmentId) throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      Enroll.unrevoke(connection, enrollmentId);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      EnrollCommands.unrevoke(executor, enrollmentId);
     }
   }
 
   public void delete(EnrollmentId enrollmentId) throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      delete(connection, enrollmentId);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      delete(executor, enrollmentId);
     }
   }
 
-  public static void delete(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
-    Enroll.delete(connection, enrollmentId);
+  public static void delete(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
+    EnrollCommands.delete(executor, enrollmentId);
   }
 
   public String otp() throws Exception {
-    try (AtClientConnection connection = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
-      return Enroll.otp(connection);
+    try (AtCommandExecutor executor = createAuthenticatedConnection(rootUrl, atSign, connectionRetries)) {
+      return EnrollCommands.otp(executor);
     }
   }
 
   public List<String> scan() throws Exception {
-    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
-      return Scan.scan(connection, true, ".*");
+    try (AtCommandExecutor executor = createConnection(rootUrl, atSign, connectionRetries)) {
+      return ScanCommands.scan(executor, true, ".*");
     }
   }
 
   public EnrollmentId enroll() throws Exception {
-    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
-      return enroll(connection);
+    try (AtCommandExecutor executor = createConnection(rootUrl, atSign, connectionRetries)) {
+      return enroll(executor);
     }
   }
 
-  public EnrollmentId enroll(AtClientConnection connection) throws Exception {
+  public EnrollmentId enroll(AtCommandExecutor executor) throws Exception {
     File file = keysFile;
     if (!overwriteKeysFile) {
       checkNotExists(file);
     }
     AtKeys keys = generateAtKeys(false);
-    keys = Enroll.enroll(connection, atSign, keys, otp, appName, deviceName, namespaces);
-    KeysUtil.saveKeys(keys, keysFile);
+    keys = EnrollCommands.enroll(executor, atSign, keys, otp, appName, deviceName, namespaces);
+    KeysUtils.saveKeys(keys, keysFile);
     return keys.getEnrollmentId();
   }
 
   public void complete() throws Exception {
-    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
-      complete(connection);
+    try (AtCommandExecutor executor = createConnection(rootUrl, atSign, connectionRetries)) {
+      complete(executor);
     }
   }
 
-  public void complete(AtClientConnection connection) throws Exception {
-    AtKeys keys = KeysUtil.loadKeys(keysFile);
-    keys = Enroll.complete(connection, atSign, keys);
-    KeysUtil.saveKeys(keys, keysFile);
+  public void complete(AtCommandExecutor executor) throws Exception {
+    AtKeys keys = KeysUtils.loadKeys(keysFile);
+    keys = EnrollCommands.complete(executor, atSign, keys);
+    KeysUtils.saveKeys(keys, keysFile);
   }
 
   public void complete(int retries, long sleepDuration, TimeUnit sleepUnit) throws Exception {
-    try (AtClientConnection connection = createConnection(rootUrl, atSign, connectionRetries)) {
-      complete(connection, retries, sleepDuration, sleepUnit);
+    try (AtCommandExecutor executor = createConnection(rootUrl, atSign, connectionRetries)) {
+      complete(executor, retries, sleepDuration, sleepUnit);
     }
   }
 
-  public void complete(AtClientConnection connection, int retries, long sleepDuration, TimeUnit sleepUnit)
+  public void complete(AtCommandExecutor executor, int retries, long sleepDuration, TimeUnit sleepUnit)
       throws Exception {
     Exception exception;
     int remainingRetries = retries;
     do {
       Thread.sleep(sleepUnit.toMillis(sleepDuration));
       try {
-        complete(connection);
+        complete(executor);
         return;
       } catch (AtUnauthenticatedException e) {
         exception = e.getMessage().contains("is pending") ? null : e;
diff --git a/at_client/src/main/java/org/atsign/client/cli/Delete.java b/at_client/src/main/java/org/atsign/client/impl/cli/Delete.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/client/cli/Delete.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/Delete.java
index 454089f2..88545ee1 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Delete.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/Delete.java
@@ -1,15 +1,15 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import lombok.extern.slf4j.Slf4j;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 /**
  * A command-line interface half-example half-utility to delete something that was previously shared
@@ -31,7 +31,7 @@ public static void main(String[] args) throws Exception {
     String keyName = args[3];
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
-    AtKeys keys = KeysUtil.loadKeys(atSign);
+    AtKeys keys = KeysUtils.loadKeys(atSign);
 
     try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
 
diff --git a/at_client/src/main/java/org/atsign/client/cli/DumpKeys.java b/at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java
similarity index 62%
rename from at_client/src/main/java/org/atsign/client/cli/DumpKeys.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java
index 735cd200..e65f7f03 100644
--- a/at_client/src/main/java/org/atsign/client/cli/DumpKeys.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java
@@ -1,9 +1,9 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
 import lombok.extern.slf4j.Slf4j;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtSign;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.api.AtSign;
 
 /**
  * Utility which, given an {@link AtSign} will load {@link AtKeys} from the
@@ -13,7 +13,7 @@
 public class DumpKeys {
   public static void main(String[] args) throws Exception {
     AtSign atSign = new AtSign(args[0]);
-    AtKeys keys = KeysUtil.loadKeys(atSign);
-    System.out.println(KeysUtil.dump(keys));
+    AtKeys keys = KeysUtils.loadKeys(atSign);
+    System.out.println(KeysUtils.dump(keys));
   }
 }
diff --git a/at_client/src/main/java/org/atsign/client/cli/Get.java b/at_client/src/main/java/org/atsign/client/impl/cli/Get.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/client/cli/Get.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/Get.java
index fcc4333c..0f83ed66 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Get.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/Get.java
@@ -1,15 +1,15 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import lombok.extern.slf4j.Slf4j;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 /**
  * A command-line interface half-example half-utility to get something that was shared by another
@@ -31,7 +31,7 @@ public static void main(String[] args) throws Exception {
     String keyName = args[3];
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
-    AtKeys keys = KeysUtil.loadKeys(atSign);
+    AtKeys keys = KeysUtils.loadKeys(atSign);
 
     try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
 
diff --git a/at_client/src/main/java/org/atsign/client/cli/Scan.java b/at_client/src/main/java/org/atsign/client/impl/cli/Scan.java
similarity index 90%
rename from at_client/src/main/java/org/atsign/client/cli/Scan.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/Scan.java
index e9d92f7c..90eef338 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Scan.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/Scan.java
@@ -1,4 +1,4 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
 import java.io.PrintStream;
 import java.util.List;
@@ -6,16 +6,16 @@
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.client.util.StringUtil;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys.AtKey;
-import org.atsign.common.Metadata;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.impl.util.StringUtils;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys.AtKey;
+import org.atsign.client.api.Metadata;
 
 import lombok.extern.slf4j.Slf4j;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 /**
  * A command-line interface for scanning keys in your secondary (must have keys to atSign in keys/)
@@ -34,7 +34,7 @@ public static void main(String[] args) throws Exception {
     String regex = args[2];
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
-    AtKeys keys = KeysUtil.loadKeys(atSign);
+    AtKeys keys = KeysUtils.loadKeys(atSign);
 
     try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
 
@@ -46,7 +46,7 @@ public static void main(String[] args) throws Exception {
         System.out.println();
         System.out.println("Enter index you want to llookup (l to list, q to quit):");
         input = scanner.nextLine();
-        if (StringUtil.isNumeric(input)) {
+        if (StringUtils.isNumeric(input)) {
           int index = Integer.parseInt(input);
           if (index < response.size()) {
             printKeyInfo(response.get(index), System.out);
diff --git a/at_client/src/main/java/org/atsign/client/cli/Share.java b/at_client/src/main/java/org/atsign/client/impl/cli/Share.java
similarity index 80%
rename from at_client/src/main/java/org/atsign/client/cli/Share.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/Share.java
index 7221c691..7cba0362 100644
--- a/at_client/src/main/java/org/atsign/client/cli/Share.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/Share.java
@@ -1,13 +1,13 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import lombok.extern.slf4j.Slf4j;
 
@@ -32,7 +32,7 @@ public static void main(String[] args) throws Exception {
     int ttr = args.length == 6 ? Integer.parseInt(args[5]) : 0;
 
     // all AtClients require AtKeys, this loads them based on the AtSign from the default location
-    AtKeys keys = KeysUtil.loadKeys(atSign);
+    AtKeys keys = KeysUtils.loadKeys(atSign);
 
     try (AtClient atClient = AtClients.builder().url(rootUrl).atSign(atSign).keys(keys).build()) {
       Keys.SharedKey key = Keys.sharedKeyBuilder()
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java
new file mode 100644
index 00000000..c18c810d
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java
@@ -0,0 +1,28 @@
+package org.atsign.client.impl.cli.register;
+
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtRegistrarException;
+
+import java.util.Map;
+
+class ActivateAtsignWithSuperApiKey extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
+  @Override
+  public RegisterApiResult<Map<String, String>> run() {
+    try {
+      result.data.put(
+                      "cram", registerUtil
+                          .activateAtsignWithSuperApiKey(params.get("registrarUrl"), params.get("apiKey"),
+                                                         new AtSign(params.get("atSign")), params.get("ActivationKey"))
+                          .split(":")[1]);
+      result.apiCallStatus = ApiCallStatus.success;
+      System.out.println("Your cram secret: " + result.data.get("cram"));
+    } catch (AtRegistrarException e) {
+      result.atException = e;
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    } catch (Exception e) {
+      result.atException = new AtRegistrarException("Failed while activating atSign", e);
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    }
+    return result;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/common/ApiCallStatus.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/ApiCallStatus.java
similarity index 68%
rename from at_client/src/main/java/org/atsign/common/ApiCallStatus.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/ApiCallStatus.java
index af18a7f6..ccada8f3 100644
--- a/at_client/src/main/java/org/atsign/common/ApiCallStatus.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/ApiCallStatus.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.impl.cli.register;
 
 /**
  * Registrar API call status
diff --git a/at_client/src/main/java/org/atsign/config/ConfigReader.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/ConfigReader.java
similarity index 96%
rename from at_client/src/main/java/org/atsign/config/ConfigReader.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/ConfigReader.java
index c36f63fa..6bb792bc 100644
--- a/at_client/src/main/java/org/atsign/config/ConfigReader.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/ConfigReader.java
@@ -1,4 +1,4 @@
-package org.atsign.config;
+package org.atsign.client.impl.cli.register;
 
 import java.io.IOException;
 import java.io.InputStream;
diff --git a/at_client/src/main/java/org/atsign/client/util/Constants.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/Constants.java
similarity index 90%
rename from at_client/src/main/java/org/atsign/client/util/Constants.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/Constants.java
index 7f993ede..fd1c19f4 100644
--- a/at_client/src/main/java/org/atsign/client/util/Constants.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/Constants.java
@@ -1,4 +1,4 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.cli.register;
 
 /**
  * Atsign Platform constants
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java
new file mode 100644
index 00000000..c807e458
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java
@@ -0,0 +1,25 @@
+package org.atsign.client.impl.cli.register;
+
+import org.atsign.client.impl.exceptions.AtRegistrarException;
+
+import java.util.Map;
+
+class GetFreeAtsign extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
+
+  @Override
+  public RegisterApiResult<Map<String, String>> run() {
+    System.out.println("Fetching free atsign ...");
+    try {
+      result.data.put("atSign",
+                      registerUtil.getFreeAtsign(params.get("registrarUrl"), params.get("apiKey")));
+      result.apiCallStatus = ApiCallStatus.success;
+      System.out.println("\tFetched new atsign: " + "@" + result.data.get("atSign"));
+    } catch (AtRegistrarException e) {
+      result.atException = e;
+    } catch (Exception e) {
+      result.atException = new AtRegistrarException("error while getting free atsign", e);
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    }
+    return result;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsignWithSuperApiKey.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsignWithSuperApiKey.java
new file mode 100644
index 00000000..1f3c011c
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsignWithSuperApiKey.java
@@ -0,0 +1,24 @@
+package org.atsign.client.impl.cli.register;
+
+import org.atsign.client.impl.exceptions.AtRegistrarException;
+
+import java.util.Map;
+
+class GetFreeAtsignWithSuperApiKey extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
+  @Override
+  public RegisterApiResult<Map<String, String>> run() {
+    System.out.println("Getting atSign ...");
+    try {
+      result.data.putAll(registerUtil.getAtsignWithSuperApiKey(params.get("registrarUrl"), params.get("apiKey")));
+      System.out.println("Got atsign: " + result.data.get("atSign"));
+      result.apiCallStatus = ApiCallStatus.success;
+    } catch (AtRegistrarException e) {
+      result.atException = e;
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    } catch (Exception e) {
+      result.atException = new AtRegistrarException("Failed while getting atSign", e);
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    }
+    return result;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/common/NotificationStatus.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/NotificationStatus.java
similarity index 70%
rename from at_client/src/main/java/org/atsign/common/NotificationStatus.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/NotificationStatus.java
index 94ae4931..f966e692 100644
--- a/at_client/src/main/java/org/atsign/common/NotificationStatus.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/NotificationStatus.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.impl.cli.register;
 
 /**
  * Notification status
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/Register.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/Register.java
new file mode 100644
index 00000000..0a54be68
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/Register.java
@@ -0,0 +1,121 @@
+package org.atsign.client.impl.cli.register;
+
+import java.io.IOException;
+import java.util.*;
+import java.util.concurrent.Callable;
+
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.cli.Activate;
+
+import picocli.CommandLine;
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
+
+/**
+ * Command line interface to claim a free atsign. Requires one-time-password
+ * received on the provided email to validate.
+ * Registers the free atsign to provided email
+ */
+@Command(name = "register", description = "Get an atsign and register")
+public class Register implements Callable<String> {
+  @Option(names = {"-e", "--email"}, description = "email to register a free atsign using otp-auth")
+  static String email = "";
+
+  @Option(names = {"-k", "--api-key"}, description = "register an atsign using super-API key")
+  static String apiKey = "";
+
+  Map<String, String> params = new HashMap<>();
+  boolean superApiKeyMode = false;
+
+  public static void main(String[] args) throws AtException {
+    int status = new CommandLine(new Register()).execute(args);
+    System.exit(status);
+  }
+
+  /**
+   * contains actual register logic.
+   * main() calls this method with args passed through CLI
+   */
+  @Override
+  public String call() throws Exception {
+
+    readParameters();
+    if (superApiKeyMode) {
+      new RegistrationFlow(params).add(new GetFreeAtsignWithSuperApiKey()).add(new ActivateAtsignWithSuperApiKey())
+          .start();
+
+    } else {
+      // parameter confirmation needs to be manually inserted into the params map
+      params.put("confirmation", "false");
+      new RegistrationFlow(params).add(new GetFreeAtsign()).add(new RegisterAtsign()).add(new ValidateOtp()).start();
+    }
+
+    String[] onboardArgs = new String[] {
+        "onboard",
+        "-r", params.get("rootDomain") + ":" + params.get("rootPort"),
+        "-a", params.get("atSign"),
+        "-c", params.get("cram")};
+    Activate.main(onboardArgs);
+
+    return "Done.";
+  }
+
+  void readParameters() throws IOException {
+
+    // checks to ensure only either of email or super-API key are provided as args.
+    // if super-API key is provided sets superApiKeyMode to true
+    if ("".equals(email) && !"".equals(apiKey)) {
+      superApiKeyMode = true;
+    } else if ("".equals(apiKey) && !"".equals(email)) {
+      superApiKeyMode = false;
+    } else {
+      System.err.println(
+                         "Usage: Register -e <email@email.com> (or)\nRegister -k <Your API Key>"
+                             + "\nNOTE: Use email if you prefer activating using verification code."
+                             + " Use API key option if you have a SuperAPI key. You can NOT use both.");
+      System.exit(1);
+    }
+
+    params.put("rootDomain", ConfigReader.getProperty("rootServer", "domain"));
+    if (params.get("rootDomain") == null) {
+      // reading config from older configuration syntax for backwards compatibility
+      params.put("rootDomain", ConfigReader.getProperty("ROOT_DOMAIN"));
+    }
+
+    params.put("rootPort", ConfigReader.getProperty("rootServer", "port"));
+    if (params.get("rootPort") == null) {
+      // reading config from older configuration syntax for backwards compatibility
+      params.put("rootPort", ConfigReader.getProperty("ROOT_PORT"));
+    }
+    System.out.println("RootServer is " + params.get("rootDomain") + ":" + params.get("rootPort"));
+
+    params.put("registrarUrl", ConfigReader.getProperty("registrarV3", "url"));
+    if (params.get("registrarUrl") == null) {
+      // reading config from older configuration syntax for backwards compatibility
+      params.put("registrarUrl", ConfigReader.getProperty("REGISTRAR_URL"));
+    }
+
+    if (!superApiKeyMode && "".equals(apiKey)) {
+      params.put("apiKey", ConfigReader.getProperty("registrar", "apiKey"));
+      if (params.get("apiKey") == null) {
+        // reading config from older configuration syntax for backwards compatibility
+        params.put("apiKey", ConfigReader.getProperty("API_KEY"));
+      }
+    }
+
+    // adding email/apiKey to params whichever is passed through command line args
+    if (!superApiKeyMode) {
+      params.put("email", email);
+    } else {
+      params.put("apiKey", apiKey);
+    }
+
+    // ensure all required params have been set
+    if (!params.containsKey("rootDomain") || !params.containsKey("rootPort") || !params.containsKey("registrarUrl")
+        || !params.containsKey("apiKey")) {
+      System.err.println(
+                         "Please make sure to set all relevant configuration in src/main/resources/config.yaml");
+      System.exit(1);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/common/RegisterApiResult.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterApiResult.java
similarity index 69%
rename from at_client/src/main/java/org/atsign/common/RegisterApiResult.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterApiResult.java
index 65c0775c..3b6bce68 100644
--- a/at_client/src/main/java/org/atsign/common/RegisterApiResult.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterApiResult.java
@@ -1,4 +1,6 @@
-package org.atsign.common;
+package org.atsign.client.impl.cli.register;
+
+import org.atsign.client.impl.exceptions.AtException;
 
 /**
  * Registrar API response record
diff --git a/at_client/src/main/java/org/atsign/common/RegisterApiTask.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterApiTask.java
similarity index 95%
rename from at_client/src/main/java/org/atsign/common/RegisterApiTask.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterApiTask.java
index 62f58dae..d7f6c563 100644
--- a/at_client/src/main/java/org/atsign/common/RegisterApiTask.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterApiTask.java
@@ -1,10 +1,8 @@
-package org.atsign.common;
+package org.atsign.client.impl.cli.register;
 
 import java.util.HashMap;
 import java.util.Map;
 
-import org.atsign.client.util.RegisterUtil;
-
 /**
  * Represents a task in an AtSign registration cycle
  *
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java
new file mode 100644
index 00000000..a6f7806a
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java
@@ -0,0 +1,25 @@
+package org.atsign.client.impl.cli.register;
+
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtRegistrarException;
+
+import java.util.Map;
+
+class RegisterAtsign extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
+
+  @Override
+  public RegisterApiResult<Map<String, String>> run() {
+    System.out.println("Sending verification code to: " + params.get("email"));
+    try {
+      result.data.put("otpSent",
+                      registerUtil.registerAtsign(params.get("email"), new AtSign(params.get("atSign")),
+                                                  params.get("registrarUrl"), params.get("apiKey"))
+                          .toString());
+      result.apiCallStatus = ApiCallStatus.success;
+    } catch (Exception e) {
+      result.atException = new AtRegistrarException(e.getMessage(), e.getCause());
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    }
+    return result;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/util/RegisterUtil.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
similarity index 98%
rename from at_client/src/main/java/org/atsign/client/util/RegisterUtil.java
rename to at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
index 8b932cfd..540d88a6 100644
--- a/at_client/src/main/java/org/atsign/client/util/RegisterUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
@@ -1,4 +1,4 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.cli.register;
 
 import static java.util.AbstractMap.SimpleEntry;
 import static java.util.stream.Collectors.toMap;
@@ -16,19 +16,19 @@
 
 import javax.net.ssl.HttpsURLConnection;
 
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.Json;
-import org.atsign.common.exceptions.AtRegistrarException;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtRegistrarException;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.atsign.client.impl.util.JsonUtils;
 
 /**
  * Utility class for obtaining a new {@link AtSign}
  */
 public class RegisterUtil {
 
-  ObjectMapper objectMapper = Json.MAPPER;
+  ObjectMapper objectMapper = JsonUtils.MAPPER;
 
   /**
    * Calls API to get atsigns which are ready to be claimed. Returns a free atsign.
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegistrationFlow.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegistrationFlow.java
new file mode 100644
index 00000000..67df5dfa
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegistrationFlow.java
@@ -0,0 +1,41 @@
+package org.atsign.client.impl.cli.register;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+class RegistrationFlow {
+  List<RegisterApiTask<RegisterApiResult<Map<String, String>>>> processFlow = new ArrayList<>();
+  RegisterApiResult<Map<String, String>> result;
+  Map<String, String> params;
+  RegisterUtil registerUtil = new RegisterUtil();
+
+  RegistrationFlow(Map<String, String> params) {
+    this.params = params;
+  }
+
+  RegistrationFlow add(RegisterApiTask<RegisterApiResult<Map<String, String>>> task) {
+    processFlow.add(task);
+    return this;
+  }
+
+  void start() throws Exception {
+    for (RegisterApiTask<RegisterApiResult<Map<String, String>>> task : processFlow) {
+      // initialize each task by passing params to init()
+      task.init(params, registerUtil);
+      result = task.run();
+      if (result.apiCallStatus.equals(ApiCallStatus.retry)) {
+        while (task.shouldRetry()
+            && result.apiCallStatus.equals(ApiCallStatus.retry)) {
+          result = task.run();
+          task.retryCount++;
+        }
+      }
+      if (result.apiCallStatus.equals(ApiCallStatus.success)) {
+        params.putAll(result.data);
+      } else {
+        throw result.atException;
+      }
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java
new file mode 100644
index 00000000..ef11fd32
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java
@@ -0,0 +1,50 @@
+package org.atsign.client.impl.cli.register;
+
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtRegistrarException;
+
+import java.util.Map;
+import java.util.Scanner;
+
+class ValidateOtp extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
+  Scanner scanner = new Scanner(System.in);
+
+  @Override
+  public RegisterApiResult<Map<String, String>> run() {
+    try {
+      // only ask for user input the first time. use the otp entry in params map in
+      // subsequent api requests
+      if (!params.containsKey("otp")) {
+        System.out.println("Enter verification code received on " + params.get("email")
+            + " [verification code is case sensitive]");
+        params.put("otp", scanner.nextLine());
+        System.out.println("Validating verification code ...");
+      }
+      String apiResponse = registerUtil.validateOtp(params.get("email"), new AtSign(params.get("atSign")),
+                                                    params.get("otp"), params.get("registrarUrl"), params.get("apiKey"),
+                                                    Boolean.parseBoolean(params.get("confirmation")));
+      if ("retry".equals(apiResponse)) {
+        System.err.println("Incorrect OTP!!! Please re-enter your OTP");
+        params.put("otp", scanner.nextLine());
+        result.apiCallStatus = ApiCallStatus.retry;
+        result.atException = new AtRegistrarException("Only 3 retries allowed to re-enter OTP - Incorrect OTP entered");
+      } else if ("follow-up".equals(apiResponse)) {
+        params.put("confirmation", "true");
+        result.apiCallStatus = ApiCallStatus.retry;
+      } else if (apiResponse.startsWith("@")) {
+        result.data.put("cram", apiResponse.split(":")[1]);
+        System.out.println("\tRCVD cram: " + result.data.get("cram"));
+        System.out.println("Done.");
+        result.apiCallStatus = ApiCallStatus.success;
+        scanner.close();
+      }
+    } catch (AtRegistrarException e) {
+      result.atException = e;
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    } catch (Exception e) {
+      result.atException = new AtRegistrarException("Failed while validating OTP", e);
+      result.apiCallStatus = retryCount < maxRetries ? ApiCallStatus.retry : ApiCallStatus.failure;
+    }
+    return result;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java b/at_client/src/main/java/org/atsign/client/impl/commands/AtExceptions.java
similarity index 79%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/AtExceptions.java
index 2c0da9e9..cbb81f88 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/AtExceptions.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/AtExceptions.java
@@ -1,10 +1,7 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.exceptions.*;
-import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.*;
 
 import java.util.concurrent.ExecutionException;
 import java.util.function.Consumer;
@@ -60,26 +57,26 @@ public static AtException toTypedException(String code, String text) {
    * A Command / Runnable that may throw exceptions.
    */
   public interface AtClientConnectionCommand {
-    void run(AtClientConnection connection) throws AtException, ExecutionException, InterruptedException;
+    void run(AtCommandExecutor executor) throws AtException, ExecutionException, InterruptedException;
   }
 
   /**
    * Wraps an {@link AtClientConnectionCommand}, typically an
-   * {@link AtClientConnection#onReady(Consumer)}
+   * {@link AtCommandExecutor#onReady(Consumer)}
    * command, such that AtExceptions are caught and rethrown as {@link AtOnReadyException}.
-   * NOTE: {@link AtOnReadyException}s are regarded as fatal, i.e. the {@link AtClientConnection} is
+   * NOTE: {@link AtOnReadyException}s are regarded as fatal, i.e. the {@link AtCommandExecutor} is
    * unusable.
    *
    * @param command A command/runnable thatmay throw exceptions.
    * @return a consumer that is designed to be passed as an argument to
-   *         {@link AtClientConnection#onReady(Consumer)}
+   *         {@link AtCommandExecutor#onReady(Consumer)}
    */
-  public static Consumer<AtClientConnection> throwOnReadyException(AtClientConnectionCommand command) {
-    return connection -> {
+  public static Consumer<AtCommandExecutor> throwOnReadyException(AtClientConnectionCommand command) {
+    return executor -> {
       try {
-        command.run(connection);
+        command.run(executor);
       } catch (AtException e) {
-        // AtOnReadyExceptions are fatal for the connection
+        // AtOnReadyExceptions are fatal for the executor
         throw new AtOnReadyException(e.getMessage(), e);
       } catch (ExecutionException | InterruptedException e) {
         throw new RuntimeException(e);
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java
new file mode 100644
index 00000000..02339b8c
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java
@@ -0,0 +1,119 @@
+package org.atsign.client.impl.commands;
+
+import static org.atsign.client.impl.commands.AtExceptions.throwOnReadyException;
+import static org.atsign.client.impl.commands.DataResponses.matchDataStringNoWhitespace;
+import static org.atsign.client.impl.commands.DataResponses.matchDataSuccess;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
+
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.util.EncryptionUtils;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtEncryptionException;
+import org.atsign.client.impl.exceptions.AtUnauthenticatedException;
+
+/**
+ * Utility methods for handling authentication within the AtSign protocol
+ */
+public class AuthenticationCommands {
+
+  public static Consumer<AtCommandExecutor> pkamAuthenticator(AtSign atSign, AtKeys keys) {
+    return throwOnReadyException(executor -> authenticateWithPkam(executor, atSign, keys));
+  }
+
+  /**
+   * Implements the protocol workflow / sequence for PKAM authentication.
+   *
+   * @param executor The executor with which to send the commands.
+   * @param atSign The asign to authenticate.
+   * @param keys The keys to use to authenticate.
+   * @throws AtException If authentication fails.
+   */
+  public static void authenticateWithPkam(AtCommandExecutor executor, AtSign atSign, AtKeys keys)
+      throws AtException {
+    try {
+
+      // send a from command and expect to receive a challenge
+      String fromCommand = CommandBuilders.fromCommandBuilder().atSign(atSign).build();
+      String fromResponse = executor.sendSync(fromCommand);
+      String challenge = matchDataStringNoWhitespace(throwExceptionIfError(fromResponse));
+
+      // send a pkam command with the signed challenge
+      String signature = EncryptionUtils.signSHA256RSA(challenge, keys.getApkamPrivateKey());
+      CommandBuilders.PkamCommandBuilder pkamCommandBuilder = CommandBuilders.pkamCommandBuilder();
+      if (keys.hasEnrollmentId()) {
+        pkamCommandBuilder.signingAlgo(EncryptionUtils.SIGNING_ALGO_RSA);
+        pkamCommandBuilder.hashingAlgo(EncryptionUtils.HASHING_ALGO_SHA256);
+        pkamCommandBuilder.enrollmentId(keys.getEnrollmentId());
+      }
+      pkamCommandBuilder.digest(signature);
+      String pkamCommand = pkamCommandBuilder.build();
+      String pkamResponse = executor.sendSync(pkamCommand);
+
+      // verify that pkam has succeeded
+      matchDataSuccess(throwExceptionIfError(pkamResponse));
+    } catch (RuntimeException | ExecutionException | InterruptedException e) {
+      throw new AtUnauthenticatedException("PKAM command failed : " + e.getMessage());
+    }
+  }
+
+  /**
+   * Implements the protocol workflow / sequence for CRAM authentication.
+   *
+   * @param executor The executor with which to send the commands.
+   * @param atSign The asign to authenticate.
+   * @param cramSecret The cramSecret that was assigned during at server provisioning.
+   * @throws AtException If authentication fails.
+   */
+  public static void authenticateWithCram(AtCommandExecutor executor, AtSign atSign, String cramSecret)
+      throws AtException {
+    try {
+
+      // send a from command and expect to receive a challenge
+      String fromCommand = CommandBuilders.fromCommandBuilder().atSign(atSign).build();
+      String fromResponse = executor.sendSync(fromCommand);
+      String challenge = matchDataStringNoWhitespace(throwExceptionIfError(fromResponse));
+
+      // send a cram command
+      String cramDigest = createDigest(cramSecret, challenge);
+      String cramCommand = CommandBuilders.cramCommandBuilder().digest(cramDigest).build();
+      String cramResponse = executor.sendSync(cramCommand);
+
+      // verify that cram succeeded
+      matchDataSuccess(throwExceptionIfError(cramResponse));
+
+    } catch (RuntimeException | ExecutionException | InterruptedException e) {
+      throw new AtUnauthenticatedException("CRAM command failed : " + e.getMessage());
+    }
+  }
+
+  private static String createDigest(String cramSecret, String challenge) throws AtEncryptionException {
+    try {
+      String digestInput = cramSecret + challenge;
+      byte[] digestInputBytes = digestInput.getBytes(StandardCharsets.UTF_8);
+      byte[] digest = MessageDigest.getInstance("SHA-512").digest(digestInputBytes);
+      return bytesToHex(digest);
+    } catch (RuntimeException | NoSuchAlgorithmException e) {
+      throw new AtEncryptionException("failed to generate cramDigest", e);
+    }
+  }
+
+  private static final char[] HEX_ARRAY = "0123456789abcdef".toCharArray();
+
+  public static String bytesToHex(byte[] bytes) {
+    char[] hexChars = new char[bytes.length * 2];
+    for (int j = 0; j < bytes.length; j++) {
+      int v = bytes[j] & 0xFF;
+      hexChars[j * 2] = HEX_ARRAY[v >>> 4];
+      hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
+    }
+    return new String(hexChars);
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/common/VerbBuilders.java b/at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java
similarity index 97%
rename from at_client/src/main/java/org/atsign/common/VerbBuilders.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java
index 9da7ef66..64e60c18 100644
--- a/at_client/src/main/java/org/atsign/common/VerbBuilders.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java
@@ -1,18 +1,22 @@
-package org.atsign.common;
+package org.atsign.client.impl.commands;
 
 import static java.util.Collections.singletonList;
 import static java.util.Collections.singletonMap;
-import static org.atsign.client.util.Preconditions.*;
-import static org.atsign.client.util.StringUtil.isBlank;
-import static org.atsign.common.Metadata.*;
+import static org.atsign.client.impl.common.Preconditions.*;
+import static org.atsign.client.impl.util.StringUtils.isBlank;
+import static org.atsign.client.api.Metadata.*;
 
 import java.util.LinkedHashMap;
 import java.util.Map;
 
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.client.util.TypedString;
-import org.atsign.common.Keys.AtKey;
-import org.atsign.common.Metadata.MetadataBuilder;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Metadata;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.util.JsonUtils;
+import org.atsign.client.impl.common.TypedString;
+import org.atsign.client.api.Keys.AtKey;
+import org.atsign.client.api.Metadata.MetadataBuilder;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 
@@ -20,10 +24,10 @@
 
 /**
  *
- * Contains builders for composing Atsign protocol command strings
+ * Builders for composing Atsign protocol command strings.
  *
  */
-public class VerbBuilders {
+public class CommandBuilders {
 
   private static final Metadata EMPTY_METADATA = Metadata.builder().build();
 
@@ -666,7 +670,7 @@ protected static Map<String, Object> toObjectMap(Object... nameValuePairs) {
 
   protected static String encodeAsJson(Object o) {
     try {
-      return Json.MAPPER.writeValueAsString(o);
+      return JsonUtils.MAPPER.writeValueAsString(o);
     } catch (JsonProcessingException e) {
       throw new IllegalArgumentException("json encoding exception", e);
     }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java b/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java
new file mode 100644
index 00000000..0b8fcdbd
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java
@@ -0,0 +1,193 @@
+package org.atsign.client.impl.commands;
+
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import org.atsign.client.api.Metadata;
+import org.atsign.client.impl.util.JsonUtils;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+
+/**
+ * Utilities for handling data responses in the AtSign protocol.
+ */
+public class DataResponses {
+
+  /**
+   * models server response string which is non-empty JSON map
+   */
+  protected static final Pattern DATA_JSON_NON_EMPTY_MAP = Pattern.compile("data:(\\{.+})");
+
+  /**
+   * models server response string which is JSON map
+   */
+  protected static final Pattern DATA_JSON_MAP = Pattern.compile("data:(\\{.*})");
+
+  /**
+   * models server response string which is non-empty JSON list
+   */
+  protected static final Pattern DATA_JSON_LIST = Pattern.compile("data:(\\[.*])");
+
+  /**
+   * models server response string which is integer
+   */
+  protected static final Pattern DATA_INT = Pattern.compile("data:(-?\\d+)");
+
+  /**
+   * models server response string containing no whitespace
+   */
+  public static final Pattern DATA_NON_WHITESPACE = Pattern.compile("data:(\\S+)");
+
+  /**
+   * models server data response
+   */
+  public static final Pattern DATA = Pattern.compile("data:(.+)");
+
+  /**
+   * models server response string containing no whitespace
+   */
+  public static final Pattern DATA_SUCCESS = Pattern.compile("data:(success)");
+
+  /**
+   * Use this to verify a "data:success" response.
+   *
+   * @param input The at server response to verify.
+   * @return "success" if this matches.
+   */
+  public static String matchDataSuccess(String input) {
+    return Responses.match(input, DATA_SUCCESS);
+  }
+
+  /**
+   * Use this to verify a "data:xxxxx" response (no whitespace in the value).
+   *
+   * @param input The at server response to verify.
+   * @return The value after the "data:" prefix.
+   */
+  public static String matchDataStringNoWhitespace(String input) {
+    return Responses.match(input, DATA_NON_WHITESPACE);
+  }
+
+  /**
+   * Use this to verify a "data:x xx xx" response (whitespace permitted).
+   *
+   * @param input The at server response to verify.
+   * @return The value after the "data:" prefix.
+   */
+  public static String matchData(String input) {
+    return Responses.match(input, DATA);
+  }
+
+  /**
+   * Use this to verify a "data:123" response (negative numbers permitted).
+   *
+   * @param input The at server response to verify.
+   * @return The value after the "data:" prefix.
+   */
+  public static int matchDataInt(String input) {
+    return Responses.match(input, DATA_INT, Integer::parseInt);
+  }
+
+  /**
+   * Use this to verify a "data:[...]" response where the value is a JSON encoded list.
+   *
+   * @param input The at server response to verify.
+   * @return The {@link List} after the "data:" prefix.
+   */
+  public static List<Object> matchDataJsonList(String input) {
+    return Responses.match(input, DATA_JSON_LIST, Responses::decodeJsonList);
+  }
+
+  /**
+   * Use this to verify a "data:[...]" response where the value is a JSON encoded list of Strings.
+   *
+   * @param input The at server response to verify.
+   * @return The {@link List} after the "data:" prefix.
+   */
+  public static List<String> matchDataJsonListOfStrings(String input) {
+    return Responses.match(input, DATA_JSON_LIST, Responses::decodeJsonListOfStrings);
+  }
+
+  /**
+   * Use this to verify a "data:{...}" response where the value is a JSON encoded map of Strings.
+   *
+   * @param input The at server response to verify.
+   * @param allowEmpty If true then empty map is permitted.
+   * @return The {@link Map} after the "data:" prefix.
+   */
+  public static Map<String, String> matchDataJsonMapOfStrings(String input, boolean allowEmpty) {
+    return Responses.match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP,
+                           Responses::decodeJsonMapOfStrings);
+  }
+
+  /**
+   * Use this to verify a "data:{...}" response where the value is a JSON encoded map of objects.
+   *
+   * @param input The at server response to verify.
+   * @param allowEmpty If true then empty map is permitted.
+   * @return The {@link Map} after the "data:" prefix.
+   */
+  public static Map<String, Object> matchDataJsonMapOfObjects(String input, boolean allowEmpty) {
+    return Responses.match(input, allowEmpty ? DATA_JSON_MAP : DATA_JSON_NON_EMPTY_MAP,
+                           Responses::decodeJsonMapOfObjects);
+  }
+
+  /**
+   * Use this to verify a "data:{...}" response where the value is a JSON encoded map of Strings.
+   *
+   * @param input The at server response to verify.
+   * @return The {@link Map} after the "data:" prefix.
+   */
+  public static Map<String, String> matchDataJsonMapOfStrings(String input) {
+    return matchDataJsonMapOfStrings(input, false);
+  }
+
+  /**
+   * Use this to verify a "data:{...}" response where the value is a JSON encoded map of objects.
+   *
+   * @param input The at server response to verify.
+   * @return The {@link Map} after the "data:" prefix.
+   */
+  public static Map<String, Object> matchDataJsonMapOfObjects(String input) {
+    return matchDataJsonMapOfObjects(input, false);
+  }
+
+  /**
+   * Use this to verify a "data:{...}" response where the value is a JSON encoded
+   * {@link LookupResponse}
+   *
+   * @param input The at server response to verify.
+   * @return The {@link LookupResponse} after the "data:" prefix.
+   */
+  public static LookupResponse matchLookupResponse(String input) {
+    return Responses.match(input, DATA_JSON_NON_EMPTY_MAP, DataResponses::toLookupResponse);
+  }
+
+  private static LookupResponse toLookupResponse(String input) {
+    try {
+      return JsonUtils.MAPPER.readValue(input, LookupResponse.class);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  /**
+   * Use this to verify a "data:{...}" response where the value is a JSON encoded
+   * {@link Metadata}
+   *
+   * @param input The at server response to verify.
+   * @return The {@link Metadata} after the "data:" prefix.
+   */
+  public static Metadata matchMetadata(String input) {
+    return Responses.match(input, DATA_JSON_NON_EMPTY_MAP, DataResponses::toMetaData);
+  }
+
+  private static Metadata toMetaData(String input) {
+    try {
+      return JsonUtils.MAPPER.readValue(input, Metadata.class);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java b/at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java
similarity index 60%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java
index ae962110..6f43e629 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Enroll.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java
@@ -1,11 +1,11 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.connection.protocol.Data.*;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
-import static org.atsign.client.util.Preconditions.checkNotNull;
-import static org.atsign.common.VerbBuilders.EnrollParameters.ENCRYPTED_APKAM_SYMMETRIC_KEY;
+import static org.atsign.client.impl.commands.DataResponses.*;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+import static org.atsign.client.impl.commands.CommandBuilders.EnrollParameters.ENCRYPTED_APKAM_SYMMETRIC_KEY;
 
 import java.util.List;
 import java.util.Map;
@@ -15,22 +15,21 @@
 
 import org.atsign.client.api.AtKeyNames;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.VerbBuilders;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
 
 /**
  * Atsign Protocol utilitiy code that relates to onboarding and enrolling atsigns.
  */
-public class Enroll {
+public class EnrollCommands {
 
   /**
    * Performs the onboarding workflow which sets up the manage keys for an atserver.
    *
-   * @param connection A connection to an atserver command interface.
-   * @param atSign The AtSign that corresponds to the connection.
+   * @param executor A executor to an atserver command interface.
+   * @param atSign The AtSign that corresponds to the executor.
    * @param keys The {@link AtKeys} for the {@link AtSign}.
    * @param cramSecret The CRAM secret.
    * @param appName The app name for this first enrollment.
@@ -39,7 +38,7 @@ public class Enroll {
    * @return a new {@link AtKeys} instance that has the enrollment id set
    * @throws AtException If the enrollment fails.
    */
-  public static AtKeys onboard(AtClientConnection connection,
+  public static AtKeys onboard(AtCommandExecutor executor,
                                AtSign atSign,
                                AtKeys keys,
                                String cramSecret,
@@ -49,25 +48,25 @@ public static AtKeys onboard(AtClientConnection connection,
       throws AtException {
     try {
 
-      // verify that the connection is connected to the atsigns atserver
-      String scanCommand = VerbBuilders.scanCommandBuilder().build();
-      String scanResponse = throwExceptionIfError(connection.sendSync(scanCommand));
+      // verify that the executor is connected to the atsigns atserver
+      String scanCommand = CommandBuilders.scanCommandBuilder().build();
+      String scanResponse = throwExceptionIfError(executor.sendSync(scanCommand));
       List<String> rawKeys = matchDataJsonListOfStrings(scanResponse);
       if (!rawKeys.contains("signing_publickey" + atSign)) {
         throw new IllegalStateException("not connected to the atsign's at server");
       }
 
       // authenticate with CRAM
-      Authentication.authenticateWithCram(connection, atSign, cramSecret);
+      AuthenticationCommands.authenticateWithCram(executor, atSign, cramSecret);
 
       // send an enroll request which should automatically be approved after CRAM authentication
-      String requestCommand = VerbBuilders.enrollCommandBuilder()
-          .operation(VerbBuilders.EnrollOperation.request)
+      String requestCommand = CommandBuilders.enrollCommandBuilder()
+          .operation(CommandBuilders.EnrollOperation.request)
           .appName(appName)
           .deviceName(deviceName)
           .apkamPublicKey(keys.getApkamPublicKey())
           .build();
-      String requestResponse = connection.sendSync(requestCommand);
+      String requestResponse = executor.sendSync(requestCommand);
       Map<String, String> response = matchDataJsonMapOfStrings(throwExceptionIfError(requestResponse));
       checkStatus(response, "approved");
 
@@ -77,20 +76,20 @@ public static AtKeys onboard(AtClientConnection connection,
           .build();
 
       // authenticate with PKAM
-      Authentication.authenticateWithPkam(connection, atSign, keys);
+      AuthenticationCommands.authenticateWithPkam(executor, atSign, keys);
 
       // explicitly store the public encryption key in the atserver
-      String updateCommand = VerbBuilders.updateCommandBuilder()
+      String updateCommand = CommandBuilders.updateCommandBuilder()
           .sharedBy(atSign)
           .keyName(AtKeyNames.PUBLIC_ENCRYPT)
           .isPublic(true)
           .value(keys.getEncryptPublicKey())
           .build();
-      String updateResponse = connection.sendSync(updateCommand);
+      String updateResponse = executor.sendSync(updateCommand);
       matchDataInt(throwExceptionIfError(updateResponse));
 
       if (deleteCramKey) {
-        deleteCramSecret(connection);
+        deleteCramSecret(executor);
       }
 
     } catch (ExecutionException | InterruptedException e) {
@@ -99,26 +98,26 @@ public static AtKeys onboard(AtClientConnection connection,
     return keys;
   }
 
-  public static void deleteCramSecret(AtClientConnection connection) throws AtException {
-    Keys.deleteKey(connection, AtKeyNames.PRIVATE_AT_SECRET);
+  public static void deleteCramSecret(AtCommandExecutor executor) throws AtException {
+    KeyCommands.deleteKey(executor, AtKeyNames.PRIVATE_AT_SECRET);
   }
 
-  public static String otp(AtClientConnection connection) throws AtException {
+  public static String otp(AtCommandExecutor executor) throws AtException {
     try {
 
       // send otp command
-      String otpCommand = VerbBuilders.otpCommandBuilder().build();
-      String otpResponse = connection.sendSync(otpCommand);
+      String otpCommand = CommandBuilders.otpCommandBuilder().build();
+      String otpResponse = executor.sendSync(otpCommand);
 
       // verify that response is an OTP
-      return Data.matchDataStringNoWhitespace(throwExceptionIfError(otpResponse));
+      return matchDataStringNoWhitespace(throwExceptionIfError(otpResponse));
 
     } catch (ExecutionException | InterruptedException e) {
       throw new RuntimeException(e);
     }
   }
 
-  public static AtKeys enroll(AtClientConnection connection,
+  public static AtKeys enroll(AtCommandExecutor executor,
                               AtSign atSign,
                               AtKeys keys,
                               String otp,
@@ -131,16 +130,16 @@ public static AtKeys enroll(AtClientConnection connection,
     checkNotNull(keys.getApkamSymmetricKey(), "apkam symmetric key not set");
 
     // lookup the public encryption key for the atserver's atsign, this will have been set during onboarding
-    String lookupCommand = VerbBuilders.lookupCommandBuilder()
+    String lookupCommand = CommandBuilders.lookupCommandBuilder()
         .keyName(AtKeyNames.PUBLIC_ENCRYPT)
         .sharedBy(atSign)
         .build();
-    String lookupResponse = connection.sendSync(lookupCommand);
+    String lookupResponse = executor.sendSync(lookupCommand);
     String publicKey = matchDataStringNoWhitespace(throwExceptionIfError(lookupResponse));
 
     // send an enroll request and verify that the status is pending
-    String requestCommand = VerbBuilders.enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.request)
+    String requestCommand = CommandBuilders.enrollCommandBuilder()
+        .operation(CommandBuilders.EnrollOperation.request)
         .appName(appName)
         .deviceName(deviceName)
         .apkamPublicKey(keys.getApkamPublicKey())
@@ -148,7 +147,7 @@ public static AtKeys enroll(AtClientConnection connection,
         .otp(otp)
         .namespaces(namespaces)
         .build();
-    String requestResponse = connection.sendSync(requestCommand);
+    String requestResponse = executor.sendSync(requestCommand);
     Map<String, String> map = matchDataJsonMapOfStrings(throwExceptionIfError(requestResponse));
     checkStatus(map, "pending");
 
@@ -159,14 +158,14 @@ public static AtKeys enroll(AtClientConnection connection,
         .build();
   }
 
-  public static AtKeys complete(AtClientConnection connection, AtSign atSign, AtKeys keys) throws AtException {
+  public static AtKeys complete(AtCommandExecutor executor, AtSign atSign, AtKeys keys) throws AtException {
 
     // attempt to authenticate with PKAM, this will succeed once the enroll request is approved
-    Authentication.authenticateWithPkam(connection, atSign, keys);
+    AuthenticationCommands.authenticateWithPkam(executor, atSign, keys);
 
     // Use the keys:get command to obtain the private encryption key and self encryption key
-    String selfEncryptKey = keysGetSelfEncryptKey(connection, atSign, keys);
-    String encryptPrivateKey = keysGetEncryptPrivateKey(connection, atSign, keys);
+    String selfEncryptKey = keysGetSelfEncryptKey(executor, atSign, keys);
+    String encryptPrivateKey = keysGetEncryptPrivateKey(executor, atSign, keys);
 
     // return a copy of the provided AtKeys with the private encryption key and self encryption key set
     return keys.toBuilder()
@@ -176,20 +175,20 @@ public static AtKeys complete(AtClientConnection connection, AtSign atSign, AtKe
 
   }
 
-  public static List<EnrollmentId> list(AtClientConnection connection, String status) throws AtException {
+  public static List<EnrollmentId> list(AtCommandExecutor executor, String status) throws AtException {
     try {
 
       // get the list of enrollment requests that have the status
-      String listCommand = VerbBuilders.enrollCommandBuilder()
-          .operation(VerbBuilders.EnrollOperation.list)
+      String listCommand = CommandBuilders.enrollCommandBuilder()
+          .operation(CommandBuilders.EnrollOperation.list)
           .status(status)
           .build();
-      String listResponse = connection.sendSync(listCommand);
+      String listResponse = executor.sendSync(listCommand);
       Map<String, Object> map = matchDataJsonMapOfObjects(throwExceptionIfError(listResponse), true);
 
       // return the list enrollment ids, extracted from the keys
       return map.keySet().stream()
-          .map(Enroll::inferEnrollmentId)
+          .map(EnrollCommands::inferEnrollmentId)
           .collect(Collectors.toList());
 
     } catch (ExecutionException | InterruptedException e) {
@@ -197,15 +196,15 @@ public static List<EnrollmentId> list(AtClientConnection connection, String stat
     }
   }
 
-  public static void approve(AtClientConnection connection, AtKeys keys, EnrollmentId enrollmentId) throws AtException {
+  public static void approve(AtCommandExecutor executor, AtKeys keys, EnrollmentId enrollmentId) throws AtException {
     try {
 
       // fetch the request and decrypt the apkam symmetric key that will be used encrypt the shared keys
-      String fetchCommand = VerbBuilders.enrollCommandBuilder()
-          .operation(VerbBuilders.EnrollOperation.fetch)
+      String fetchCommand = CommandBuilders.enrollCommandBuilder()
+          .operation(CommandBuilders.EnrollOperation.fetch)
           .enrollmentId(enrollmentId)
           .build();
-      String fetchResponse = connection.sendSync(fetchCommand);
+      String fetchResponse = executor.sendSync(fetchCommand);
       Map<String, Object> request = matchDataJsonMapOfObjects(throwExceptionIfError(fetchResponse));
       checkStatus(request, "pending");
       String encryptedApkamSymmetricKey = (String) request.get(ENCRYPTED_APKAM_SYMMETRIC_KEY);
@@ -218,15 +217,15 @@ public static void approve(AtClientConnection connection, AtKeys keys, Enrollmen
       String selfEncryptKey = aesEncryptToBase64(keys.getSelfEncryptKey(), key, selfEncryptKeyIv);
 
       // approve the request
-      String approveCommand = VerbBuilders.enrollCommandBuilder()
-          .operation(VerbBuilders.EnrollOperation.approve)
+      String approveCommand = CommandBuilders.enrollCommandBuilder()
+          .operation(CommandBuilders.EnrollOperation.approve)
           .enrollmentId(enrollmentId)
           .encryptPrivateKey(encryptPrivateKey)
           .encryptPrivateKeyIv(privateKeyIv)
           .selfEncryptKey(selfEncryptKey)
           .selfEncryptKeyIv(selfEncryptKeyIv)
           .build();
-      String approveResponse = connection.sendSync(approveCommand);
+      String approveResponse = executor.sendSync(approveCommand);
 
       // check the response
       Map<String, String> response = matchDataJsonMapOfStrings(throwExceptionIfError(approveResponse));
@@ -238,32 +237,32 @@ public static void approve(AtClientConnection connection, AtKeys keys, Enrollmen
 
   }
 
-  public static void deny(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "deny", enrollmentId, "denied");
+  public static void deny(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(executor, "deny", enrollmentId, "denied");
   }
 
-  public static void revoke(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "revoke", enrollmentId, "revoked");
+  public static void revoke(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(executor, "revoke", enrollmentId, "revoked");
   }
 
-  public static void unrevoke(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "unrevoke", enrollmentId, "approved");
+  public static void unrevoke(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(executor, "unrevoke", enrollmentId, "approved");
   }
 
-  public static void delete(AtClientConnection connection, EnrollmentId enrollmentId) throws Exception {
-    singleArgEnrollAction(connection, "delete", enrollmentId, "deleted");
+  public static void delete(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
+    singleArgEnrollAction(executor, "delete", enrollmentId, "deleted");
   }
 
-  private static void singleArgEnrollAction(AtClientConnection connection,
+  private static void singleArgEnrollAction(AtCommandExecutor executor,
                                             String action,
                                             EnrollmentId enrollmentId,
                                             String expectedStatus)
       throws Exception {
-    String actionCommand = VerbBuilders.enrollCommandBuilder()
-        .operation(VerbBuilders.EnrollOperation.valueOf(action))
+    String actionCommand = CommandBuilders.enrollCommandBuilder()
+        .operation(CommandBuilders.EnrollOperation.valueOf(action))
         .enrollmentId(enrollmentId)
         .build();
-    String actionResponse = connection.sendSync(actionCommand);
+    String actionResponse = executor.sendSync(actionCommand);
     Map<String, String> map = matchDataJsonMapOfStrings(actionResponse);
     checkStatus(map, expectedStatus);
   }
@@ -284,30 +283,30 @@ private static void checkStatus(Map<String, ? extends Object> map, String expect
     }
   }
 
-  private static String keysGetSelfEncryptKey(AtClientConnection connection, AtSign atSign, AtKeys keys)
+  private static String keysGetSelfEncryptKey(AtCommandExecutor executor, AtSign atSign, AtKeys keys)
       throws AtException {
     String keyName = keys.getEnrollmentId() + "." + "default_self_enc_key" + ".__manage" + atSign;
-    return keysGet(connection, keyName, keys.getApkamSymmetricKey());
+    return keysGet(executor, keyName, keys.getApkamSymmetricKey());
   }
 
-  private static String keysGetEncryptPrivateKey(AtClientConnection connection, AtSign atSign, AtKeys keys)
+  private static String keysGetEncryptPrivateKey(AtCommandExecutor executor, AtSign atSign, AtKeys keys)
       throws AtException {
     String keyName = keys.getEnrollmentId() + "." + "default_enc_private_key" + ".__manage" + atSign;
-    return keysGet(connection, keyName, keys.getApkamSymmetricKey());
+    return keysGet(executor, keyName, keys.getApkamSymmetricKey());
   }
 
-  private static String keysGet(AtClientConnection connection, String keyName, String keyBase64) throws AtException {
+  private static String keysGet(AtCommandExecutor executor, String keyName, String keyBase64) throws AtException {
     try {
 
       // send a key:get command
-      String keysGetCommand = VerbBuilders.keysCommandBuilder()
-          .operation(VerbBuilders.KeysOperation.get)
+      String keysGetCommand = CommandBuilders.keysCommandBuilder()
+          .operation(CommandBuilders.KeysOperation.get)
           .keyName(keyName)
           .build();
-      String keyGetResponse = connection.sendSync(keysGetCommand);
+      String keyGetResponse = executor.sendSync(keysGetCommand);
 
       // unmarshall the encrypted value and the encryption iv that was used
-      Map<String, String> map = matchDataJsonMapOfStrings(Error.throwExceptionIfError(keyGetResponse));
+      Map<String, String> map = matchDataJsonMapOfStrings(throwExceptionIfError(keyGetResponse));
       String encryptedKey = map.get("value");
       String iv = map.get("iv");
 
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Error.java b/at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java
similarity index 82%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/Error.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java
index f7b227ab..c0ce8942 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Error.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java
@@ -1,17 +1,17 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.connection.protocol.AtExceptions.toTypedException;
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.commands.AtExceptions.toTypedException;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.atsign.common.AtException;
+import org.atsign.client.impl.exceptions.AtException;
 
 /**
  * Utility methods for handling error responses in the AtSign protocol
  */
-public class Error {
+public class ErrorResponses {
 
   /**
    * models server data response
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java
new file mode 100644
index 00000000..7a3baf25
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java
@@ -0,0 +1,82 @@
+package org.atsign.client.impl.commands;
+
+import static org.atsign.client.impl.commands.DataResponses.*;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.meta;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.api.AtKeyNames;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.Keys.AtKey;
+import org.atsign.client.api.Metadata;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Atsign Protocol utility code that relates to keys (the records) that are managed by an
+ * atserver.
+ *
+ */
+@Slf4j
+public class KeyCommands {
+
+  public static void deleteKey(AtCommandExecutor executor, String rawKey) throws AtException {
+    try {
+
+      // send a delete command
+      String deleteCommand = CommandBuilders.deleteCommandBuilder().rawKey(rawKey).build();
+      String deleteResponse = executor.sendSync(deleteCommand);
+
+      // verify command succeeded
+      DataResponses.matchDataInt(throwExceptionIfError(deleteResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static void deleteKey(AtCommandExecutor executor, AtKey key) throws AtException {
+    deleteKey(executor, key.rawKey());
+  }
+
+  public static List<AtKey> getKeys(AtCommandExecutor executor, String regex, boolean fetchMetadata)
+      throws AtException {
+
+    try {
+
+      // send scan command and decode response
+      String scanCommand = CommandBuilders.scanCommandBuilder().regex(regex).showHidden(true).build();
+      String scanResponse = executor.sendSync(scanCommand);
+      List<String> keyNames = matchDataJsonListOfStrings(throwExceptionIfError(scanResponse));
+
+      // build typed key instances from each key name (optionally looking up metadata)
+      List<AtKey> atKeys = new ArrayList<>();
+      for (String keyName : keyNames) {
+        if (!AtKeyNames.isManagementKeyName(keyName)) {
+          Metadata metadata = fetchMetadata ? fetchMetadata(executor, keyName) : null;
+          AtKey atKey = org.atsign.client.api.Keys.keyBuilder()
+              .rawKey(keyName)
+              .metadata(metadata)
+              .build();
+          atKeys.add(atKey);
+        }
+      }
+
+      return atKeys;
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static Metadata fetchMetadata(AtCommandExecutor executor, String keyName)
+      throws ExecutionException, InterruptedException, AtException {
+    String llookupCommand = CommandBuilders.llookupCommandBuilder().operation(meta).rawKey(keyName).build();
+    String llookupResponse = executor.sendSync(llookupCommand);
+    return matchMetadata(throwExceptionIfError(llookupResponse));
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/common/response_models/LookupResponse.java b/at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/common/response_models/LookupResponse.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java
index 7a354baf..3ee3e612 100644
--- a/at_client/src/main/java/org/atsign/common/response_models/LookupResponse.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java
@@ -1,6 +1,6 @@
-package org.atsign.common.response_models;
+package org.atsign.client.impl.commands;
 
-import org.atsign.common.Metadata;
+import org.atsign.client.api.Metadata;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java b/at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java
similarity index 75%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java
index d64fa8d2..8813cd42 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Notifications.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java
@@ -1,8 +1,8 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static org.atsign.client.api.AtEvents.AtEventType.*;
-import static org.atsign.client.connection.protocol.AtExceptions.throwOnReadyException;
-import static org.atsign.client.connection.protocol.Authentication.authenticateWithPkam;
+import static org.atsign.client.impl.commands.AtExceptions.throwOnReadyException;
+import static org.atsign.client.impl.commands.AuthenticationCommands.authenticateWithPkam;
 
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
@@ -13,9 +13,9 @@
 import lombok.extern.slf4j.Slf4j;
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
 
 /**
  * Utility methods for managing notifications within the AtSign protocol
@@ -27,19 +27,19 @@ public class Notifications {
    */
   protected static final Pattern NOTIFICATION_JSON_NON_EMPTY_MAP = Pattern.compile("notification:\\s*(\\{.+})");
 
-  public static Consumer<AtClientConnection> monitor(AtSign atSign, AtKeys keys, Consumer<String> consumer) {
-    return throwOnReadyException(connection -> monitor(connection, atSign, keys, consumer));
+  public static Consumer<AtCommandExecutor> monitor(AtSign atSign, AtKeys keys, Consumer<String> consumer) {
+    return throwOnReadyException(executor -> monitor(executor, atSign, keys, consumer));
   }
 
-  public static void monitor(AtClientConnection connection, AtSign atSign, AtKeys keys, Consumer<String> consumer)
+  public static void monitor(AtCommandExecutor executor, AtSign atSign, AtKeys keys, Consumer<String> consumer)
       throws AtException {
     try {
 
       // authenticate
-      authenticateWithPkam(connection, atSign, keys);
+      authenticateWithPkam(executor, atSign, keys);
 
       // send monitor command
-      connection.sendSync("monitor", consumer);
+      executor.sendSync("monitor", consumer);
 
     } catch (ExecutionException | InterruptedException e) {
       throw new RuntimeException(e);
@@ -52,7 +52,7 @@ public static Map<String, Object> matchNotification(String s) {
 
   /**
    * A {@link Consumer} that "bridges" to the {@link AtEvents.AtEventBus} api. This is intended
-   * to be used for invoking {@link AtClientConnection#send(String, Consumer, CompletableFuture)}
+   * to be used for invoking {@link AtCommandExecutor#send(String, Consumer, CompletableFuture)}
    *
    */
   @Slf4j
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java b/at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java
similarity index 54%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java
index 68000c28..a3b75128 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/PublicKeys.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java
@@ -1,47 +1,45 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.connection.protocol.Data.matchDataInt;
-import static org.atsign.client.connection.protocol.Data.matchLookupResponse;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-import static org.atsign.client.util.EncryptionUtil.signSHA256RSA;
-import static org.atsign.common.VerbBuilders.LookupOperation.all;
+import static org.atsign.client.impl.commands.DataResponses.matchDataInt;
+import static org.atsign.client.impl.commands.DataResponses.matchLookupResponse;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+import static org.atsign.client.impl.util.EncryptionUtils.signSHA256RSA;
+import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
 
 import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.Metadata;
-import org.atsign.common.VerbBuilders;
-import org.atsign.common.options.GetRequestOptions;
-import org.atsign.common.response_models.LookupResponse;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.api.Metadata;
+import org.atsign.client.api.AtClient.GetRequestOptions;
 
 /**
  * Atsign protocol utility code that relates to "public keys"
  *
  */
-public class PublicKeys {
+public class PublicKeyCommands {
 
-  public static String get(AtClientConnection conn, AtSign atSign, PublicKey key, GetRequestOptions options)
+  public static String get(AtCommandExecutor executor, AtSign atSign, PublicKey key, GetRequestOptions options)
       throws AtException {
     if (atSign.equals(key.sharedBy())) {
-      return getSharedByMe(conn, key);
+      return getSharedByMe(executor, key);
     } else {
-      return getSharedByOther(conn, key, options);
+      return getSharedByOther(executor, key, options);
     }
   }
 
-  public static String getSharedByMe(AtClientConnection conn, PublicKey publicKey) throws AtException {
+  public static String getSharedByMe(AtCommandExecutor executor, PublicKey publicKey) throws AtException {
     try {
 
       // send a local lookup command and decode the response
-      String llookupCommand = VerbBuilders.llookupCommandBuilder()
+      String llookupCommand = CommandBuilders.llookupCommandBuilder()
           .key(publicKey)
           .operation(all)
           .build();
-      String llookupResponse = conn.sendSync(llookupCommand);
+      String llookupResponse = executor.sendSync(llookupCommand);
       LookupResponse response = matchLookupResponse(throwExceptionIfError(llookupResponse));
 
       // set isCached in metadata
@@ -58,17 +56,17 @@ public static String getSharedByMe(AtClientConnection conn, PublicKey publicKey)
     }
   }
 
-  public static String getSharedByOther(AtClientConnection conn, PublicKey publicKey, GetRequestOptions options)
+  public static String getSharedByOther(AtCommandExecutor executor, PublicKey publicKey, GetRequestOptions options)
       throws AtException {
     try {
 
       // send public lookup command and decode the response
-      String plookupCommand = VerbBuilders.plookupCommandBuilder()
+      String plookupCommand = CommandBuilders.plookupCommandBuilder()
           .key(publicKey)
           .bypassCache(options != null ? options.isBypassCache() : null)
           .operation(all)
           .build();
-      String plookupResponse = conn.sendSync(plookupCommand);
+      String plookupResponse = executor.sendSync(plookupCommand);
       LookupResponse response = matchLookupResponse(throwExceptionIfError(plookupResponse));
 
       // set isCached in metadata
@@ -85,7 +83,8 @@ public static String getSharedByOther(AtClientConnection conn, PublicKey publicK
     }
   }
 
-  public static void put(AtClientConnection conn, AtKeys keys, PublicKey publicKey, String value) throws AtException {
+  public static void put(AtCommandExecutor executor, AtKeys keys, PublicKey publicKey, String value)
+      throws AtException {
     try {
 
       // add a signature to the metadata
@@ -95,8 +94,8 @@ public static void put(AtClientConnection conn, AtKeys keys, PublicKey publicKey
       publicKey.updateMissingMetadata(metadata);
 
       // send and update command
-      String updateCommand = VerbBuilders.updateCommandBuilder().key(publicKey).value(value).build();
-      String updateResponse = conn.sendSync(updateCommand);
+      String updateCommand = CommandBuilders.updateCommandBuilder().key(publicKey).value(value).build();
+      String updateResponse = executor.sendSync(updateCommand);
 
       // verify the response
       matchDataInt(throwExceptionIfError(updateResponse));
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java b/at_client/src/main/java/org/atsign/client/impl/commands/Responses.java
similarity index 80%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/Responses.java
index 8d6a3416..d6238927 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/Responses.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/Responses.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import com.fasterxml.jackson.core.type.TypeReference;
-import org.atsign.common.Json;
+import org.atsign.client.impl.util.JsonUtils;
 
 import java.util.List;
 import java.util.Map;
@@ -18,7 +18,7 @@ public class Responses {
 
   public static Map<String, String> decodeJsonMapOfStrings(String json) {
     try {
-      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
     } catch (Exception e) {
       throw new RuntimeException(e);
     }
@@ -26,7 +26,7 @@ public static Map<String, String> decodeJsonMapOfStrings(String json) {
 
   public static Map<String, Object> decodeJsonMapOfObjects(String json) {
     try {
-      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
     } catch (Exception e) {
       throw new RuntimeException(e);
     }
@@ -34,7 +34,7 @@ public static Map<String, Object> decodeJsonMapOfObjects(String json) {
 
   public static List<Object> decodeJsonList(String json) {
     try {
-      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
     } catch (Exception e) {
       throw new RuntimeException(e);
     }
@@ -42,7 +42,7 @@ public static List<Object> decodeJsonList(String json) {
 
   public static List<String> decodeJsonListOfStrings(String json) {
     try {
-      return Json.MAPPER.readValue(json, new TypeReference<>() {});
+      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
     } catch (Exception e) {
       throw new RuntimeException(e);
     }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java
new file mode 100644
index 00000000..8c39dffe
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java
@@ -0,0 +1,35 @@
+package org.atsign.client.impl.commands;
+
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtException;
+
+/**
+ * Atsign protocol utility code that relates querying the keys in an atserver.
+ *
+ */
+
+public class ScanCommands {
+
+  public static List<String> scan(AtCommandExecutor executor, boolean showHidden, String regex) throws AtException {
+    try {
+
+      // send scan command
+      String scanCommand = CommandBuilders.scanCommandBuilder()
+          .showHidden(showHidden)
+          .regex(regex)
+          .build();
+      String scanResponse = executor.sendSync(scanCommand);
+
+      // return unmarshalled key names
+      return DataResponses.matchDataJsonListOfStrings(throwExceptionIfError(scanResponse));
+
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java b/at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java
similarity index 53%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java
index 121f89f1..8b423b5c 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/SelfKeys.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java
@@ -1,35 +1,33 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtException;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.Metadata;
-import org.atsign.common.VerbBuilders;
-import org.atsign.common.response_models.LookupResponse;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.api.Metadata;
 
 import java.util.concurrent.ExecutionException;
 
-import static org.atsign.client.connection.protocol.Data.matchDataInt;
-import static org.atsign.client.connection.protocol.Data.matchLookupResponse;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.client.util.EncryptionUtil.aesEncryptToBase64;
-import static org.atsign.client.util.Preconditions.checkNotNull;
-import static org.atsign.common.VerbBuilders.LookupOperation.all;
+import static org.atsign.client.impl.commands.DataResponses.matchDataInt;
+import static org.atsign.client.impl.commands.DataResponses.matchLookupResponse;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
+import static org.atsign.client.impl.util.EncryptionUtils.aesEncryptToBase64;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
 
 /**
  * Atsign protocol utility code that relates to "self keys"
  *
  */
-public class SelfKeys {
+public class SelfKeyCommands {
 
-  public static String get(AtClientConnection conn, AtKeys keys, SelfKey key) throws AtException {
+  public static String get(AtCommandExecutor executor, AtKeys keys, SelfKey key) throws AtException {
     try {
 
       // send local lookup command and decode response
-      String llookupCommand = VerbBuilders.llookupCommandBuilder().key(key).operation(all).build();
-      String llookupResponse = conn.sendSync(llookupCommand);
+      String llookupCommand = CommandBuilders.llookupCommandBuilder().key(key).operation(all).build();
+      String llookupResponse = executor.sendSync(llookupCommand);
       LookupResponse response = matchLookupResponse(throwExceptionIfError(llookupResponse));
 
       // decrypt with my self encrypt key
@@ -46,7 +44,7 @@ public static String get(AtClientConnection conn, AtKeys keys, SelfKey key) thro
     }
   }
 
-  public static void put(AtClientConnection conn, AtKeys keys, SelfKey key, String value) throws AtException {
+  public static void put(AtCommandExecutor executor, AtKeys keys, SelfKey key, String value) throws AtException {
     try {
 
       // add signature and iv
@@ -60,11 +58,11 @@ public static void put(AtClientConnection conn, AtKeys keys, SelfKey key, String
       String encrypted = aesEncryptToBase64(value, keys.getSelfEncryptKey(), metadata.ivNonce());
 
       // send update command to store encrypted value
-      String updateCommand = VerbBuilders.updateCommandBuilder()
+      String updateCommand = CommandBuilders.updateCommandBuilder()
           .key(key)
           .value(encrypted)
           .build();
-      String updateResponse = conn.sendSync(updateCommand);
+      String updateResponse = executor.sendSync(updateCommand);
 
       // verify response
       matchDataInt(throwExceptionIfError(updateResponse));
diff --git a/at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java b/at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java
similarity index 58%
rename from at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java
rename to at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java
index 1006f4a1..35863eb9 100644
--- a/at_client/src/main/java/org/atsign/client/connection/protocol/SharedKeys.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java
@@ -1,65 +1,59 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static org.atsign.client.api.AtKeyNames.toSharedByMeKeyName;
-import static org.atsign.client.connection.protocol.Data.*;
-import static org.atsign.client.connection.protocol.Error.throwExceptionIfError;
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.client.util.Preconditions.checkNotNull;
-import static org.atsign.client.util.Preconditions.checkTrue;
-import static org.atsign.common.VerbBuilders.LookupOperation.all;
+import static org.atsign.client.impl.commands.DataResponses.*;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
+import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkTrue;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
 
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 
-import org.atsign.client.api.AtKeyNames;
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.util.EncryptionUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.Metadata;
-import org.atsign.common.VerbBuilders;
-import org.atsign.common.exceptions.AtKeyNotFoundException;
-import org.atsign.common.response_models.LookupResponse;
+import org.atsign.client.api.*;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.exceptions.AtKeyNotFoundException;
+import org.atsign.client.impl.util.EncryptionUtils;
 
 /**
  * Atsign protocol utility code that relates to "shared keys"
  *
  */
 
-public class SharedKeys {
+public class SharedKeyCommands {
 
-  public static String get(AtClientConnection conn, AtSign atSign, AtKeys keys, SharedKey key)
+  public static String get(AtCommandExecutor executor, AtSign atSign, AtKeys keys, SharedKey key)
       throws AtException {
     if (key.sharedBy().equals(atSign)) {
-      return getSharedByMe(conn, keys, key);
+      return getSharedByMe(executor, keys, key);
     } else if (key.sharedWith().equals(atSign)) {
-      return getSharedByOther(conn, keys, key);
+      return getSharedByOther(executor, keys, key);
     } else {
       throw new IllegalArgumentException("the client atsign is neither the sharedBy or sharedWith");
     }
   }
 
-  public static void put(AtClientConnection conn, AtSign atSign, AtKeys keys, SharedKey key, String value)
+  public static void put(AtCommandExecutor executor, AtSign atSign, AtKeys keys, SharedKey key, String value)
       throws AtException {
     checkTrue(key.sharedBy().equals(atSign), "sharedBy does not match this client's atsign");
     try {
 
       // get or create key for sharedBy - sharedWith
-      String aesKey = getEncryptKeySharedByMe(conn, keys, key);
+      String aesKey = getEncryptKeySharedByMe(executor, keys, key);
       if (aesKey == null) {
-        aesKey = createEncryptKey(conn, keys, key);
+        aesKey = createEncryptKey(executor, keys, key);
       }
 
       // encrypt the value
-      String iv = EncryptionUtil.generateRandomIvBase64(16);
+      String iv = EncryptionUtils.generateRandomIvBase64(16);
       key.updateMissingMetadata(Metadata.builder().ivNonce(iv).build());
       String encrypted = aesEncryptToBase64(value, aesKey, iv);
 
       // send an update command
-      String updateCommand = VerbBuilders.updateCommandBuilder().key(key).value(encrypted).build();
-      String updateResponse = conn.sendSync(updateCommand);
+      String updateCommand = CommandBuilders.updateCommandBuilder().key(key).value(encrypted).build();
+      String updateResponse = executor.sendSync(updateCommand);
 
       // verify the response
       matchDataInt(throwExceptionIfError(updateResponse));
@@ -69,15 +63,15 @@ public static void put(AtClientConnection conn, AtSign atSign, AtKeys keys, Shar
     }
   }
 
-  public static String getSharedByMe(AtClientConnection conn, AtKeys keys, SharedKey key) throws AtException {
+  public static String getSharedByMe(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
     try {
 
       // send local lookup command and decode
-      String llookupCommand = VerbBuilders.llookupCommandBuilder().key(key).operation(all).build();
-      LookupResponse llookupResponse = matchLookupResponse(throwExceptionIfError(conn.sendSync(llookupCommand)));
+      String llookupCommand = CommandBuilders.llookupCommandBuilder().key(key).operation(all).build();
+      LookupResponse llookupResponse = matchLookupResponse(throwExceptionIfError(executor.sendSync(llookupCommand)));
 
       // get my encrypt key for sharedBy sharedWith
-      String aesKey = checkNotNull(getEncryptKeySharedByMe(conn, keys, key), key + " not found");
+      String aesKey = checkNotNull(getEncryptKeySharedByMe(executor, keys, key), key + " not found");
 
       // return decrypted value
       return aesDecryptFromBase64(llookupResponse.data, aesKey, llookupResponse.metaData.ivNonce());
@@ -87,15 +81,15 @@ public static String getSharedByMe(AtClientConnection conn, AtKeys keys, SharedK
     }
   }
 
-  public static String getSharedByOther(AtClientConnection conn, AtKeys keys, SharedKey key) throws AtException {
+  public static String getSharedByOther(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
     try {
 
       // send lookup command and decode
-      String lookupCommand = VerbBuilders.lookupCommandBuilder().key(key).operation(all).build();
-      LookupResponse lookupResponse = matchLookupResponse(throwExceptionIfError(conn.sendSync(lookupCommand)));
+      String lookupCommand = CommandBuilders.lookupCommandBuilder().key(key).operation(all).build();
+      LookupResponse lookupResponse = matchLookupResponse(throwExceptionIfError(executor.sendSync(lookupCommand)));
 
       // get my encrypt key for sharedBy sharedWith
-      String shareEncryptionKey = getEncryptKeySharedByOther(conn, keys, key);
+      String shareEncryptionKey = getEncryptKeySharedByOther(executor, keys, key);
 
       // return decrypted value
       return aesDecryptFromBase64(lookupResponse.data, shareEncryptionKey, lookupResponse.metaData.ivNonce());
@@ -105,7 +99,8 @@ public static String getSharedByOther(AtClientConnection conn, AtKeys keys, Shar
     }
   }
 
-  public static String getEncryptKeySharedByMe(AtClientConnection conn, AtKeys keys, SharedKey key) throws AtException {
+  public static String getEncryptKeySharedByMe(AtCommandExecutor executor, AtKeys keys, SharedKey key)
+      throws AtException {
     try {
 
       String keyName = AtKeyNames.toSharedByMeKeyName(key.sharedWith());
@@ -115,15 +110,15 @@ public static String getEncryptKeySharedByMe(AtClientConnection conn, AtKeys key
       }
 
       // send local lookup command for sharedKey
-      String llookupCommand = VerbBuilders.llookupCommandBuilder()
+      String llookupCommand = CommandBuilders.llookupCommandBuilder()
           .keyName(toSharedByMeKeyName(key.sharedWith()))
           .sharedBy(key.sharedBy())
           .build();
-      String llookupResponse = conn.sendSync(llookupCommand);
+      String llookupResponse = executor.sendSync(llookupCommand);
 
       try {
         // decrypt the key
-        String encrypted = Data.matchDataStringNoWhitespace(throwExceptionIfError(llookupResponse));
+        String encrypted = DataResponses.matchDataStringNoWhitespace(throwExceptionIfError(llookupResponse));
         aesKey = rsaDecryptFromBase64(encrypted, keys.getEncryptPrivateKey());
 
         // store in keys
@@ -138,7 +133,7 @@ public static String getEncryptKeySharedByMe(AtClientConnection conn, AtKeys key
     }
   }
 
-  public static String getEncryptKeySharedByOther(AtClientConnection conn, AtKeys keys, SharedKey key)
+  public static String getEncryptKeySharedByOther(AtCommandExecutor executor, AtKeys keys, SharedKey key)
       throws AtException {
     try {
 
@@ -150,11 +145,11 @@ public static String getEncryptKeySharedByOther(AtClientConnection conn, AtKeys
       }
 
       // otherwise send lookup
-      String lookupCommand = VerbBuilders.lookupCommandBuilder()
+      String lookupCommand = CommandBuilders.lookupCommandBuilder()
           .keyName(AtKeyNames.SHARED_KEY)
           .sharedBy(key.sharedBy())
           .build();
-      String lookupResponse = conn.sendSync(lookupCommand);
+      String lookupResponse = executor.sendSync(lookupCommand);
 
       // decrypt with my private key
       String encrypted = matchDataStringNoWhitespace(throwExceptionIfError(lookupResponse));
@@ -170,26 +165,26 @@ public static String getEncryptKeySharedByOther(AtClientConnection conn, AtKeys
     }
   }
 
-  public static String createEncryptKey(AtClientConnection connection, AtKeys keys, SharedKey key) throws AtException {
+  public static String createEncryptKey(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
     try {
 
       // generate a new encrypt key
-      String aesKey = EncryptionUtil.generateAESKeyBase64();
+      String aesKey = EncryptionUtils.generateAESKeyBase64();
 
       // compose an update command to store this key encrypted with this (sharedBy) atsign's public key
       String encryptedForMe = rsaEncryptToBase64(aesKey, keys.getEncryptPublicKey());
-      String updateForUsCommand = VerbBuilders.updateCommandBuilder()
+      String updateForUsCommand = CommandBuilders.updateCommandBuilder()
           .keyName(toSharedByMeKeyName(key.sharedWith()))
           .sharedBy(key.sharedBy())
           .value(encryptedForMe)
           .build();
 
       // get the other (sharedWith) atsign's public key
-      String otherPublicKey = getEncryptKey(connection, key.sharedWith());
+      String otherPublicKey = getEncryptKey(executor, key.sharedWith());
 
       // compose an update command to store this key encrypted with the other (sharedWith) atsign's public key
       String encryptedForOther = rsaEncryptToBase64(aesKey, otherPublicKey);
-      String updateForOtherCommand = VerbBuilders.updateCommandBuilder()
+      String updateForOtherCommand = CommandBuilders.updateCommandBuilder()
           .keyName(AtKeyNames.SHARED_KEY)
           .sharedBy(key.sharedBy())
           .sharedWith(key.sharedWith())
@@ -198,8 +193,8 @@ public static String createEncryptKey(AtClientConnection connection, AtKeys keys
           .build();
 
       // send the update commands
-      connection.sendSync(updateForUsCommand);
-      connection.sendSync(updateForOtherCommand);
+      executor.sendSync(updateForUsCommand);
+      executor.sendSync(updateForOtherCommand);
 
       keys.put(AtKeyNames.toSharedByMeKeyName(key.sharedWith()), aesKey);
 
@@ -211,15 +206,15 @@ public static String createEncryptKey(AtClientConnection connection, AtKeys keys
     }
   }
 
-  public static String getEncryptKey(AtClientConnection connection, AtSign sharedBy) throws AtException {
+  public static String getEncryptKey(AtCommandExecutor executor, AtSign sharedBy) throws AtException {
     try {
 
       // send plookup for atsign's public encryption key
-      String plookupCommand = VerbBuilders.plookupCommandBuilder()
+      String plookupCommand = CommandBuilders.plookupCommandBuilder()
           .keyName(AtKeyNames.PUBLIC_ENCRYPT)
           .sharedBy(sharedBy)
           .build();
-      String plookupResponse = connection.sendSync(plookupCommand);
+      String plookupResponse = executor.sendSync(plookupCommand);
 
       // return key
       return matchDataStringNoWhitespace(throwExceptionIfError(plookupResponse));
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/package-info.java b/at_client/src/main/java/org/atsign/client/impl/commands/package-info.java
new file mode 100644
index 00000000..87ca5e1c
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/package-info.java
@@ -0,0 +1,5 @@
+/**
+ * Utilities which can perform composite AtProtocol functions such as authentication,
+ * atsign onboarding / enrollment, key manipulation and notification handling.
+ */
+package org.atsign.client.impl.commands;
diff --git a/at_client/src/main/java/org/atsign/client/connection/common/Command.java b/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
similarity index 82%
rename from at_client/src/main/java/org/atsign/client/connection/common/Command.java
rename to at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
index f0b12c10..8cd620e6 100644
--- a/at_client/src/main/java/org/atsign/client/connection/common/Command.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.common;
+package org.atsign.client.impl.common;
 
 import java.util.concurrent.CompletableFuture;
 import java.util.function.Consumer;
@@ -6,7 +6,7 @@
 /**
  * An "element" / holder for commands
  */
-public class Command {
+public class CommandElement {
 
   private final String text;
 
@@ -18,7 +18,7 @@ public class Command {
 
   private final boolean isOnReady;
 
-  public Command(String text, CompletableFuture<String> future, long timestampMillis, boolean isOnReady) {
+  public CommandElement(String text, CompletableFuture<String> future, long timestampMillis, boolean isOnReady) {
     this.text = text;
     this.future = future;
     this.consumer = null;
@@ -26,8 +26,8 @@ public Command(String text, CompletableFuture<String> future, long timestampMill
     this.isOnReady = isOnReady;
   }
 
-  public Command(String text, CompletableFuture<Void> future, Consumer<String> consumer, long timestampMillis,
-                 boolean isOnReady) {
+  public CommandElement(String text, CompletableFuture<Void> future, Consumer<String> consumer, long timestampMillis,
+                        boolean isOnReady) {
     this.text = text;
     this.future = future;
     this.consumer = consumer;
@@ -81,7 +81,7 @@ public boolean isConsumerCommand() {
     return consumer != null;
   }
 
-  public static boolean isConsumerCommand(Command command) {
+  public static boolean isConsumerCommand(CommandElement command) {
     return command != null && command.isConsumerCommand();
   }
 
diff --git a/at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java b/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
similarity index 65%
rename from at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java
rename to at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
index 32ce7f06..94f2bb24 100644
--- a/at_client/src/main/java/org/atsign/client/connection/common/CommandQueue.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.common;
+package org.atsign.client.impl.common;
 
-import static org.atsign.client.connection.common.Command.isConsumerCommand;
-import static org.atsign.client.connection.netty.NettyAtClientConnection.isPrompt;
+import static org.atsign.client.impl.common.CommandElement.isConsumerCommand;
+import static org.atsign.client.impl.netty.NettyAtCommandExecutor.isPrompt;
 
 import java.util.Collection;
 import java.util.Deque;
@@ -13,18 +13,18 @@
 import java.util.stream.Collectors;
 
 /**
- * A queue of {@link Command} elements. This is used to hold pending commands, those
+ * A queue of {@link CommandElement} elements. This is used to hold pending commands, those
  * commands which have been sent but no response has been received (or event commands
  * where there will be a stream of responses). It is also used to hold queued commands
  * in the event that the pending {@link CommandQueue} is full.
  */
-public class CommandQueue implements Iterable<Command> {
+public class CommandQueue implements Iterable<CommandElement> {
 
   private final int capacity;
 
-  private final Deque<Command> commands = new ConcurrentLinkedDeque<>();
+  private final Deque<CommandElement> commands = new ConcurrentLinkedDeque<>();
 
-  private final Deque<Command> consumers = new ConcurrentLinkedDeque<>();
+  private final Deque<CommandElement> consumers = new ConcurrentLinkedDeque<>();
 
   public CommandQueue(int capacity) {
     this.capacity = capacity;
@@ -36,7 +36,7 @@ public void clear() {
   }
 
   public int drain(CommandQueue queue) {
-    Command command;
+    CommandElement command;
     int count = 0;
     while ((command = queue.poll()) != null) {
       commands.addFirst(command);
@@ -45,11 +45,11 @@ public int drain(CommandQueue queue) {
     return count;
   }
 
-  public void removeIf(Predicate<Command> predicate) {
+  public void removeIf(Predicate<CommandElement> predicate) {
     commands.removeIf(predicate);
   }
 
-  public boolean offer(Command command) {
+  public boolean offer(CommandElement command) {
     if (command.isConsumerCommand() && hasConsumerCommand()) {
       // TODO: allow replacement of existing command where the verb matches
       return false;
@@ -62,14 +62,14 @@ public boolean offer(Command command) {
     }
   }
 
-  public Command pop(String response) {
-    Command command = null;
+  public CommandElement pop(String response) {
+    CommandElement command = null;
     if (isPrompt(response)) {
       if (isConsumerCommand(commands.peek())) {
         command = commands.pop();
         consumers.add(command);
       }
-    } else if (Command.isConsumerResponse(response)) {
+    } else if (CommandElement.isConsumerResponse(response)) {
       if (isConsumerCommand(commands.peek())) {
         consumers.add(pollFirst(response));
       }
@@ -80,11 +80,11 @@ public Command pop(String response) {
     return command;
   }
 
-  public Command poll() {
+  public CommandElement poll() {
     return commands.pollFirst();
   }
 
-  public Command peek() {
+  public CommandElement peek() {
     return commands.peekFirst();
   }
 
@@ -100,16 +100,16 @@ public int getQueueCapacity() {
     return capacity;
   }
 
-  public Collection<Command> pollTimedOut(long timeoutMillis) {
-    Collection<Command> list = commands.stream()
+  public Collection<CommandElement> pollTimedOut(long timeoutMillis) {
+    Collection<CommandElement> list = commands.stream()
         .filter(command -> command.isTimedOut(timeoutMillis))
         .collect(Collectors.toList());
     commands.removeAll(list);
     return list;
   }
 
-  public Collection<Command> pollIsOnReady() {
-    Collection<Command> list = commands.stream()
+  public Collection<CommandElement> pollIsOnReady() {
+    Collection<CommandElement> list = commands.stream()
         .filter(command -> command.isOnReady())
         .collect(Collectors.toList());
     commands.removeAll(list);
@@ -117,17 +117,17 @@ public Collection<Command> pollIsOnReady() {
   }
 
   @Override
-  public Iterator<Command> iterator() {
+  public Iterator<CommandElement> iterator() {
     return commands.iterator();
   }
 
   @Override
-  public void forEach(Consumer<? super Command> action) {
+  public void forEach(Consumer<? super CommandElement> action) {
     commands.forEach(action);
   }
 
   @Override
-  public Spliterator<Command> spliterator() {
+  public Spliterator<CommandElement> spliterator() {
     return commands.spliterator();
   }
 
@@ -138,10 +138,10 @@ public boolean hasConsumerCommand() {
     return commands.stream().filter(c -> c.isConsumerCommand()).findAny().orElse(null) != null;
   }
 
-  private Command pollFirst(String response) {
-    Iterator<Command> it = commands.iterator();
+  private CommandElement pollFirst(String response) {
+    Iterator<CommandElement> it = commands.iterator();
     while (it.hasNext()) {
-      Command command = it.next();
+      CommandElement command = it.next();
       if (command.isMatch(response)) {
         it.remove();
         return command;
diff --git a/at_client/src/main/java/org/atsign/client/util/EnrollmentId.java b/at_client/src/main/java/org/atsign/client/impl/common/EnrollmentId.java
similarity index 65%
rename from at_client/src/main/java/org/atsign/client/util/EnrollmentId.java
rename to at_client/src/main/java/org/atsign/client/impl/common/EnrollmentId.java
index 44a1cf3e..1eee0cee 100644
--- a/at_client/src/main/java/org/atsign/client/util/EnrollmentId.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/EnrollmentId.java
@@ -1,8 +1,10 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.common;
+
+import org.atsign.client.api.AtSign;
 
 /**
- * Identifier that represent a specific {@link org.atsign.common.AtSign} enrollment
- * and association with a specific key pair used for authentication management (PKAM)
+ * Identifier that represent a specific {@link AtSign} enrollment
+ * and association with a specific key pair used for authentication management (PKAM).
  */
 public class EnrollmentId extends TypedString {
 
diff --git a/at_client/src/main/java/org/atsign/client/util/Preconditions.java b/at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java
similarity index 97%
rename from at_client/src/main/java/org/atsign/client/util/Preconditions.java
rename to at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java
index 7d07b074..b01751f9 100644
--- a/at_client/src/main/java/org/atsign/client/util/Preconditions.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java
@@ -1,4 +1,4 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.common;
 
 import java.io.File;
 import java.util.function.Predicate;
diff --git a/at_client/src/main/java/org/atsign/client/api/impl/events/SimpleAtEventBus.java b/at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java
similarity index 94%
rename from at_client/src/main/java/org/atsign/client/api/impl/events/SimpleAtEventBus.java
rename to at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java
index 77faa580..cb30a7a8 100644
--- a/at_client/src/main/java/org/atsign/client/api/impl/events/SimpleAtEventBus.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java
@@ -1,4 +1,4 @@
-package org.atsign.client.api.impl.events;
+package org.atsign.client.impl.common;
 
 import lombok.extern.slf4j.Slf4j;
 
@@ -14,7 +14,7 @@
 import java.util.concurrent.Executors;
 
 /**
- * In memory implementation of {@link AtEventBus} which will asynchronously dispatch
+ * Simple implementation of {@link AtEventBus} which will asynchronously dispatch
  * events to registered listeners.
  */
 @Slf4j
diff --git a/at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java
similarity index 94%
rename from at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java
rename to at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java
index a97c7d37..1d593a04 100644
--- a/at_client/src/main/java/org/atsign/client/connection/common/SimpleReconnectStrategy.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.common;
+package org.atsign.client.impl.common;
 
 import lombok.Builder;
-import org.atsign.client.connection.api.ReconnectStrategy;
+import org.atsign.client.impl.ReconnectStrategy;
 
 import java.util.concurrent.TimeUnit;
 
diff --git a/at_client/src/main/java/org/atsign/client/util/TypedString.java b/at_client/src/main/java/org/atsign/client/impl/common/TypedString.java
similarity index 73%
rename from at_client/src/main/java/org/atsign/client/util/TypedString.java
rename to at_client/src/main/java/org/atsign/client/impl/common/TypedString.java
index 31e83071..a01b1a57 100644
--- a/at_client/src/main/java/org/atsign/client/util/TypedString.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/TypedString.java
@@ -1,9 +1,9 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.common;
 
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 /**
- * Base class for simple classes have String values
+ * Base class for simple classes have String values.
  */
 public abstract class TypedString {
 
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtBlockedConnectionException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtBlockedConnectionException.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtBlockedConnectionException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtBlockedConnectionException.java
index 8a9c9ef8..4299b1ee 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtBlockedConnectionException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtBlockedConnectionException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This will occur when a blocked user tries to connect to the atServer.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtBufferOverFlowException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtBufferOverFlowException.java
similarity index 80%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtBufferOverFlowException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtBufferOverFlowException.java
index e8ee9f76..9591994e 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtBufferOverFlowException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtBufferOverFlowException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception occurs when input/output message size reaches the maximum limit configured in the
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtClientConfigException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtClientConfigException.java
similarity index 82%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtClientConfigException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtClientConfigException.java
index fe9250af..18f73057 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtClientConfigException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtClientConfigException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs when configuration required to create an {@link org.atsign.client.api.AtClient} is
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtDecryptionException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtDecryptionException.java
similarity index 72%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtDecryptionException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtDecryptionException.java
index c7e76a8d..935e2bf0 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtDecryptionException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtDecryptionException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs when attempt to decrypt fails
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtEncryptionException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtEncryptionException.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtEncryptionException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtEncryptionException.java
index 7855eec2..fa819e2f 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtEncryptionException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtEncryptionException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs when attempt to encrypt fails
diff --git a/at_client/src/main/java/org/atsign/common/AtException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java
similarity index 90%
rename from at_client/src/main/java/org/atsign/common/AtException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java
index 1909fe58..582d9927 100644
--- a/at_client/src/main/java/org/atsign/common/AtException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Base class for all Atsign Platform {@link Exception}s
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtHandShakeException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtHandShakeException.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtHandShakeException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtHandShakeException.java
index ac1fa11b..7909428e 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtHandShakeException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtHandShakeException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception is for any exception during the handshake process of two atServers.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtIllegalArgumentException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtIllegalArgumentException.java
similarity index 76%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtIllegalArgumentException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtIllegalArgumentException.java
index a1719c89..24b07112 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtIllegalArgumentException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtIllegalArgumentException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs when command argument provided is invalid
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtInboundConnectionLimitException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInboundConnectionLimitException.java
similarity index 80%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtInboundConnectionLimitException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtInboundConnectionLimitException.java
index c8fd1bdd..928ca1eb 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtInboundConnectionLimitException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInboundConnectionLimitException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception will occur when the number of active clients reaches the maximum limit configured.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtInternalServerError.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInternalServerError.java
similarity index 75%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtInternalServerError.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtInternalServerError.java
index f82d383b..adf37eb3 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtInternalServerError.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInternalServerError.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This is for any server related errors.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtInternalServerException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInternalServerException.java
similarity index 77%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtInternalServerException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtInternalServerException.java
index 1e36b55a..ea12bddf 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtInternalServerException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInternalServerException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception is used for any server related exceptions.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtInvalidAtKeyException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInvalidAtKeyException.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtInvalidAtKeyException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtInvalidAtKeyException.java
index 0fd5a695..c3b3f565 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtInvalidAtKeyException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInvalidAtKeyException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs when AtKey string is null, the wrong format or contains unsupported characters
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtInvalidSyntaxException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInvalidSyntaxException.java
similarity index 74%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtInvalidSyntaxException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtInvalidSyntaxException.java
index f318e3c6..650c21b1 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtInvalidSyntaxException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtInvalidSyntaxException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions.AtExceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Exception occurs if we give any invalid command to the server.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtKeyNotFoundException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtKeyNotFoundException.java
similarity index 78%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtKeyNotFoundException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtKeyNotFoundException.java
index 7f313a90..a79e99f5 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtKeyNotFoundException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtKeyNotFoundException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception will be thrown when the key is not available for encryption/decryption.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtNewErrorCodeWhoDisException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtNewErrorCodeWhoDisException.java
similarity index 75%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtNewErrorCodeWhoDisException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtNewErrorCodeWhoDisException.java
index b9664763..75005c7e 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtNewErrorCodeWhoDisException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtNewErrorCodeWhoDisException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Server exception with unrecognized error code
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtOnReadyException.java
similarity index 73%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtOnReadyException.java
index cb470be3..988a96a9 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtOnReadyException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtOnReadyException.java
@@ -1,11 +1,13 @@
-package org.atsign.common.exceptions;
+package org.atsign.client.impl.exceptions;
+
+import org.atsign.client.api.AtCommandExecutor;
 
 import java.util.function.Consumer;
 
 /**
  * A {@link RuntimeException} that is used to communicate fatal exception
  * in the execution of an OnReady consumer.
- * See {@link org.atsign.client.connection.api.AtClientConnection#onReady(Consumer)}.
+ * See {@link AtCommandExecutor#onReady(Consumer)}.
  */
 public class AtOnReadyException extends RuntimeException {
 
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtOutboundConnectionLimitException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtOutboundConnectionLimitException.java
similarity index 81%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtOutboundConnectionLimitException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtOutboundConnectionLimitException.java
index 9f7a926f..e20b359c 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtOutboundConnectionLimitException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtOutboundConnectionLimitException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Exception occurs when the number of open connections to other atServers reaches the maximum limit
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtRegistrarException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtRegistrarException.java
similarity index 79%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtRegistrarException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtRegistrarException.java
index 00dd2d08..ed61621c 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtRegistrarException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtRegistrarException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs if there is an exception during registration
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtResponseHandlingException.java
similarity index 79%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtResponseHandlingException.java
index f9ee5fbf..031214bc 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtResponseHandlingException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtResponseHandlingException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs if response cannot be decoded
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtSecondaryConnectException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtSecondaryConnectException.java
similarity index 83%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtSecondaryConnectException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtSecondaryConnectException.java
index 50658ff9..e3d8ed0a 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtSecondaryConnectException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtSecondaryConnectException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception will occur when we are unable to connect to an atServer.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtSecondaryNotFoundException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtSecondaryNotFoundException.java
similarity index 85%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtSecondaryNotFoundException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtSecondaryNotFoundException.java
index 64ae9b55..a7808c1b 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtSecondaryNotFoundException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtSecondaryNotFoundException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Exception occurs when an atServer tries to connect to another atServer which is not available in
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtServerIsPausedException.java
similarity index 75%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtServerIsPausedException.java
index 9c7e6593..6a27a1ad 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtServerIsPausedException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtServerIsPausedException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs when the AtServer has been paused
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtServerRuntimeException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtServerRuntimeException.java
similarity index 74%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtServerRuntimeException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtServerRuntimeException.java
index e9e81861..374e4967 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtExceptions/AtServerRuntimeException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtServerRuntimeException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions.AtExceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Exception occurs when there is an issue while starting the server.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtTimeoutException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtTimeoutException.java
similarity index 75%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtTimeoutException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtTimeoutException.java
index 370a2d1a..3d3380db 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtTimeoutException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtTimeoutException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Exception occurs when there is a timeout in the server.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtUnauthenticatedException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnauthenticatedException.java
similarity index 80%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtUnauthenticatedException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnauthenticatedException.java
index a8e294d3..395e9695 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtUnauthenticatedException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnauthenticatedException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * This exception occurs when client authentication fails or client tries to execute any verb which
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtUnauthorizedException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnauthorizedException.java
similarity index 77%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtUnauthorizedException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnauthorizedException.java
index 7da9332e..89092947 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtUnauthorizedException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnauthorizedException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Will occur when an unsuccessful handshake happens between two atServers.
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnknownResponseException.java
similarity index 73%
rename from at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnknownResponseException.java
index a06f842d..2235a7b4 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/AtUnknownResponseException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtUnknownResponseException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs if response does not have a recognized structure
diff --git a/at_client/src/main/java/org/atsign/common/exceptions/MalformedKeyException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/MalformedKeyException.java
similarity index 70%
rename from at_client/src/main/java/org/atsign/common/exceptions/MalformedKeyException.java
rename to at_client/src/main/java/org/atsign/client/impl/exceptions/MalformedKeyException.java
index 95a1f6d9..af43259b 100644
--- a/at_client/src/main/java/org/atsign/common/exceptions/MalformedKeyException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/MalformedKeyException.java
@@ -1,6 +1,4 @@
-package org.atsign.common.exceptions;
-
-import org.atsign.common.AtException;
+package org.atsign.client.impl.exceptions;
 
 /**
  * Occurs if AtKey string cannot be decoded
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java
similarity index 93%
rename from at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java
rename to at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java
index 7a445b19..6a9404e6 100644
--- a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtCommandEncoder.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.ByteBufUtil;
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
similarity index 84%
rename from at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java
rename to at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
index 5412a795..8f960a08 100644
--- a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtClientConnection.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
@@ -1,8 +1,8 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import static java.util.concurrent.CompletableFuture.failedFuture;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 import java.io.IOException;
 import java.time.Clock;
@@ -16,17 +16,17 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.api.AtEndpointSupplier;
-import org.atsign.client.connection.api.ReconnectStrategy;
-import org.atsign.client.connection.common.Command;
-import org.atsign.client.connection.common.CommandQueue;
-import org.atsign.client.util.Preconditions;
-import org.atsign.common.AtException;
-import org.atsign.common.exceptions.AtOnReadyException;
-import org.atsign.common.exceptions.AtSecondaryConnectException;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
-import org.atsign.common.exceptions.AtTimeoutException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.AtEndpointSupplier;
+import org.atsign.client.impl.ReconnectStrategy;
+import org.atsign.client.impl.common.CommandElement;
+import org.atsign.client.impl.common.CommandQueue;
+import org.atsign.client.impl.common.Preconditions;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.exceptions.AtOnReadyException;
+import org.atsign.client.impl.exceptions.AtSecondaryConnectException;
+import org.atsign.client.impl.exceptions.AtSecondaryNotFoundException;
+import org.atsign.client.impl.exceptions.AtTimeoutException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -45,7 +45,7 @@
 /**
  * An implementation that uses Netty
  */
-public class NettyAtClientConnection implements AtClientConnection {
+public class NettyAtCommandExecutor implements AtCommandExecutor {
 
   public static final long DEFAULT_COMMAND_TIMEOUT_MILLIS = TimeUnit.SECONDS.toMillis(2);
   public static final long DEFAULT_HEARTBEAT_MILLIS = TimeUnit.SECONDS.toMillis(30);
@@ -88,7 +88,7 @@ String toLowerCase() {
   private final CommandQueue pending;
   private final CommandQueue queue;
 
-  private final AtomicReference<Consumer<AtClientConnection>> onReadyConsumer = new AtomicReference<>();
+  private final AtomicReference<Consumer<AtCommandExecutor>> onReadyConsumer = new AtomicReference<>();
 
   private final long timeoutMillis;
 
@@ -104,7 +104,7 @@ String toLowerCase() {
 
   /**
    * Builder method for instantiating instances of a Netty based implementation of
-   * {@link AtClientConnection}
+   * {@link AtCommandExecutor}
    *
    * @param endpoint A supplier that will be invoked prior to connection attempts, need to return
    *        host:port
@@ -124,19 +124,19 @@ String toLowerCase() {
    * @param log Optional implementation of {@link Logger}. Defaults to classname.
    */
   @Builder
-  protected NettyAtClientConnection(AtEndpointSupplier endpoint,
-                                    Integer maxFrameLength,
-                                    SSLContext sslContext,
-                                    ReconnectStrategy reconnect,
-                                    Consumer<AtClientConnection> onReady,
-                                    ThreadFactory threadFactory,
-                                    Long timeoutMillis,
-                                    Long heartbeatMillis,
-                                    Integer queueLimit,
-                                    Long awaitReadyMillis,
-                                    Boolean isVerbose,
-                                    Clock clock,
-                                    Logger log)
+  protected NettyAtCommandExecutor(AtEndpointSupplier endpoint,
+                                   Integer maxFrameLength,
+                                   SSLContext sslContext,
+                                   ReconnectStrategy reconnect,
+                                   Consumer<AtCommandExecutor> onReady,
+                                   ThreadFactory threadFactory,
+                                   Long timeoutMillis,
+                                   Long heartbeatMillis,
+                                   Integer queueLimit,
+                                   Long awaitReadyMillis,
+                                   Boolean isVerbose,
+                                   Clock clock,
+                                   Logger log)
       throws AtException {
     this.endpointSupplier = Preconditions.checkNotNull(endpoint, "endpoint is not set");
     this.maxFrameLength = defaultIfUnset(maxFrameLength, DEFAULT_MAX_FRAME_LENGTH);
@@ -178,9 +178,9 @@ protected NettyAtClientConnection(AtEndpointSupplier endpoint,
   }
 
   /**
-   * A builder for instantiating {@link NettyAtClientConnection} instances.
+   * A builder for instantiating {@link NettyAtCommandExecutor} instances.
    */
-  public static class NettyAtClientConnectionBuilder {
+  public static class NettyAtCommandExecutorBuilder {
     // required for javadoc
   };
 
@@ -191,7 +191,7 @@ public void send(String command, CompletableFuture<String> future) {
     } else if (threadFactory.isCurrentThreadMyThread()) {
       throw new RuntimeException("send on netty event thread is prohibited");
     } else {
-      group.execute(() -> send(new Command(command, future, clock.millis(), false)));
+      group.execute(() -> send(new CommandElement(command, future, clock.millis(), false)));
     }
   }
 
@@ -199,11 +199,11 @@ public void send(String command, CompletableFuture<String> future) {
   public String sendSync(String command) throws ExecutionException, InterruptedException {
     CompletableFuture<String> future = new CompletableFuture<>();
     if (threadFactory.isCurrentThreadOnReadyThread()) {
-      send(new Command(command, future, clock.millis(), true));
+      send(new CommandElement(command, future, clock.millis(), true));
     } else if (threadFactory.isCurrentThreadMyThread()) {
       throw new ExecutionException("send on netty event thread is prohibited", null);
     } else {
-      group.execute(() -> send(new Command(command, future, clock.millis(), false)));
+      group.execute(() -> send(new CommandElement(command, future, clock.millis(), false)));
     }
     return future.get();
   }
@@ -215,7 +215,7 @@ public void send(String command, Consumer<String> consumer, CompletableFuture<Vo
     } else if (threadFactory.isCurrentThreadMyThread()) {
       throw new RuntimeException("send on netty event thread is prohibited");
     } else {
-      group.execute(() -> send(new Command(command, future, consumer, clock.millis(), false)));
+      group.execute(() -> send(new CommandElement(command, future, consumer, clock.millis(), false)));
     }
   }
 
@@ -223,17 +223,17 @@ public void send(String command, Consumer<String> consumer, CompletableFuture<Vo
   public void sendSync(String command, Consumer<String> consumer) throws ExecutionException, InterruptedException {
     CompletableFuture<Void> future = new CompletableFuture<>();
     if (threadFactory.isCurrentThreadOnReadyThread()) {
-      send(new Command(command, future, consumer, clock.millis(), true));
+      send(new CommandElement(command, future, consumer, clock.millis(), true));
     } else if (threadFactory.isCurrentThreadMyThread()) {
       throw new ExecutionException("send on netty event thread is prohibited", null);
     } else {
-      group.execute(() -> send(new Command(command, future, consumer, clock.millis(), true)));
+      group.execute(() -> send(new CommandElement(command, future, consumer, clock.millis(), true)));
     }
     future.get();
   }
 
   @Override
-  public AtClientConnection onReady(Consumer<AtClientConnection> consumer) {
+  public AtCommandExecutor onReady(Consumer<AtCommandExecutor> consumer) {
     checkNotNull(consumer, "null");
     try {
       readyingLock.lock();
@@ -319,7 +319,7 @@ private void checkForTimeouts() {
   }
 
   private void checkForTimeout(CommandQueue commands, long timeoutMillis, String message) {
-    Collection<Command> expired = commands.pollTimedOut(clock.millis() - timeoutMillis);
+    Collection<CommandElement> expired = commands.pollTimedOut(clock.millis() - timeoutMillis);
     if (!expired.isEmpty()) {
       AtTimeoutException ex = new AtTimeoutException(message);
       expired.forEach(x -> x.completeExceptionally(ex));
@@ -331,12 +331,12 @@ private void checkForTimeout(CommandQueue commands, long timeoutMillis, String m
 
   private void sendHeartbeat() {
     if (isReady() && (clock.millis() - lastReadMillis) > heartbeatMillis) {
-      writeAndFlushCommand(new Command("noop:0", null, 0, false));
+      writeAndFlushCommand(new CommandElement("noop:0", null, 0, false));
     }
   }
 
   private void completeIsOnReadyExceptionally(CommandQueue commands, String message) {
-    Collection<Command> isOnReadyCommands = commands.pollIsOnReady();
+    Collection<CommandElement> isOnReadyCommands = commands.pollIsOnReady();
     if (!isOnReadyCommands.isEmpty()) {
       AtTimeoutException ex = new AtTimeoutException(message);
       isOnReadyCommands.forEach(x -> x.completeExceptionally(ex));
@@ -355,7 +355,7 @@ private void scheduleReconnect() {
     }
     boolean isForceReconnect = this.isForceReconnect.getAndSet(false);
     if (isForceReconnect || reconnectStrategy.isReconnectSupported()) {
-      pending.removeIf(Command::isOnReady);
+      pending.removeIf(CommandElement::isOnReady);
       log.debug("re-queued {} pending commands", queue.drain(pending));
       pending.clear();
       long delayMillis = isForceReconnect ? 0 : reconnectStrategy.getReconnectPauseMillis();
@@ -367,7 +367,7 @@ private void scheduleReconnect() {
     }
   }
 
-  private void send(Command command) {
+  private void send(CommandElement command) {
     if (status.get().isClosedOrClosing()) {
       command.completeExceptionally(new IllegalStateException("connection " + status.get().toLowerCase()));
     } else if ((isReady() || threadFactory.isCurrentThreadOnReadyThread()) && pending.offer(command)) {
@@ -388,14 +388,14 @@ private String getPendingStatus() {
     }
   }
 
-  private void writeAndFlushCommand(Command command) {
+  private void writeAndFlushCommand(CommandElement command) {
     if (command != null) {
       ChannelFuture future = channel.writeAndFlush(command.toString());
       future.addListener((ChannelFutureListener) f -> onCommandWrite(command, f));
     }
   }
 
-  private void onCommandWrite(Command command, ChannelFuture future) {
+  private void onCommandWrite(CommandElement command, ChannelFuture future) {
     if (future.isSuccess()) {
       if (isVerbose) {
         log.info("SENT: {}", command);
@@ -410,7 +410,7 @@ private void onCommandWrite(Command command, ChannelFuture future) {
   }
 
   private boolean sendNext() {
-    Command command = queue.poll();
+    CommandElement command = queue.poll();
     if (command != null) {
       send(command);
       return true;
@@ -425,7 +425,7 @@ private void onPrompt() {
       status.set(Status.Readying);
       threadFactory.newThread(createOnReadyRunnable()).start();
     }
-    Command command = pending.pop("@");
+    CommandElement command = pending.pop("@");
     if (command != null) {
       command.complete(null);
     }
@@ -460,7 +460,7 @@ private void onResponse(String msg) {
     } else {
       log.debug("RCVD: {}", msg);
     }
-    Command command = pending.pop(msg);
+    CommandElement command = pending.pop(msg);
     if (command != null) {
       command.complete(msg);
     } else {
@@ -519,7 +519,7 @@ private class SocketChannelChannelInitializer extends ChannelInitializer<SocketC
 
     @Override
     protected void initChannel(SocketChannel ch) {
-      String endpoint = NettyAtClientConnection.this.endpoint.get();
+      String endpoint = NettyAtCommandExecutor.this.endpoint.get();
       ChannelPipeline pipeline = ch.pipeline();
       pipeline.addLast(sslContext.newHandler(ch.alloc(), toHost(endpoint), toPort(endpoint)));
       pipeline.addLast(new NettyAtResponseDecoder(maxFrameLength));
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java
new file mode 100644
index 00000000..3a2bbe8c
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java
@@ -0,0 +1,50 @@
+package org.atsign.client.impl.netty;
+
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+
+
+import javax.net.ssl.SSLContext;
+
+import org.atsign.client.impl.AtEndpointSupplier;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtSecondaryNotFoundException;
+import org.atsign.client.impl.netty.NettyAtCommandExecutor.NettyAtCommandExecutorBuilder;
+
+import lombok.Builder;
+
+/**
+ * An implementation that uses a {@link NettyAtCommandExecutor} to connect to the
+ * root / directory server and resolve the endpoint for a specific {@link AtSign}
+ */
+public class NettyAtEndpointSupplier implements AtEndpointSupplier {
+
+  private final AtSign atsign;
+
+  private final NettyAtCommandExecutorBuilder executorBuilder;
+
+  @Builder
+  public NettyAtEndpointSupplier(String rootUrl, AtSign atsign, Long timeoutMillis, SSLContext sslContext) {
+    this.atsign = checkNotNull(atsign, "atSign not set");
+    String hostAndPort = checkNotNull(rootUrl, "rootUrl not set");
+    this.executorBuilder = NettyAtCommandExecutor.builder()
+        .endpoint(() -> hostAndPort)
+        .timeoutMillis(timeoutMillis)
+        .sslContext(sslContext);
+  }
+
+  @Override
+  public String get() throws AtSecondaryNotFoundException {
+    try (NettyAtCommandExecutor executor = executorBuilder.build()) {
+      return checkNotBlank(executor.sendSync(atsign.withoutPrefix()));
+    } catch (Exception e) {
+      throw new AtSecondaryNotFoundException("unable to resolve the endpoint for " + atsign, e);
+    }
+  }
+
+  private static String checkNotBlank(String s) throws AtSecondaryNotFoundException {
+    if (s == null || s.isBlank() || "null".equals(s)) {
+      throw new AtSecondaryNotFoundException("unable to resolve the endpoint");
+    }
+    return s;
+  }
+}
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java
similarity index 98%
rename from at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java
rename to at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java
index 3df0f960..51c62c24 100644
--- a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtResponseDecoder.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import java.util.List;
 
diff --git a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
similarity index 97%
rename from at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java
rename to at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
index b1414925..741fd4e6 100644
--- a/at_client/src/main/java/org/atsign/client/connection/netty/NettyAtThreadFactory.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import io.netty.util.concurrent.DefaultThreadFactory;
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/package-info.java b/at_client/src/main/java/org/atsign/client/impl/package-info.java
new file mode 100644
index 00000000..6c861e9b
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * Default implementations of the interfaces in {@link org.atsign.client.api}.
+ */
+package org.atsign.client.impl;
diff --git a/at_client/src/main/java/org/atsign/client/util/ByteUtil.java b/at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java
similarity index 91%
rename from at_client/src/main/java/org/atsign/client/util/ByteUtil.java
rename to at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java
index b5f5e74d..fd44877b 100644
--- a/at_client/src/main/java/org/atsign/client/util/ByteUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java
@@ -1,4 +1,4 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.util;
 
 import lombok.extern.slf4j.Slf4j;
 
@@ -8,7 +8,7 @@
  * Utility class with "no throw" methods for converting between byte arrays and Strings
  */
 @Slf4j
-public class ByteUtil {
+public class ByteUtils {
   public static String convert(byte[] data) {
     try {
       return new String(data, StandardCharsets.UTF_8);
diff --git a/at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java b/at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java
similarity index 97%
rename from at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java
rename to at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java
index fa41f68a..f8c18405 100644
--- a/at_client/src/main/java/org/atsign/client/util/EncryptionUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java
@@ -1,4 +1,4 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.util;
 
 import java.nio.charset.StandardCharsets;
 import java.security.*;
@@ -12,15 +12,15 @@
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
-import org.atsign.common.exceptions.AtDecryptionException;
-import org.atsign.common.exceptions.AtEncryptionException;
+import org.atsign.client.impl.exceptions.AtDecryptionException;
+import org.atsign.client.impl.exceptions.AtEncryptionException;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 /**
  * Utility class which registers bouncycastle as a security {@link Provider} and provides
  * static methods for the various encryption functions required by Atsign client APIs
  */
-public class EncryptionUtil {
+public class EncryptionUtils {
 
   public static final String SIGNING_ALGO_RSA = "rsa2048";
   public static final String HASHING_ALGO_SHA256 = "sha256";
diff --git a/at_client/src/main/java/org/atsign/common/Json.java b/at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java
similarity index 96%
rename from at_client/src/main/java/org/atsign/common/Json.java
rename to at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java
index 658e83ad..0babacbe 100644
--- a/at_client/src/main/java/org/atsign/common/Json.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.impl.util;
 
 import java.io.IOException;
 import java.time.OffsetDateTime;
@@ -16,7 +16,7 @@
 /**
  * Utility class for JSON encoding / decoding
  */
-public class Json {
+public class JsonUtils {
 
   public static final ObjectMapper MAPPER = objectMapper(false);
 
diff --git a/at_client/src/main/java/org/atsign/client/util/KeysUtil.java b/at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java
similarity index 93%
rename from at_client/src/main/java/org/atsign/client/util/KeysUtil.java
rename to at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java
index b5a1bd8d..3daa1ac2 100644
--- a/at_client/src/main/java/org/atsign/client/util/KeysUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java
@@ -1,9 +1,9 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.util;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.atsign.client.util.EncryptionUtil.aesDecryptFromBase64;
-import static org.atsign.client.util.EncryptionUtil.aesEncryptToBase64;
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.impl.util.EncryptionUtils.aesDecryptFromBase64;
+import static org.atsign.client.impl.util.EncryptionUtils.aesEncryptToBase64;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
 
 import java.io.File;
 import java.io.IOException;
@@ -15,23 +15,24 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import lombok.extern.slf4j.Slf4j;
 import org.atsign.client.api.AtKeys;
-import org.atsign.common.AtSign;
-import org.atsign.common.Json;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.common.TypedString;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.atsign.common.exceptions.AtDecryptionException;
+import org.atsign.client.impl.exceptions.AtDecryptionException;
 
 /**
  * Utility class for loading a saving {@link AtKeys} from the file system
  */
 @Slf4j
-public class KeysUtil {
+public class KeysUtils {
 
   static private final String EMPTY_IV = Base64.getEncoder().encodeToString(new byte[16]);
 
-  private static final ObjectMapper MAPPER = Json.MAPPER;
+  private static final ObjectMapper MAPPER = JsonUtils.MAPPER;
 
   private static final TypeReference<Map<String, String>> STRING_MAP_TYPE = new TypeReference<>() {};
 
diff --git a/at_client/src/main/java/org/atsign/client/util/StringUtil.java b/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
similarity index 79%
rename from at_client/src/main/java/org/atsign/client/util/StringUtil.java
rename to at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
index f57df034..94434ff8 100644
--- a/at_client/src/main/java/org/atsign/client/util/StringUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
@@ -1,9 +1,9 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.util;
 
 /**
  * Utility class with static methods for common String operations
  */
-public class StringUtil {
+public class StringUtils {
 
   public static boolean isBlank(String s) {
     return s == null || s.isBlank();
diff --git a/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java b/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java
deleted file mode 100644
index f77016d4..00000000
--- a/at_client/src/main/java/org/atsign/common/options/GetRequestOptions.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package org.atsign.common.options;
-
-
-import lombok.Builder;
-import lombok.Value;
-
-/**
- * Data class used to model options to the {@link org.atsign.client.api.AtClient} get methods
- */
-@Value
-@Builder
-public class GetRequestOptions {
-  boolean bypassCache;
-}
diff --git a/at_client/src/test/java/org/atsign/client/api/AtKeyNamesTest.java b/at_client/src/test/java/org/atsign/client/api/AtKeyNamesTest.java
index 3ff710d8..1cbef612 100644
--- a/at_client/src/test/java/org/atsign/client/api/AtKeyNamesTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/AtKeyNamesTest.java
@@ -3,7 +3,7 @@
 import org.junit.jupiter.api.Test;
 
 import static org.atsign.client.api.AtKeyNames.*;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 
diff --git a/at_client/src/test/java/org/atsign/client/api/AtKeysTest.java b/at_client/src/test/java/org/atsign/client/api/AtKeysTest.java
index d79af312..f3bf4c33 100644
--- a/at_client/src/test/java/org/atsign/client/api/AtKeysTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/AtKeysTest.java
@@ -1,6 +1,6 @@
 package org.atsign.client.api;
 
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.nullValue;
diff --git a/at_client/src/test/java/org/atsign/common/AtSignTest.java b/at_client/src/test/java/org/atsign/client/api/AtSignTest.java
similarity index 96%
rename from at_client/src/test/java/org/atsign/common/AtSignTest.java
rename to at_client/src/test/java/org/atsign/client/api/AtSignTest.java
index 4fc0edab..109396e8 100644
--- a/at_client/src/test/java/org/atsign/common/AtSignTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/AtSignTest.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.api;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
diff --git a/at_client/src/test/java/org/atsign/common/KeysTest.java b/at_client/src/test/java/org/atsign/client/api/KeysTest.java
similarity index 99%
rename from at_client/src/test/java/org/atsign/common/KeysTest.java
rename to at_client/src/test/java/org/atsign/client/api/KeysTest.java
index d1263354..4a68a042 100644
--- a/at_client/src/test/java/org/atsign/common/KeysTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/KeysTest.java
@@ -1,6 +1,6 @@
-package org.atsign.common;
+package org.atsign.client.api;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git a/at_client/src/test/java/org/atsign/common/MetadataTest.java b/at_client/src/test/java/org/atsign/client/api/MetadataTest.java
similarity index 99%
rename from at_client/src/test/java/org/atsign/common/MetadataTest.java
rename to at_client/src/test/java/org/atsign/client/api/MetadataTest.java
index 3fe98762..ed164c89 100644
--- a/at_client/src/test/java/org/atsign/common/MetadataTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/MetadataTest.java
@@ -1,4 +1,4 @@
-package org.atsign.common;
+package org.atsign.client.api;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import org.junit.jupiter.api.Test;
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java b/at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java
deleted file mode 100644
index 9754ad9c..00000000
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/ErrorTest.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.atsign.client.connection.protocol;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import org.atsign.common.AtException;
-import org.atsign.common.exceptions.AtUnauthenticatedException;
-import org.junit.jupiter.api.Test;
-
-class ErrorTest {
-
-  @Test
-  public void testError() {
-    assertThat(Error.matchError("error:fail"), is("fail"));
-    assertThat(Error.matchError("error:some reason"), is("some reason"));
-    assertThat(Error.matchError("error:AT0401:an error message"), is("AT0401:an error message"));
-  }
-
-  @Test
-  public void testThrowExceptionIfErrorDoesNothingIfNoError() throws AtException {
-    Error.throwExceptionIfError("data:success");
-    Error.throwExceptionIfError("");
-  }
-
-  @Test
-  public void testThrowExceptionIfErrorThrowsTypedException() {
-    Exception ex = assertThrows(Exception.class, () -> Error.throwExceptionIfError("error:AT0401:an error message"));
-    assertThat(ex, instanceOf(AtUnauthenticatedException.class));
-    assertThat(ex.getMessage(), containsString("an error message"));
-  }
-
-  @Test
-  public void testThrowExceptionIfErrorThrowsExceptionIfNull() {
-    Exception ex = assertThrows(Exception.class, () -> Error.throwExceptionIfError(null));
-    assertThat(ex, instanceOf(IllegalArgumentException.class));
-  }
-
-}
diff --git a/at_client/src/test/java/org/atsign/client/cli/ActivateIT.java b/at_client/src/test/java/org/atsign/client/impl/cli/ActivateIT.java
similarity index 98%
rename from at_client/src/test/java/org/atsign/client/cli/ActivateIT.java
rename to at_client/src/test/java/org/atsign/client/impl/cli/ActivateIT.java
index 2954a0bb..2f9609fc 100644
--- a/at_client/src/test/java/org/atsign/client/cli/ActivateIT.java
+++ b/at_client/src/test/java/org/atsign/client/impl/cli/ActivateIT.java
@@ -1,4 +1,4 @@
-package org.atsign.client.cli;
+package org.atsign.client.impl.cli;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.awaitility.Awaitility.await;
@@ -20,7 +20,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.atsign.client.util.KeysUtil;
+import org.atsign.client.impl.util.KeysUtils;
 import org.atsign.cucumber.helpers.AtDemoData;
 import org.atsign.cucumber.helpers.Helpers;
 import org.atsign.virtualenv.VirtualEnv;
@@ -204,7 +204,7 @@ public void testOnboardEnrollRevoke() throws IOException {
   private String getEnrollmentIdWhenAvailable(File keys) {
     try {
       if (keys.exists()) {
-        return KeysUtil.loadKeys(keys).getEnrollmentId().toString();
+        return KeysUtils.loadKeys(keys).getEnrollmentId().toString();
       }
     } catch (Exception e) {
     }
diff --git a/at_client/src/test/java/org/atsign/common/ConfigReaderTest.java b/at_client/src/test/java/org/atsign/client/impl/cli/register/ConfigReaderTest.java
similarity index 94%
rename from at_client/src/test/java/org/atsign/common/ConfigReaderTest.java
rename to at_client/src/test/java/org/atsign/client/impl/cli/register/ConfigReaderTest.java
index 6ad21c26..436d0842 100644
--- a/at_client/src/test/java/org/atsign/common/ConfigReaderTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/cli/register/ConfigReaderTest.java
@@ -1,8 +1,7 @@
-package org.atsign.common;
+package org.atsign.client.impl.cli.register;
 
 import java.io.IOException;
 
-import org.atsign.config.ConfigReader;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/AtExceptionsTest.java
similarity index 80%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/AtExceptionsTest.java
index dc49556a..274b0575 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/AtExceptionsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/AtExceptionsTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
@@ -9,12 +9,9 @@
 import java.util.concurrent.ExecutionException;
 import java.util.function.Consumer;
 
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.protocol.AtExceptions.AtClientConnectionCommand;
-import org.atsign.common.AtException;
-import org.atsign.common.exceptions.*;
-import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.commands.AtExceptions.AtClientConnectionCommand;
+import org.atsign.client.impl.exceptions.*;
 import org.junit.jupiter.api.Test;
 
 public class AtExceptionsTest {
@@ -136,38 +133,38 @@ public void testUnknownCodeReturnsNewErrorCodeException() {
 
   @Test
   public void testThrowOnReadyExceptionWrapsAtException() {
-    AtClientConnectionCommand command = connection -> {
+    AtClientConnectionCommand command = executor -> {
       throw new AtUnauthorizedException("deliberate");
     };
-    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
-    AtClientConnection connection = mock(AtClientConnection.class);
+    Consumer<AtCommandExecutor> consumer = AtExceptions.throwOnReadyException(command);
+    AtCommandExecutor executor = mock(AtCommandExecutor.class);
 
-    AtOnReadyException ex = assertThrows(AtOnReadyException.class, () -> consumer.accept(connection));
+    AtOnReadyException ex = assertThrows(AtOnReadyException.class, () -> consumer.accept(executor));
     assertThat(ex.getMessage(), containsString("deliberate"));
     assertThat(ex.getCause(), instanceOf(AtUnauthorizedException.class));
   }
 
   @Test
   public void testThrowOnReadyExceptionWrapsExecutionException() {
-    AtClientConnectionCommand command = connection -> {
+    AtClientConnectionCommand command = executor -> {
       throw new ExecutionException(new RuntimeException("deliberate"));
     };
-    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
-    AtClientConnection connection = mock(AtClientConnection.class);
+    Consumer<AtCommandExecutor> consumer = AtExceptions.throwOnReadyException(command);
+    AtCommandExecutor executor = mock(AtCommandExecutor.class);
 
-    RuntimeException ex = assertThrows(RuntimeException.class, () -> consumer.accept(connection));
+    RuntimeException ex = assertThrows(RuntimeException.class, () -> consumer.accept(executor));
     assertThat(ex.getCause(), instanceOf(ExecutionException.class));
   }
 
   @Test
   public void testThrowOnReadyExceptionWrapsInterruptedException() {
-    AtClientConnectionCommand command = connection -> {
+    AtClientConnectionCommand command = executor -> {
       throw new InterruptedException("deliberate");
     };
-    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
-    AtClientConnection connection = mock(AtClientConnection.class);
+    Consumer<AtCommandExecutor> consumer = AtExceptions.throwOnReadyException(command);
+    AtCommandExecutor executor = mock(AtCommandExecutor.class);
 
-    RuntimeException ex = assertThrows(RuntimeException.class, () -> consumer.accept(connection));
+    RuntimeException ex = assertThrows(RuntimeException.class, () -> consumer.accept(executor));
     assertThat(ex.getCause(), instanceOf(InterruptedException.class));
   }
 
@@ -175,11 +172,11 @@ public void testThrowOnReadyExceptionWrapsInterruptedException() {
   public void testThrowOnReadyExceptionInvokesWrappedCommand()
       throws AtException, ExecutionException, InterruptedException {
     AtClientConnectionCommand command = mock(AtClientConnectionCommand.class);
-    Consumer<AtClientConnection> consumer = AtExceptions.throwOnReadyException(command);
-    AtClientConnection connection = mock(AtClientConnection.class);
+    Consumer<AtCommandExecutor> consumer = AtExceptions.throwOnReadyException(command);
+    AtCommandExecutor executor = mock(AtCommandExecutor.class);
 
-    consumer.accept(connection);
+    consumer.accept(executor);
 
-    verify(command).run(connection);
+    verify(command).run(executor);
   }
 }
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/AuthenticationCommandsTest.java
similarity index 58%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/AuthenticationCommandsTest.java
index f0ebd1cf..84821f14 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/AuthenticationTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/AuthenticationCommandsTest.java
@@ -1,87 +1,90 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.impl.util.EncryptionUtils.generateRSAKeyPair;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.exceptions.AtOnReadyException;
-import org.atsign.common.exceptions.AtUnauthenticatedException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtOnReadyException;
+import org.atsign.client.impl.exceptions.AtUnauthenticatedException;
 import org.junit.jupiter.api.Test;
 
-public class AuthenticationTest {
+public class AuthenticationCommandsTest {
 
   @Test
   public void testAuthenticateWithCramDoesNotThrowException() throws Exception {
-    AtClientConnection conn = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("cram:7e91508d5.+", "data:success")
         .build();
 
-    Authentication.authenticateWithCram(conn, createAtSign("@alice"), "secret");
+    AuthenticationCommands.authenticateWithCram(executor, createAtSign("@alice"), "secret");
   }
 
   @Test
   public void testAuthenticateWithCramFailThrowsExpectedException() throws Exception {
-    AtClientConnection conn = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("cram:.+", "error:AT0401:deliberate")
         .build();
 
     Exception ex = assertThrows(AtUnauthenticatedException.class,
-                                () -> Authentication.authenticateWithCram(conn, createAtSign("@alice"), "secret"));
+                                () -> AuthenticationCommands.authenticateWithCram(executor, createAtSign("@alice"),
+                                                                                  "secret"));
     assertThat(ex.getMessage(), containsString("deliberate"));
   }
 
   @Test
   public void testAuthenticateWithPkamDoesNotThrowException() throws Exception {
     AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).build();
-    AtClientConnection conn = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("pkam:[^{].+", "data:success")
         .build();
 
-    Authentication.authenticateWithPkam(conn, createAtSign("@alice"), keys);
+    AuthenticationCommands.authenticateWithPkam(executor, createAtSign("@alice"), keys);
   }
 
   @Test
   public void testAuthenticateWithApkamWithEnrollmentId() throws Exception {
     AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).enrollmentId(createEnrollmentId("12345")).build();
-    AtClientConnection conn = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("pkam:signingAlgo:rsa2048:hashingAlgo:sha256:enrollmentId:12345:.+", "data:success")
         .build();
 
-    Authentication.authenticateWithPkam(conn, createAtSign("@alice"), keys);
+    AuthenticationCommands.authenticateWithPkam(executor, createAtSign("@alice"), keys);
   }
 
   @Test
   public void testAuthenticateWithApkamFailThrowsExpectedException() throws Exception {
     AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).enrollmentId(createEnrollmentId("12345")).build();
-    AtClientConnection conn = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("pkam:.+", "error:AT0401:deliberate")
         .build();
 
     Exception ex = assertThrows(AtUnauthenticatedException.class,
-                                () -> Authentication.authenticateWithPkam(conn, createAtSign("@alice"), keys));
+                                () -> AuthenticationCommands.authenticateWithPkam(executor, createAtSign("@alice"),
+                                                                                  keys));
     assertThat(ex.getMessage(), containsString("deliberate"));
   }
 
   @Test
   public void testPkamAuthenticatorThrowsOnReadyException() throws Exception {
     AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).enrollmentId(createEnrollmentId("12345")).build();
-    AtClientConnection conn = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("pkam:.+", "error:AT0401:deliberate")
         .build();
 
     Exception ex = assertThrows(Exception.class,
-                                () -> Authentication.pkamAuthenticator(createAtSign("@alice"), keys).accept(conn));
+                                () -> AuthenticationCommands.pkamAuthenticator(createAtSign("@alice"), keys)
+                                    .accept(executor));
     assertThat(ex, instanceOf(AtOnReadyException.class));
     assertThat(ex.getMessage(), containsString("deliberate"));
   }
@@ -89,6 +92,6 @@ public void testPkamAuthenticatorThrowsOnReadyException() throws Exception {
   @Test
   public void testBytesToHex() throws Exception {
     byte[] bytes = new byte[] {(byte) 0x00, (byte) 0x0f, (byte) 0xff};
-    assertThat(Authentication.bytesToHex(bytes), is("000fff"));
+    assertThat(AuthenticationCommands.bytesToHex(bytes), is("000fff"));
   }
 }
diff --git a/at_client/src/test/java/org/atsign/common/VerbBuildersTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java
similarity index 73%
rename from at_client/src/test/java/org/atsign/common/VerbBuildersTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java
index 1a683003..633a7db9 100644
--- a/at_client/src/test/java/org/atsign/common/VerbBuildersTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java
@@ -1,8 +1,8 @@
-package org.atsign.common;
+package org.atsign.client.impl.commands;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -13,25 +13,27 @@
 import java.util.concurrent.TimeUnit;
 
 import org.atsign.client.api.AtKeyNames;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.VerbBuilders.EnrollOperation;
-import org.atsign.common.VerbBuilders.LookupOperation;
-import org.atsign.common.VerbBuilders.NotifyOperation;
-import org.atsign.common.VerbBuilders.UpdateCommandBuilder;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.commands.CommandBuilders.EnrollOperation;
+import org.atsign.client.impl.commands.CommandBuilders.LookupOperation;
+import org.atsign.client.impl.commands.CommandBuilders.NotifyOperation;
+import org.atsign.client.impl.commands.CommandBuilders.UpdateCommandBuilder;
 import org.junit.jupiter.api.Test;
 
-public class VerbBuildersTest {
+public class CommandBuildersTest {
 
   @Test
   public void testFromBuilderGeneratesExpectedOutput() {
 
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.fromCommandBuilder().build());
+                                               () -> CommandBuilders.fromCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("atSign not set"));
 
-    String command = VerbBuilders.fromCommandBuilder()
+    String command = CommandBuilders.fromCommandBuilder()
         .atSign(createAtSign("@bob"))
         .build();
     assertEquals("from:@bob", command);
@@ -41,10 +43,10 @@ public void testFromBuilderGeneratesExpectedOutput() {
   public void testCramBuilderGeneratesExpectedOutput() {
 
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.cramCommandBuilder().build());
+                                               () -> CommandBuilders.cramCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("digest not set"));
 
-    String command = VerbBuilders.cramCommandBuilder()
+    String command = CommandBuilders.cramCommandBuilder()
         .digest("digest")
         .build();
     assertEquals("cram:digest", command);
@@ -52,7 +54,7 @@ public void testCramBuilderGeneratesExpectedOutput() {
 
   @Test
   public void testPolBuilderGeneratesExpectedOutput() {
-    String command = VerbBuilders.polCommandBuilder().build();
+    String command = CommandBuilders.polCommandBuilder().build();
     assertEquals("pol", command);
   }
 
@@ -60,10 +62,10 @@ public void testPolBuilderGeneratesExpectedOutput() {
   public void testPkamBuilderGeneratesExpectedOutput() {
 
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.pkamCommandBuilder().build());
+                                               () -> CommandBuilders.pkamCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("digest not set"));
 
-    String command = VerbBuilders.pkamCommandBuilder()
+    String command = CommandBuilders.pkamCommandBuilder()
         .digest("digest")
         .build();
     assertEquals("pkam:digest", command);
@@ -73,21 +75,21 @@ public void testPkamBuilderGeneratesExpectedOutput() {
   public void testPkamBuilderGeneratesExpectedOutputWhenEnrollmentIdIsSet() {
 
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.pkamCommandBuilder()
+                                               () -> CommandBuilders.pkamCommandBuilder()
                                                    .digest("digest")
                                                    .enrollmentId(createEnrollmentId("12345-6789"))
                                                    .signingAlgo("RSA")
                                                    .build());
     assertThat(ex.getMessage(), containsString("hashingAlgo not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.pkamCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.pkamCommandBuilder()
         .digest("digest")
         .enrollmentId(createEnrollmentId("12345-6789"))
         .hashingAlgo("SHA")
         .build());
     assertThat(ex.getMessage(), containsString("signingAlgo not set"));
 
-    String command = VerbBuilders.pkamCommandBuilder()
+    String command = CommandBuilders.pkamCommandBuilder()
         .digest("digest")
         .enrollmentId(createEnrollmentId("12345-6789"))
         .signingAlgo("RSA")
@@ -100,121 +102,122 @@ public void testPkamBuilderGeneratesExpectedOutputWhenEnrollmentIdIsSet() {
   public void testUpdateBuilderThrowsExceptionsWhenMandatoryFieldsAreNotSet() {
 
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.updateCommandBuilder().build());
+                                               () -> CommandBuilders.updateCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("keyName not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.updateCommandBuilder().keyName("test").build());
+                      () -> CommandBuilders.updateCommandBuilder().keyName("test").build());
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.updateCommandBuilder().keyName("test").sharedBy(createAtSign("fred")).build());
+                      () -> CommandBuilders.updateCommandBuilder().keyName("test").sharedBy(createAtSign("fred"))
+                          .build());
     assertThat(ex.getMessage(), containsString("value not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.updateCommandBuilder().isPublic(true).rawKey("@colin:key1@fred").build());
+                      () -> CommandBuilders.updateCommandBuilder().isPublic(true).rawKey("@colin:key1@fred").build());
     assertThat(ex.getMessage(), containsString("both rawKeys and isHidden, isPublic isCached set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.updateCommandBuilder().keyName("test").rawKey("@colin:key1@fred").build());
+                      () -> CommandBuilders.updateCommandBuilder().keyName("test").rawKey("@colin:key1@fred").build());
     assertThat(ex.getMessage(), containsString("both rawKeys and key fields set"));
   }
 
   @Test
   public void testUpdateBuilderMetadataSettersOverrideKeyMetadata() {
     PublicKey key = Keys.publicKeyBuilder().sharedBy(createAtSign("fred")).name("test").build();
-    UpdateCommandBuilder builder = VerbBuilders.updateCommandBuilder().key(key).value("x");
+    UpdateCommandBuilder builder = CommandBuilders.updateCommandBuilder().key(key).value("x");
 
-    builder = VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).value("x");
+    builder = CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).value("x");
     assertThat(builder.isPublic(true).build(),
                equalTo("update:public:test@fred x"));
     assertThat(builder.isPublic(false).build(),
                equalTo("update:test@fred x"));
 
-    builder = VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).value("x");
+    builder = CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).value("x");
     assertThat(builder.isHidden(true).build(),
                equalTo("update:_test@fred x"));
     assertThat(builder.isHidden(false).build(),
                equalTo("update:test@fred x"));
 
-    builder = VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).value("x");
+    builder = CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).value("x");
     assertThat(builder.isCached(true).build(),
                equalTo("update:cached:test@fred x"));
     assertThat(builder.isCached(false).build(),
                equalTo("update:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.ttl(SECONDS.toMillis(1)).build(),
                equalTo("update:ttl:1000:public:test@fred x"));
     assertThat(builder.ttl(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.ttb(SECONDS.toMillis(2)).build(),
                equalTo("update:ttb:2000:public:test@fred x"));
     assertThat(builder.ttb(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.ttr(SECONDS.toMillis(3)).build(),
                equalTo("update:ttr:3000:public:test@fred x"));
     assertThat(builder.ttr(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.ccd(true).build(),
                equalTo("update:ccd:true:public:test@fred x"));
     assertThat(builder.ccd(false).build(),
                equalTo("update:ccd:false:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.isBinary(true).build(),
                equalTo("update:isBinary:true:public:test@fred x"));
     assertThat(builder.isBinary(false).build(),
                equalTo("update:isBinary:false:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.isEncrypted(true).build(),
                equalTo("update:isEncrypted:true:public:test@fred x"));
     assertThat(builder.isEncrypted(false).build(),
                equalTo("update:isEncrypted:false:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.dataSignature("XYZ").build(),
                equalTo("update:dataSignature:XYZ:public:test@fred x"));
     assertThat(builder.dataSignature(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.sharedKeyEnc("abcdef").build(),
                equalTo("update:sharedKeyEnc:abcdef:public:test@fred x"));
     assertThat(builder.sharedKeyEnc(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.pubKeyCS("xxxx").build(),
                equalTo("update:pubKeyCS:xxxx:public:test@fred x"));
     assertThat(builder.pubKeyCS(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.encoding("en").build(),
                equalTo("update:encoding:en:public:test@fred x"));
     assertThat(builder.encoding(null).build(),
                equalTo("update:public:test@fred x"));
 
     builder =
-        VerbBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
+        CommandBuilders.updateCommandBuilder().keyName(key.name()).sharedBy(key.sharedBy()).isPublic(true).value("x");
     assertThat(builder.ivNonce("abc123op").build(),
                equalTo("update:ivNonce:abc123op:public:test@fred x"));
     assertThat(builder.ivNonce(null).build(),
@@ -229,7 +232,7 @@ public void testUpdateBuilderThrowsExceptionIfMutuallyExclusiveFieldsHaveBeenSet
         .build();
 
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> {
-      VerbBuilders.updateCommandBuilder()
+      CommandBuilders.updateCommandBuilder()
           .key(key)
           .sharedBy(key.sharedBy())
           .ccd(true)
@@ -245,7 +248,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
     String command;
 
     // self key
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@bob"))
         .value("my Value 123")
@@ -253,7 +256,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
     assertEquals("update:test@bob my Value 123", command);
 
     // self key but shared with self
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("bob"))
         .sharedWith(createAtSign("bob"))
@@ -262,7 +265,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
     assertEquals("update:@bob:test@bob My value 123", command);
 
     // public key
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("bob"))
         .isPublic(true)
@@ -271,7 +274,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
     assertEquals("update:public:publickey@bob my Value 123", command);
 
     // cached public key
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("alice"))
         .isPublic(true)
@@ -281,7 +284,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
     assertEquals("update:cached:public:publickey@alice my Value 123", command);
 
     // shared key
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .keyName("sharedkey")
         .sharedBy(createAtSign("@bob"))
         .sharedWith(createAtSign("@alice"))
@@ -297,7 +300,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
         .ttl(TimeUnit.MINUTES.toMillis(10))
         .isBinary(true)
         .build();
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .key(sk1)
         .value("myBinaryValue123456")
         .build();
@@ -309,7 +312,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
         .name("test")
         .isCached(true)
         .build();
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .key(pk1)
         .value("myValue123")
         .build();
@@ -321,7 +324,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
         .name("test")
         .ttl(TimeUnit.MINUTES.toMillis(10))
         .build();
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .key(sk2)
         .value("myValue123")
         .build();
@@ -335,7 +338,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
         .name("test")
         .ttl(TimeUnit.MINUTES.toMillis(10))
         .build();
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .key(sk3)
         .value("myValue123")
         .build();
@@ -352,7 +355,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForPublicKeyWithNamespace()
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.updateCommandBuilder()
+    String command = CommandBuilders.updateCommandBuilder()
         .key(key)
         .value("testvalue")
         .build();
@@ -367,7 +370,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForSelfKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.updateCommandBuilder()
+    String command = CommandBuilders.updateCommandBuilder()
         .key(key)
         .value("testvalue")
         .build();
@@ -383,7 +386,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForSharedKeyWithNamespace()
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.updateCommandBuilder()
+    String command = CommandBuilders.updateCommandBuilder()
         .key(key)
         .value("testvalue")
         .build();
@@ -396,7 +399,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForSharedEncryption() {
     AtSign sharedBy = createAtSign("sharedBy");
     AtSign sharedWith = createAtSign("sharedWith");
 
-    String command = VerbBuilders.updateCommandBuilder()
+    String command = CommandBuilders.updateCommandBuilder()
         .keyName(AtKeyNames.toSharedByMeKeyName(sharedWith))
         .sharedBy(sharedBy)
         .value("XXXX")
@@ -404,7 +407,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForSharedEncryption() {
 
     assertThat(command, equalTo("update:shared_key.sharedWith@sharedBy XXXX"));
 
-    command = VerbBuilders.updateCommandBuilder()
+    command = CommandBuilders.updateCommandBuilder()
         .keyName(AtKeyNames.SHARED_KEY)
         .sharedBy(sharedBy)
         .sharedWith(sharedWith)
@@ -417,7 +420,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForSharedEncryption() {
 
   @Test
   public void testUpdateBuilderGeneratesExpectedOutputForPublicEncyrptionKey() {
-    String command = VerbBuilders.updateCommandBuilder()
+    String command = CommandBuilders.updateCommandBuilder()
         .sharedBy(createAtSign("fred"))
         .keyName(AtKeyNames.PUBLIC_ENCRYPT)
         .isPublic(true)
@@ -431,14 +434,14 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     String command;
 
     // Type.NONE self key
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .build();
     assertEquals("llookup:test@alice", command);
 
     // Type.METADATA self key
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .operation(LookupOperation.meta)
@@ -446,7 +449,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     assertEquals("llookup:meta:test@alice", command);
 
     // hidden self key, meta
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .operation(LookupOperation.meta)
@@ -455,7 +458,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     assertEquals("llookup:meta:_test@alice", command);
 
     // Type.ALL public cached key
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("@alice"))
         .isCached(true)
@@ -466,28 +469,28 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
 
     // no key name
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.llookupCommandBuilder()
+                                               () -> CommandBuilders.llookupCommandBuilder()
                                                    .sharedBy(createAtSign("@alice")).build());
     assertThat(ex.getMessage(), containsString("keyName not set"));
 
     // no shared by
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.llookupCommandBuilder().keyName("test").build());
+                      () -> CommandBuilders.llookupCommandBuilder().keyName("test").build());
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.llookupCommandBuilder().keyName("test").rawKey("public:publickey@alice")
+                      () -> CommandBuilders.llookupCommandBuilder().keyName("test").rawKey("public:publickey@alice")
                           .build());
     assertThat(ex.getMessage(), containsString("both rawKey and key fields are set"));
 
     // with public key
     PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name("publickey").build();
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .key(pk)
         .operation(LookupOperation.meta)
         .build();
     assertEquals("llookup:meta:public:publickey@bob", command);
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .rawKey("public:publickey@bob")
         .operation(LookupOperation.meta)
         .build();
@@ -499,7 +502,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
         .sharedWith(new AtSign("@alice"))
         .name("sharedkey")
         .build();
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .key(sk)
         .operation(LookupOperation.none)
         .build();
@@ -507,7 +510,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
 
     // with self key
     SelfKey selfKey1 = Keys.selfKeyBuilder().sharedBy(new AtSign("@bob")).name("test").build();
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .key(selfKey1)
         .operation(LookupOperation.all)
         .build(); // "llookup:all:test@bob"
@@ -516,7 +519,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     // with self key (shared with self)
     AtSign as = new AtSign("@bob");
     SelfKey selfKey2 = Keys.selfKeyBuilder().sharedBy(as).sharedWith(as).name("test").build();
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .key(selfKey2)
         .operation(LookupOperation.all)
         .build();
@@ -528,7 +531,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
         .name("publickey")
         .isCached(true)
         .build();
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .key(pk2)
         .operation(LookupOperation.all)
         .build();
@@ -541,7 +544,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
         .name("sharedkey")
         .isCached(true)
         .build();
-    command = VerbBuilders.llookupCommandBuilder()
+    command = CommandBuilders.llookupCommandBuilder()
         .key(sk2)
         .operation(LookupOperation.none)
         .build();
@@ -558,7 +561,7 @@ public void testLlookupBuilderGeneratesExpectedOutputForPublicKeyWithNamespace()
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.llookupCommandBuilder()
+    String command = CommandBuilders.llookupCommandBuilder()
         .key(key)
         .operation(LookupOperation.meta)
         .build();
@@ -572,7 +575,7 @@ public void testLlookupBuilderGeneratesExpectedOutputForSelfKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.llookupCommandBuilder()
+    String command = CommandBuilders.llookupCommandBuilder()
         .key(key)
         .operation(LookupOperation.meta)
         .build();
@@ -586,7 +589,7 @@ public void testLlookupBuilderGeneratesExpectedOutputForSharedKeyWithNamespace()
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.llookupCommandBuilder()
+    String command = CommandBuilders.llookupCommandBuilder()
         .key(key)
         .operation(LookupOperation.meta)
         .build();
@@ -598,18 +601,18 @@ public void lookupVerbBuilderTest() {
     String command;
 
     // Type.NONE
-    command = VerbBuilders.lookupCommandBuilder()
+    command = CommandBuilders.lookupCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .build();
     assertEquals("lookup:test@alice", command);
-    command = VerbBuilders.lookupCommandBuilder()
+    command = CommandBuilders.lookupCommandBuilder()
         .rawKey("test@alice")
         .build();
     assertEquals("lookup:test@alice", command);
 
     // Type.METADATA
-    command = VerbBuilders.lookupCommandBuilder()
+    command = CommandBuilders.lookupCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .operation(LookupOperation.meta)
@@ -617,7 +620,7 @@ public void lookupVerbBuilderTest() {
     assertEquals("lookup:meta:test@alice", command);
 
     // Type.ALL
-    command = VerbBuilders.lookupCommandBuilder()
+    command = CommandBuilders.lookupCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .operation(LookupOperation.all)
@@ -627,12 +630,12 @@ public void lookupVerbBuilderTest() {
     // no key name
     IllegalArgumentException ex =
         assertThrows(IllegalArgumentException.class,
-                     () -> VerbBuilders.lookupCommandBuilder().sharedBy(createAtSign("@alice")).build());
+                     () -> CommandBuilders.lookupCommandBuilder().sharedBy(createAtSign("@alice")).build());
     assertThat(ex.getMessage(), containsString("keyName not set"));
 
     // no sharedBy
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.lookupCommandBuilder().keyName("test").build());
+                      () -> CommandBuilders.lookupCommandBuilder().keyName("test").build());
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     // with shared key
@@ -640,7 +643,7 @@ public void lookupVerbBuilderTest() {
         .sharedWith(new AtSign("@sharedwith"))
         .name("test")
         .build();
-    command = VerbBuilders.lookupCommandBuilder()
+    command = CommandBuilders.lookupCommandBuilder()
         .key(sk)
         .operation(LookupOperation.meta)
         .build();
@@ -654,7 +657,7 @@ public void testLookupVerbBuilderForSharedKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.lookupCommandBuilder()
+    String command = CommandBuilders.lookupCommandBuilder()
         .key(key)
         .operation(LookupOperation.meta)
         .build();
@@ -666,18 +669,18 @@ public void plookupVerbBuilderTest() {
     String command;
 
     // Type.NONE
-    command = VerbBuilders.plookupCommandBuilder()
+    command = CommandBuilders.plookupCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("@alice"))
         .build(); // "plookup:publickey@alice"
     assertEquals("plookup:publickey@alice", command);
-    command = VerbBuilders.plookupCommandBuilder()
+    command = CommandBuilders.plookupCommandBuilder()
         .rawKey("publickey@alice")
         .build(); // "plookup:publickey@alice"
     assertEquals("plookup:publickey@alice", command);
 
     // Type.METADATA
-    command = VerbBuilders.plookupCommandBuilder()
+    command = CommandBuilders.plookupCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("@alice"))
         .operation(LookupOperation.meta)
@@ -685,7 +688,7 @@ public void plookupVerbBuilderTest() {
     assertEquals("plookup:meta:publickey@alice", command);
 
     // Type.ALL
-    command = VerbBuilders.plookupCommandBuilder()
+    command = CommandBuilders.plookupCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("@alice"))
         .operation(LookupOperation.all)
@@ -695,26 +698,26 @@ public void plookupVerbBuilderTest() {
     // no key
     IllegalArgumentException ex =
         assertThrows(IllegalArgumentException.class,
-                     () -> VerbBuilders.plookupCommandBuilder().sharedBy(createAtSign("@alice"))
+                     () -> CommandBuilders.plookupCommandBuilder().sharedBy(createAtSign("@alice"))
                          .operation(LookupOperation.all)
                          .build());
     assertThat(ex.getMessage(), containsString("keyName not set"));
     // no shared by
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.plookupCommandBuilder().keyName("publickey").operation(LookupOperation.all)
+                      () -> CommandBuilders.plookupCommandBuilder().keyName("publickey").operation(LookupOperation.all)
                           .build());
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     // with
     PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name("publickey").build();
-    command = VerbBuilders.plookupCommandBuilder()
+    command = CommandBuilders.plookupCommandBuilder()
         .key(pk)
         .operation(LookupOperation.all)
         .build();
     assertEquals("plookup:all:publickey@bob", command);
 
     // bypasscache true
-    command = VerbBuilders.plookupCommandBuilder()
+    command = CommandBuilders.plookupCommandBuilder()
         .keyName("publickey")
         .sharedBy(createAtSign("@alice"))
         .bypassCache(true)
@@ -730,7 +733,7 @@ public void testPlookupVerbBuilderForPublicKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.plookupCommandBuilder()
+    String command = CommandBuilders.plookupCommandBuilder()
         .key(key)
         .operation(LookupOperation.meta)
         .build();
@@ -743,19 +746,19 @@ public void deleteVerbBuilderTest() {
     String command;
 
     // delete a public key
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .isPublic(true)
         .keyName("publickey")
         .sharedBy(createAtSign("@alice"))
         .build();
     assertEquals("delete:public:publickey@alice", command);
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .rawKey("public:publickey@alice")
         .build();
     assertEquals("delete:public:publickey@alice", command);
 
     // delete a cached public key
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .isCached(true)
         .isPublic(true)
         .keyName("publickey")
@@ -764,14 +767,14 @@ public void deleteVerbBuilderTest() {
     assertEquals("delete:cached:public:publickey@bob", command);
 
     // delete a self key
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .build();
     assertEquals("delete:test@alice", command);
 
     // delete a hidden self key
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .isHidden(true)
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
@@ -779,7 +782,7 @@ public void deleteVerbBuilderTest() {
     assertEquals("delete:_test@alice", command);
 
     // delete a shared key
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
         .sharedWith(createAtSign("@bob"))
@@ -787,7 +790,7 @@ public void deleteVerbBuilderTest() {
     assertEquals("delete:@bob:test@alice", command);
 
     // delete a cached shared key
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .isCached(true)
         .keyName("test")
         .sharedBy(createAtSign("@alice"))
@@ -797,7 +800,7 @@ public void deleteVerbBuilderTest() {
 
     // missing key name
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.deleteCommandBuilder()
+                                               () -> CommandBuilders.deleteCommandBuilder()
                                                    .sharedBy(createAtSign("@alice"))
                                                    .sharedWith(createAtSign("@bob"))
                                                    .build());
@@ -805,19 +808,19 @@ public void deleteVerbBuilderTest() {
 
     // missing shared by
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.deleteCommandBuilder().keyName("test").build());
+                      () -> CommandBuilders.deleteCommandBuilder().keyName("test").build());
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     // with self key
     SelfKey selfKey = Keys.selfKeyBuilder().sharedBy(new AtSign("@alice")).name("test").build();
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .key(selfKey)
         .build();
     assertEquals("delete:test@alice", command);
 
     // with public key
     PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name("publickey").build();
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .key(pk)
         .build();
 
@@ -827,7 +830,7 @@ public void deleteVerbBuilderTest() {
         .sharedWith(new AtSign("@bob"))
         .name("test")
         .build();
-    command = VerbBuilders.deleteCommandBuilder()
+    command = CommandBuilders.deleteCommandBuilder()
         .key(sk)
         .build();
     assertEquals("delete:@bob:test@alice", command);
@@ -840,7 +843,7 @@ public void testDeleteVerbBuilderForPublicKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.deleteCommandBuilder()
+    String command = CommandBuilders.deleteCommandBuilder()
         .key(key)
         .build();
     assertThat(command, equalTo("delete:public:test.testns@alice"));
@@ -853,7 +856,7 @@ public void testDeleteVerbBuilderForSelfKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.deleteCommandBuilder()
+    String command = CommandBuilders.deleteCommandBuilder()
         .key(key)
         .build();
     assertThat(command, equalTo("delete:test.testns@alice"));
@@ -866,7 +869,7 @@ public void testDeleteVerbBuilderForSharedKeyWithNamespace() {
         .name("test")
         .namespace("testns")
         .build();
-    String command = VerbBuilders.deleteCommandBuilder()
+    String command = CommandBuilders.deleteCommandBuilder()
         .key(key)
         .build();
     assertThat(command, equalTo("delete:@bob:test.testns@alice"));
@@ -876,49 +879,49 @@ public void testDeleteVerbBuilderForSharedKeyWithNamespace() {
   public void scanVerbBuilderTest() {
 
     // Test not setting any parameters
-    String command = VerbBuilders.scanCommandBuilder().build();
+    String command = CommandBuilders.scanCommandBuilder().build();
     assertEquals("scan", command);
 
     // Test setting just regex
-    command = VerbBuilders.scanCommandBuilder().regex("*.public")
+    command = CommandBuilders.scanCommandBuilder().regex("*.public")
         .build();
     assertEquals("scan *.public", command);
 
     // Test setting just fromAtSign
-    command = VerbBuilders.scanCommandBuilder()
+    command = CommandBuilders.scanCommandBuilder()
         .fromAtSign(createAtSign("@other"))
         .build();
     assertEquals("scan:@other", command);
 
     // Test seting just showHidden
-    command = VerbBuilders.scanCommandBuilder()
+    command = CommandBuilders.scanCommandBuilder()
         .showHidden(true)
         .build();
     assertEquals("scan:showHidden:true", command);
 
     // Test setting regex & fromAtSign
-    command = VerbBuilders.scanCommandBuilder()
+    command = CommandBuilders.scanCommandBuilder()
         .regex("*.public")
         .fromAtSign(createAtSign("@other"))
         .build();
     assertEquals("scan:@other *.public", command);
 
     // Test setting regex & showHidden
-    command = VerbBuilders.scanCommandBuilder()
+    command = CommandBuilders.scanCommandBuilder()
         .regex("*.public")
         .showHidden(true)
         .build();
     assertEquals("scan:showHidden:true *.public", command);
 
     // Test setting fromAtSign & showHidden
-    command = VerbBuilders.scanCommandBuilder()
+    command = CommandBuilders.scanCommandBuilder()
         .fromAtSign(createAtSign("@other"))
         .showHidden(true)
         .build();
     assertEquals("scan:showHidden:true:@other", command);
 
     // Test setting regex & fromAtSign & showHidden
-    command = VerbBuilders.scanCommandBuilder()
+    command = CommandBuilders.scanCommandBuilder()
         .regex("*.public")
         .fromAtSign(createAtSign("@other"))
         .showHidden(true)
@@ -930,15 +933,15 @@ public void scanVerbBuilderTest() {
   public void testNotifyTextBuilderGeneratesTheExpectedOutput() {
     // Test not setting any parameters
     IllegalArgumentException ex =
-        assertThrows(IllegalArgumentException.class, () -> VerbBuilders.notifyTextCommandBuilder().build());
+        assertThrows(IllegalArgumentException.class, () -> CommandBuilders.notifyTextCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("recipient not set"));
 
     // Test not setting the text
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.notifyTextCommandBuilder().recipient(createAtSign("@somebody")).build());
+                      () -> CommandBuilders.notifyTextCommandBuilder().recipient(createAtSign("@somebody")).build());
     assertThat(ex.getMessage(), containsString("text not set"));
 
-    String command = VerbBuilders.notifyTextCommandBuilder()
+    String command = CommandBuilders.notifyTextCommandBuilder()
         .recipient(createAtSign("@test"))
         .text("Hi")
         .build();
@@ -949,7 +952,7 @@ public void testNotifyTextBuilderGeneratesTheExpectedOutput() {
   public void notifyKeyChangeBuilderTest() {
     // Test not setting any parameters
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.notifyKeyChangeCommandBuilder()
+                                               () -> CommandBuilders.notifyKeyChangeCommandBuilder()
                                                    .operation(NotifyOperation.update)
                                                    .sender(createAtSign("sender"))
                                                    .recipient(createAtSign("recipient"))
@@ -957,11 +960,11 @@ public void notifyKeyChangeBuilderTest() {
     assertThat(ex.getMessage(), containsString("key not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.notifyKeyChangeCommandBuilder().key("key").build());
+                      () -> CommandBuilders.notifyKeyChangeCommandBuilder().key("key").build());
     assertThat(ex.getMessage(), containsString("operation not set"));
 
     // Test setting the value when ttr has been set
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.notifyKeyChangeCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.notifyKeyChangeCommandBuilder()
         .operation(NotifyOperation.update)
         .sender(createAtSign("sender"))
         .recipient(createAtSign("recipient"))
@@ -971,7 +974,7 @@ public void notifyKeyChangeBuilderTest() {
     assertThat(ex.getMessage(), containsString("value not set (mandatory when ttr is set)"));
 
     // Test setting invalid ttr
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.notifyKeyChangeCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.notifyKeyChangeCommandBuilder()
         .operation(NotifyOperation.update)
         .sender(createAtSign("sender"))
         .recipient(createAtSign("recipient"))
@@ -981,7 +984,7 @@ public void notifyKeyChangeBuilderTest() {
     assertThat(ex.getMessage(), containsString("ttr < -1"));
 
     // test command
-    String command = VerbBuilders.notifyKeyChangeCommandBuilder()
+    String command = CommandBuilders.notifyKeyChangeCommandBuilder()
         .operation(NotifyOperation.update)
         .sender(createAtSign("sender"))
         .recipient(createAtSign("recipient"))
@@ -990,14 +993,14 @@ public void notifyKeyChangeBuilderTest() {
     assertEquals("notify:update:messageType:key:@recipient:phone@sender", command);
 
     // test command with a fully formed key
-    command = VerbBuilders.notifyKeyChangeCommandBuilder()
+    command = CommandBuilders.notifyKeyChangeCommandBuilder()
         .operation(NotifyOperation.update)
         .key("@recipient:phone@sender")
         .build();
     assertEquals("notify:update:messageType:key:@recipient:phone@sender", command);
 
     // test command when ttr and value are present
-    command = VerbBuilders.notifyKeyChangeCommandBuilder()
+    command = CommandBuilders.notifyKeyChangeCommandBuilder()
         .operation(NotifyOperation.update)
         .key("@recipient:phone@sender")
         .ttr(1000L)
@@ -1011,10 +1014,10 @@ public void notificationStatusVerbBuilderTest() {
 
     // Test not setting any parameters
     IllegalArgumentException ex =
-        assertThrows(IllegalArgumentException.class, () -> VerbBuilders.notifyStatusCommandBuilder().build());
+        assertThrows(IllegalArgumentException.class, () -> CommandBuilders.notifyStatusCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("notificationId not set"));
 
-    String command = VerbBuilders.notifyStatusCommandBuilder()
+    String command = CommandBuilders.notifyStatusCommandBuilder()
         .notificationId("n1234").build();
     assertEquals("notify:status:n1234", command);
   }
@@ -1022,13 +1025,13 @@ public void notificationStatusVerbBuilderTest() {
   @Test
   void testEnrollThrowExceptionIfOperationIsNotSet() {
     IllegalArgumentException ex =
-        assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder().build());
+        assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("operation not set"));
   }
 
   @Test
   void testEnrollListReturnsExpectedCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.list)
         .build();
 
@@ -1037,7 +1040,7 @@ void testEnrollListReturnsExpectedCommand() {
 
   @Test
   void testEnrollListWithStatusProducesCommandWithStatusFilter() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.list)
         .status("pending")
         .build();
@@ -1047,16 +1050,17 @@ void testEnrollListWithStatusProducesCommandWithStatusFilter() {
 
   @Test
   void testEnrollApproveThrowsIfFieldsNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.approve)
-        .encryptPrivateKey("privKey")
-        .encryptPrivateKeyIv("privKeyIv")
-        .selfEncryptKey("selfKey")
-        .selfEncryptKeyIv("selfKeyIv")
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.approve)
+                                                   .encryptPrivateKey("privKey")
+                                                   .encryptPrivateKeyIv("privKeyIv")
+                                                   .selfEncryptKey("selfKey")
+                                                   .selfEncryptKeyIv("selfKeyIv")
+                                                   .build());
     assertThat(ex.getMessage(), containsString("enrollmentId not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.approve)
         .enrollmentId(createEnrollmentId("abc123"))
         .encryptPrivateKeyIv("privKeyIv")
@@ -1065,7 +1069,7 @@ void testEnrollApproveThrowsIfFieldsNotSet() {
         .build());
     assertThat(ex.getMessage(), containsString("encryptPrivateKey not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.approve)
         .enrollmentId(createEnrollmentId("abc123"))
         .encryptPrivateKey("privKey")
@@ -1075,7 +1079,7 @@ void testEnrollApproveThrowsIfFieldsNotSet() {
 
     assertThat(ex.getMessage(), containsString("encryptPrivateKeyIv not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.approve)
         .enrollmentId(createEnrollmentId("abc123"))
         .encryptPrivateKey("privKey")
@@ -1085,7 +1089,7 @@ void testEnrollApproveThrowsIfFieldsNotSet() {
 
     assertThat(ex.getMessage(), containsString("selfEncryptKey not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.approve)
         .enrollmentId(createEnrollmentId("abc123"))
         .encryptPrivateKey("privKey")
@@ -1099,7 +1103,7 @@ void testEnrollApproveThrowsIfFieldsNotSet() {
 
   @Test
   void testEnrollApproveWithAllRequiredParamsReturnsExpectedCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.approve)
         .enrollmentId(createEnrollmentId("abc123"))
         .encryptPrivateKey("privKey")
@@ -1119,16 +1123,17 @@ void testEnrollApproveWithAllRequiredParamsReturnsExpectedCommand() {
 
   @Test
   void testEnrollFetchThrowsExpectedExceptionWhenFieldsAreNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.fetch)
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.fetch)
+                                                   .build());
 
     assertThat(ex.getMessage(), containsString("enrollmentId not set"));
   }
 
   @Test
   void testEnrollFetchWithEnrollmentIdReturnsExpectedCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.fetch)
         .enrollmentId(createEnrollmentId("abc123"))
         .build();
@@ -1138,16 +1143,17 @@ void testEnrollFetchWithEnrollmentIdReturnsExpectedCommand() {
 
   @Test
   void testEnrollDenyThrowExceptionIfEnrollmentIdIsNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.deny)
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.deny)
+                                                   .build());
 
     assertThat(ex.getMessage(), containsString("enrollmentId not set"));
   }
 
   @Test
   void testEnrollDenyWithEnrollmentIdProducesCorrectCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.deny)
         .enrollmentId(createEnrollmentId("abc123"))
         .build();
@@ -1157,16 +1163,17 @@ void testEnrollDenyWithEnrollmentIdProducesCorrectCommand() {
 
   @Test
   void testEnrollRevokeThrowExceptionIfEnrollmentIdIsNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.revoke)
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.revoke)
+                                                   .build());
 
     assertThat(ex.getMessage(), containsString("enrollmentId not set"));
   }
 
   @Test
   void testEnrollRevokeWithEnrollmentIdProducesCorrectCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.revoke)
         .enrollmentId(createEnrollmentId("abc123"))
         .build();
@@ -1176,16 +1183,17 @@ void testEnrollRevokeWithEnrollmentIdProducesCorrectCommand() {
 
   @Test
   void testEnrollUnrevokeThrowExceptionIfEnrollmentIdIsNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.unrevoke)
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.unrevoke)
+                                                   .build());
 
     assertThat(ex.getMessage(), containsString("enrollmentId not set"));
   }
 
   @Test
   void testEnrollUnrevokeWithEnrollmentIdProducesCorrectCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.unrevoke)
         .enrollmentId(createEnrollmentId("abc123"))
         .build();
@@ -1195,16 +1203,17 @@ void testEnrollUnrevokeWithEnrollmentIdProducesCorrectCommand() {
 
   @Test
   void testEnrollDeleteThrowExceptionIfEnrollmentIdIsNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.delete)
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.delete)
+                                                   .build());
 
     assertThat(ex.getMessage(), containsString("enrollmentId not set"));
   }
 
   @Test
   void testEnrollDeleteWithEnrollmentIdProducesCorrectCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.delete)
         .enrollmentId(createEnrollmentId("abc123"))
         .build();
@@ -1214,14 +1223,15 @@ void testEnrollDeleteWithEnrollmentIdProducesCorrectCommand() {
 
   @Test
   void testEnrollRequestThrowExceptionIfFieldsNotSet() {
-    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
-        .operation(EnrollOperation.request)
-        .deviceName("myDevice")
-        .apkamPublicKey("pubKey")
-        .build());
+    IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
+                                               () -> CommandBuilders.enrollCommandBuilder()
+                                                   .operation(EnrollOperation.request)
+                                                   .deviceName("myDevice")
+                                                   .apkamPublicKey("pubKey")
+                                                   .build());
     assertThat(ex.getMessage(), containsString("appName not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .appName("")
         .deviceName("myDevice")
@@ -1229,14 +1239,14 @@ void testEnrollRequestThrowExceptionIfFieldsNotSet() {
         .build());
     assertThat(ex.getMessage(), containsString("appName not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .appName("myApp")
         .apkamPublicKey("pubKey")
         .build());
     assertThat(ex.getMessage(), containsString("deviceName not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .appName("myApp")
         .deviceName("")
@@ -1244,14 +1254,14 @@ void testEnrollRequestThrowExceptionIfFieldsNotSet() {
         .build());
     assertThat(ex.getMessage(), containsString("deviceName not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .appName("myApp")
         .deviceName("myDevice")
         .build());
     assertThat(ex.getMessage(), containsString("apkamPublicKey not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .otp("")
         .appName("myApp")
@@ -1260,7 +1270,7 @@ void testEnrollRequestThrowExceptionIfFieldsNotSet() {
         .build());
     assertThat(ex.getMessage(), containsString("otp not set"));
 
-    ex = assertThrows(IllegalArgumentException.class, () -> VerbBuilders.enrollCommandBuilder()
+    ex = assertThrows(IllegalArgumentException.class, () -> CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .otp("AZ19")
         .appName("myApp")
@@ -1272,7 +1282,7 @@ void testEnrollRequestThrowExceptionIfFieldsNotSet() {
 
   @Test
   void testInitialEnrollRequestReturnsExpectedCommand() {
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .appName("myApp")
         .deviceName("myDevice")
@@ -1291,7 +1301,7 @@ void testSubsequentEnrollRequestReturnsExpectedCommand() {
     Map<String, String> namespaces = new LinkedHashMap<>();
     namespaces.put("ns1", "rw");
 
-    String result = VerbBuilders.enrollCommandBuilder()
+    String result = CommandBuilders.enrollCommandBuilder()
         .operation(EnrollOperation.request)
         .appName("myApp")
         .deviceName("myDevice")
@@ -1315,23 +1325,23 @@ void testSubsequentEnrollRequestReturnsExpectedCommand() {
 
   @Test
   public void testOtpBuilderGeneratesExpectedOutput() {
-    String command = VerbBuilders.otpCommandBuilder().build();
+    String command = CommandBuilders.otpCommandBuilder().build();
     assertEquals("otp:get", command);
   }
 
   @Test
   void testKeysBuilderThrowsExceptionIfFieldsNotSet() {
     IllegalArgumentException ex = assertThrows(IllegalArgumentException.class,
-                                               () -> VerbBuilders.keysCommandBuilder().build());
+                                               () -> CommandBuilders.keysCommandBuilder().build());
     assertThat(ex.getMessage(), containsString("operation not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.keysCommandBuilder().operation(VerbBuilders.KeysOperation.get).build());
+                      () -> CommandBuilders.keysCommandBuilder().operation(CommandBuilders.KeysOperation.get).build());
     assertThat(ex.getMessage(), containsString("keyName not set"));
 
     ex = assertThrows(IllegalArgumentException.class,
-                      () -> VerbBuilders.keysCommandBuilder()
-                          .operation(VerbBuilders.KeysOperation.delete)
+                      () -> CommandBuilders.keysCommandBuilder()
+                          .operation(CommandBuilders.KeysOperation.delete)
                           .keyName("private:_secret@fred")
                           .build());
     assertThat(ex.getMessage(), containsString("delete not supported"));
@@ -1340,8 +1350,8 @@ void testKeysBuilderThrowsExceptionIfFieldsNotSet() {
 
   @Test
   void testKeysBuilderReturnsExpectedCommand() {
-    String command = VerbBuilders.keysCommandBuilder()
-        .operation(VerbBuilders.KeysOperation.get)
+    String command = CommandBuilders.keysCommandBuilder()
+        .operation(CommandBuilders.KeysOperation.get)
         .keyName("private:_secret@fred")
         .build();
     assertThat(command, equalTo("keys:get:keyName:private:_secret@fred"));
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/DataResponsesTest.java
similarity index 51%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/DataResponsesTest.java
index 4adaa8b3..12b8d0ed 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/DataTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/DataResponsesTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
@@ -6,94 +6,93 @@
 
 import java.util.Map;
 
-import org.atsign.common.Metadata;
-import org.atsign.common.response_models.LookupResponse;
+import org.atsign.client.api.Metadata;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.Test;
 
-public class DataTest {
+public class DataResponsesTest {
 
   @Test
   public void testMatchDataSuccess() {
-    assertThat(Data.matchDataSuccess("data:success"), is("success"));
+    assertThat(DataResponses.matchDataSuccess("data:success"), is("success"));
   }
 
   @Test
   public void testMatchDataSuccessThrowException() {
-    Exception ex = assertThrows(Exception.class, () -> Data.matchDataSuccess("error:epicfail"));
+    Exception ex = assertThrows(Exception.class, () -> DataResponses.matchDataSuccess("error:epicfail"));
     assertThat(ex.getMessage(), containsString("expected [data:(success)] but input was : error:epicfail"));
   }
 
   @Test
   public void testMatchDataStringNoWhitespace() {
-    assertThat(Data.matchDataStringNoWhitespace("data:somestring"), is("somestring"));
+    assertThat(DataResponses.matchDataStringNoWhitespace("data:somestring"), is("somestring"));
   }
 
   @Test
   public void testMatchDataStringNoWhitespaceThrowException() {
-    assertThrows(Exception.class, () -> Data.matchDataStringNoWhitespace("data:some string with spaces"));
+    assertThrows(Exception.class, () -> DataResponses.matchDataStringNoWhitespace("data:some string with spaces"));
   }
 
   @Test
   public void testMatchData() {
-    assertThat(Data.matchData("data:some string"), is("some string"));
-    assertThat(Data.matchData("data:{\"member\":value}"), is("{\"member\":value}"));
+    assertThat(DataResponses.matchData("data:some string"), is("some string"));
+    assertThat(DataResponses.matchData("data:{\"member\":value}"), is("{\"member\":value}"));
   }
 
   @Test
   public void testMatchDataInt() {
-    assertThat(Data.matchDataInt("data:42"), is(42));
+    assertThat(DataResponses.matchDataInt("data:42"), is(42));
   }
 
   @Test
   public void testMatchDataNegativeInt() {
-    assertThat(Data.matchDataInt("data:-42"), is(-42));
+    assertThat(DataResponses.matchDataInt("data:-42"), is(-42));
   }
 
   @Test
   public void testMatchDataJsonList() {
-    assertThat(Data.matchDataJsonList("data:[1,2,3]"), contains(1, 2, 3));
+    assertThat(DataResponses.matchDataJsonList("data:[1,2,3]"), contains(1, 2, 3));
   }
 
   @Test
   public void testMatchDataJsonListOfStrings() {
-    assertThat(Data.matchDataJsonListOfStrings("data:[\"a\",\"b\"]"), contains("a", "b"));
+    assertThat(DataResponses.matchDataJsonListOfStrings("data:[\"a\",\"b\"]"), contains("a", "b"));
   }
 
   @Test
   public void testMatchDataJsonMapOfStringsNonEmpty() {
-    assertThat(Data.matchDataJsonMapOfStrings("data:{\"k\":\"v\"}"), hasEntry("k", "v"));
+    assertThat(DataResponses.matchDataJsonMapOfStrings("data:{\"k\":\"v\"}"), hasEntry("k", "v"));
   }
 
   @Test
   public void testMatchDataJsonMapOfStringsAllowEmpty() {
-    Map<String, String> result = Data.matchDataJsonMapOfStrings("data:{}", true);
+    Map<String, String> result = DataResponses.matchDataJsonMapOfStrings("data:{}", true);
     assertThat(result.entrySet(), Matchers.empty());
   }
 
   @Test
   public void testMatchDataJsonMapOfObjectsNonEmpty() {
-    Map<String, Object> result = Data.matchDataJsonMapOfObjects("data:{\"k\":42}");
+    Map<String, Object> result = DataResponses.matchDataJsonMapOfObjects("data:{\"k\":42}");
     assertThat(result.get("k"), is(42));
   }
 
   @Test
   public void testMatchDataJsonMapOfObjectsAllowEmpty() {
-    Map<String, Object> result = Data.matchDataJsonMapOfObjects("data:{}", true);
+    Map<String, Object> result = DataResponses.matchDataJsonMapOfObjects("data:{}", true);
     assertThat(result.isEmpty(), is(true));
   }
 
   @Test
   public void testMatchLookupResponse() {
     String json = "data:{\"data\":\"xyz\"}";
-    LookupResponse result = Data.matchLookupResponse(json);
+    LookupResponse result = DataResponses.matchLookupResponse(json);
     assertThat(result.data, is("xyz"));
   }
 
   @Test
   public void testMatchMetadata() {
     String json = "data:{\"ttr\":0}";
-    Metadata result = Data.matchMetadata(json);
+    Metadata result = DataResponses.matchMetadata(json);
     assertThat(result.ttr(), is(0L));
   }
 }
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/EnrollCommandsTest.java
similarity index 74%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/EnrollCommandsTest.java
index dc352a4c..739d2093 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/EnrollTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/EnrollCommandsTest.java
@@ -1,10 +1,10 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static java.lang.String.format;
 import static java.util.Collections.singletonMap;
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.client.util.EnrollmentId.createEnrollmentId;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -12,14 +12,14 @@
 import java.util.List;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtServerRuntimeException;
 import org.junit.jupiter.api.Test;
 
-public class EnrollTest {
+public class EnrollCommandsTest {
 
   public static final String RSA_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi0ZpMHagomCnC6MX" +
       "GIRbG9our0NsmPsSPLKSpL/BbJU8nMqwbsSVlDoW9LX8h8yyLeMDC/AsrHjF3jviXWEYNQhZTZohPP" +
@@ -34,20 +34,20 @@ public class EnrollTest {
 
   @Test
   public void testDeleteCramSecretDoesNotThrowException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("delete:privatekey:at_secret", "data:1")
         .build();
 
-    Enroll.deleteCramSecret(connection);
+    EnrollCommands.deleteCramSecret(executor);
   }
 
   @Test
   public void testDeleteCramSecretThrowsException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("delete:privatekey:at_secret", "error:AT0001:deliberate")
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> Enroll.deleteCramSecret(connection));
+    assertThrows(AtServerRuntimeException.class, () -> EnrollCommands.deleteCramSecret(executor));
   }
 
   @Test
@@ -58,31 +58,31 @@ public void testOnboardThrowsExceptionIfSigningPublicKeyIsMissing() throws Excep
         .encryptKeyPair(generateRSAKeyPair())
         .build();
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("scan", "data:[\"signing_publickey@gary\"]")
         .build();
 
     Exception ex = assertThrows(Exception.class,
-                                () -> Enroll.onboard(connection, atSign, keys, "secret", "app", "device", false));
+                                () -> EnrollCommands.onboard(executor, atSign, keys, "secret", "app", "device", false));
     assertThat(ex.getMessage(), containsString("not connected to the atsign's at server"));
   }
 
   @Test
   void testOtpSendsExpectedCommandAndMatchesExpectedResponse() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("otp:get", "data:ABC123")
         .build();
 
-    assertThat(Enroll.otp(connection), equalTo("ABC123"));
+    assertThat(EnrollCommands.otp(executor), equalTo("ABC123"));
   }
 
   @Test
   void testOtpThrowsExceptionOnError() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("otp:get", "error:AT0013:deliberate")
         .build();
 
-    assertThrows(AtException.class, () -> Enroll.otp(connection));
+    assertThrows(AtException.class, () -> EnrollCommands.otp(executor));
   }
 
   @Test
@@ -93,7 +93,7 @@ public void testOnboard() throws Exception {
         .encryptKeyPair(generateRSAKeyPair())
         .build();
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("scan", "data:[\"signing_publickey@alice\"]")
         .stub("from:@alice", "data:challenge")
         .stub("cram:7e91508d5.+", "data:success")
@@ -102,7 +102,7 @@ public void testOnboard() throws Exception {
         .stub("update:public:publickey@alice .+", "data:1")
         .build();
 
-    AtKeys newKeys = Enroll.onboard(connection, atSign, keys, "secret", "app", "device", false);
+    AtKeys newKeys = EnrollCommands.onboard(executor, atSign, keys, "secret", "app", "device", false);
 
     assertThat(newKeys, is(not(sameInstance(keys))));
     assertThat(newKeys.getEnrollmentId(), equalTo(createEnrollmentId("904dcbf7")));
@@ -116,12 +116,12 @@ public void testEnroll() throws Exception {
         .apkamSymmetricKey(generateAESKeyBase64())
         .build();
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("lookup:publickey@alice", "data:" + RSA_KEY)
         .stub("enroll:request\\{.+}", "data:{\"enrollmentId\":\"759acb09\",\"status\":\"pending\"}")
         .build();
 
-    AtKeys newKeys = Enroll.enroll(connection, atSign, keys, "OTP123", "app", "device", singletonMap("ns", "rw"));
+    AtKeys newKeys = EnrollCommands.enroll(executor, atSign, keys, "OTP123", "app", "device", singletonMap("ns", "rw"));
 
     assertThat(newKeys, is(not(sameInstance(keys))));
     assertThat(newKeys.getEnrollmentId(), equalTo(createEnrollmentId("759acb09")));
@@ -143,14 +143,14 @@ public void testComplete() throws Exception {
     String privateEncryptKeysGetResponse = format("data:{\"value\":\"%s\",\"iv\":\"%s\"}",
                                                   aesEncryptToBase64(RSA_KEY, keys.getApkamSymmetricKey(), IV), IV);
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("from:@alice", "data:challenge")
         .stub("pkam:[^{].+", "data:success")
         .stub("keys:get:keyName:12345.default_self_enc_key.__manage@alice", selfEncryptKeysGetResponse)
         .stub("keys:get:keyName:12345.default_enc_private_key.__manage@alice", privateEncryptKeysGetResponse)
         .build();
 
-    AtKeys newKeys = Enroll.complete(connection, atSign, keys);
+    AtKeys newKeys = EnrollCommands.complete(executor, atSign, keys);
 
     assertThat(newKeys, is(not(sameInstance(keys))));
     assertThat(newKeys.getEncryptPrivateKey(), notNullValue());
@@ -168,53 +168,53 @@ public void testApprove() throws Exception {
         "\"namespace\":{\"ns\":\"rw\"},\"encryptedAPKAMSymmetricKey\":\"%s\",\"status\":\"pending\"}",
                                   rsaEncryptToBase64(AES_KEY, keys.getEncryptPublicKey()));
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("enroll:fetch\\{\"enrollmentId\":\"12345\"}", fetchResponse)
         .stub("enroll:approve\\{\"enrollmentId\":\"12345\".+",
               "data:{\"status\":\"approved\",\"enrollmentId\":\"12345\"}")
         .build();
 
-    Enroll.approve(connection, keys, createEnrollmentId("12345"));
+    EnrollCommands.approve(executor, keys, createEnrollmentId("12345"));
   }
 
   @Test
   public void testDeny() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("enroll:deny\\{\"enrollmentId\":\"12345\".+",
               "data:{\"status\":\"denied\",\"enrollmentId\":\"12345\"}")
         .build();
 
-    Enroll.deny(connection, createEnrollmentId("12345"));
+    EnrollCommands.deny(executor, createEnrollmentId("12345"));
   }
 
   @Test
   public void testRevoke() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("enroll:revoke\\{\"enrollmentId\":\"12345\".+",
               "data:{\"status\":\"revoked\",\"enrollmentId\":\"12345\"}")
         .build();
 
-    Enroll.revoke(connection, createEnrollmentId("12345"));
+    EnrollCommands.revoke(executor, createEnrollmentId("12345"));
   }
 
   @Test
   public void testUnrevoke() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("enroll:unrevoke\\{\"enrollmentId\":\"12345\".+",
               "data:{\"status\":\"approved\",\"enrollmentId\":\"12345\"}")
         .build();
 
-    Enroll.unrevoke(connection, createEnrollmentId("12345"));
+    EnrollCommands.unrevoke(executor, createEnrollmentId("12345"));
   }
 
   @Test
   public void testDelete() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("enroll:delete\\{\"enrollmentId\":\"12345\".+",
               "data:{\"status\":\"deleted\",\"enrollmentId\":\"12345\"}")
         .build();
 
-    Enroll.delete(connection, createEnrollmentId("12345"));
+    EnrollCommands.delete(executor, createEnrollmentId("12345"));
   }
 
   @Test
@@ -239,11 +239,11 @@ public void testList() throws Exception {
         "      \"fredns\": \"rw\"" +
         "    }}}";
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("enroll:list\\{\"enrollmentStatusFilter\":\\[\"pending\"]}", response)
         .build();
 
-    List<EnrollmentId> ids = Enroll.list(connection, "pending");
+    List<EnrollmentId> ids = EnrollCommands.list(executor, "pending");
     assertThat(ids, contains(createEnrollmentId("bc8bfdf3-eadd-4373-b0cc-a9c8a52c96c5")));
   }
 
diff --git a/at_client/src/test/java/org/atsign/client/impl/commands/ErrorResponsesTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/ErrorResponsesTest.java
new file mode 100644
index 00000000..f4316940
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/ErrorResponsesTest.java
@@ -0,0 +1,40 @@
+package org.atsign.client.impl.commands;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.exceptions.AtUnauthenticatedException;
+import org.junit.jupiter.api.Test;
+
+class ErrorResponsesTest {
+
+  @Test
+  public void testError() {
+    assertThat(ErrorResponses.matchError("error:fail"), is("fail"));
+    assertThat(ErrorResponses.matchError("error:some reason"), is("some reason"));
+    assertThat(ErrorResponses.matchError("error:AT0401:an error message"), is("AT0401:an error message"));
+  }
+
+  @Test
+  public void testThrowExceptionIfErrorDoesNothingIfNoError() throws AtException {
+    ErrorResponses.throwExceptionIfError("data:success");
+    ErrorResponses.throwExceptionIfError("");
+  }
+
+  @Test
+  public void testThrowExceptionIfErrorThrowsTypedException() {
+    Exception ex =
+        assertThrows(Exception.class, () -> ErrorResponses.throwExceptionIfError("error:AT0401:an error message"));
+    assertThat(ex, instanceOf(AtUnauthenticatedException.class));
+    assertThat(ex.getMessage(), containsString("an error message"));
+  }
+
+  @Test
+  public void testThrowExceptionIfErrorThrowsExceptionIfNull() {
+    Exception ex = assertThrows(Exception.class, () -> ErrorResponses.throwExceptionIfError(null));
+    assertThat(ex, instanceOf(IllegalArgumentException.class));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/KeyCommandsTest.java
similarity index 71%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/KeyCommandsTest.java
index e87e6c49..4d31480d 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/KeysTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/KeyCommandsTest.java
@@ -1,6 +1,6 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.nullValue;
@@ -9,54 +9,54 @@
 
 import java.util.List;
 
-import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.api.AtCommandExecutor;
 import org.junit.jupiter.api.Test;
 
-class KeysTest {
+class KeyCommandsTest {
 
   @Test
   void testDeleteKeyRawKey() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("delete:selfkey1@alice", "data:1")
         .build();
 
-    Keys.deleteKey(connection, "selfkey1@alice");
+    KeyCommands.deleteKey(executor, "selfkey1@alice");
   }
 
   @Test
   void testDeleteKeyRawKeyThrowsExceptionIfResponseIsError() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("delete:selfkey1@alice", "error:AT0001:an error message")
         .build();
 
-    assertThrows(Exception.class, () -> Keys.deleteKey(connection, "selfkey1@alice"));
+    assertThrows(Exception.class, () -> KeyCommands.deleteKey(executor, "selfkey1@alice"));
   }
 
   @Test
   void testDeleteKey() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("delete:keyname@colin", "data:1")
         .build();
 
-    org.atsign.common.Keys.SelfKey key = org.atsign.common.Keys.selfKeyBuilder()
+    org.atsign.client.api.Keys.SelfKey key = org.atsign.client.api.Keys.selfKeyBuilder()
         .name("keyname")
         .sharedBy(createAtSign("colin"))
         .build();
-    Keys.deleteKey(connection, key);
+    KeyCommands.deleteKey(executor, key);
 
-    verify(connection).sendSync("delete:keyname@colin");
+    verify(executor).sendSync("delete:keyname@colin");
   }
 
   @Test
   void getKeysWithMetaDataReturnsExpectedResults() throws Exception {
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("scan:showHidden:true .+", "data:[\"public:publickey@gary\",\"public:signing_publickey@gary\"]")
         .stub("llookup:meta:public:publickey@gary", "data:{\"ttl\":1000}")
         .stub("llookup:meta:public:signing_publickey@gary", "data:{\"ttl\":2000}")
         .build();
 
-    List<org.atsign.common.Keys.AtKey> result = Keys.getKeys(connection, ".+", true);
+    List<org.atsign.client.api.Keys.AtKey> result = KeyCommands.getKeys(executor, ".+", true);
 
     assertThat(result.size(), equalTo(2));
     assertThat(result.get(0).rawKey(), equalTo("public:publickey@gary"));
@@ -73,11 +73,11 @@ void getKeysWithMetaDataReturnsExpectedResults() throws Exception {
   @Test
   void getKeysWithoutMetaDataReturnsExpectedResults() throws Exception {
 
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("scan:showHidden:true .+", "data:[\"public:publickey@gary\",\"public:signing_publickey@gary\"]")
         .build();
 
-    List<org.atsign.common.Keys.AtKey> result = Keys.getKeys(connection, ".*gary", false);
+    List<org.atsign.client.api.Keys.AtKey> result = KeyCommands.getKeys(executor, ".*gary", false);
 
     assertThat(result.size(), equalTo(2));
     assertThat(result.get(0).rawKey(), equalTo("public:publickey@gary"));
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/NotificationsTest.java
similarity index 89%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/NotificationsTest.java
index b7446a3d..93610411 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/NotificationsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/NotificationsTest.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.impl.util.EncryptionUtils.generateRSAKeyPair;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -14,10 +14,10 @@
 
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtOnReadyException;
-import org.atsign.common.exceptions.AtTimeoutException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtOnReadyException;
+import org.atsign.client.impl.exceptions.AtTimeoutException;
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
@@ -29,27 +29,27 @@ class NotificationsTest {
   void testMonitorSendExpectedCommands() throws Exception {
     AtSign atSign = createAtSign("colin");
     AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).build();
-    AtClientConnection conn = mock(AtClientConnection.class);
-    stubAuthentication(conn, atSign);
+    AtCommandExecutor executor = mock(AtCommandExecutor.class);
+    stubAuthentication(executor, atSign);
 
     Consumer<String> consumer = mock(Consumer.class);
-    Notifications.monitor(conn, atSign, keys, consumer);
+    Notifications.monitor(executor, atSign, keys, consumer);
 
-    verify(conn).sendSync(eq("monitor"), eq(consumer));
+    verify(executor).sendSync(eq("monitor"), eq(consumer));
   }
 
   @Test
   void testMonitorWrapsConsumer() throws Exception {
     AtSign atSign = createAtSign("colin");
     AtKeys keys = AtKeys.builder().apkamKeyPair(generateRSAKeyPair()).build();
-    AtClientConnection conn = mock(AtClientConnection.class);
-    stubAuthentication(conn, atSign);
+    AtCommandExecutor executor = mock(AtCommandExecutor.class);
+    stubAuthentication(executor, atSign);
     Consumer<String> consumer = mock(Consumer.class);
     doAnswer((Answer<Void>) invocation -> {
       throw new AtTimeoutException("deliberate");
-    }).when(conn).sendSync(eq("monitor"), Mockito.any(Consumer.class));
+    }).when(executor).sendSync(eq("monitor"), Mockito.any(Consumer.class));
 
-    Exception ex = assertThrows(Exception.class, () -> Notifications.monitor(atSign, keys, consumer).accept(conn));
+    Exception ex = assertThrows(Exception.class, () -> Notifications.monitor(atSign, keys, consumer).accept(executor));
     assertThat(ex, instanceOf(AtOnReadyException.class));
   }
 
@@ -166,9 +166,9 @@ void testEventBusBridgePublishesExpectedEventForUnrecognizedNotification() {
     assertThat(captor.getValue().get("exception"), equalTo("unknown notification operation 'unrecognized'"));
   }
 
-  private static void stubAuthentication(AtClientConnection conn, AtSign atSign)
+  private static void stubAuthentication(AtCommandExecutor executor, AtSign atSign)
       throws ExecutionException, InterruptedException {
-    when(conn.sendSync(anyString())).thenAnswer((Answer<String>) invocation -> {
+    when(executor.sendSync(anyString())).thenAnswer((Answer<String>) invocation -> {
       String command = invocation.getArgument(0);
       if (command.matches("from:" + atSign)) {
         return "data:challenge";
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java
similarity index 59%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java
index 5f7996da..11f5592d 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/PublicKeysTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java
@@ -1,6 +1,6 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -9,16 +9,16 @@
 import java.util.concurrent.ExecutionException;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.util.EncryptionUtil;
-import org.atsign.common.Keys;
-import org.atsign.common.exceptions.AtKeyNotFoundException;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
-import org.atsign.common.options.GetRequestOptions;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.util.EncryptionUtils;
+import org.atsign.client.api.Keys;
+import org.atsign.client.impl.exceptions.AtKeyNotFoundException;
+import org.atsign.client.impl.exceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtClient.GetRequestOptions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-class PublicKeysTest {
+class PublicKeyCommandsTest {
 
   private Keys.PublicKey key;
 
@@ -27,7 +27,7 @@ class PublicKeysTest {
   @BeforeEach
   public void setup() throws Exception {
     keys = AtKeys.builder()
-        .encryptKeyPair(EncryptionUtil.generateRSAKeyPair())
+        .encryptKeyPair(EncryptionUtils.generateRSAKeyPair())
         .build();
     key = Keys.publicKeyBuilder()
         .sharedBy(createAtSign("gary"))
@@ -37,74 +37,74 @@ public void setup() throws Exception {
 
   @Test
   void testGetSharedByMe() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:public:test@gary", createMockLookupResponse("public:test@gary", "hello world"))
         .build();
 
-    String actual = PublicKeys.get(connection, createAtSign("gary"), key, null);
+    String actual = PublicKeyCommands.get(executor, createAtSign("gary"), key, null);
 
     assertThat(actual, equalTo("hello world"));
   }
 
   @Test
   void testGetCachedSharedByMe() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:public:test@gary", createMockLookupResponse("cached:public:test@gary", "hello world"))
         .build();
 
-    PublicKeys.get(connection, createAtSign("gary"), key, null);
+    PublicKeyCommands.get(executor, createAtSign("gary"), key, null);
 
     assertThat(key.metadata().isCached(), is(true));
   }
 
   @Test
   void testGetSharedByMeNoSuchKey() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:public:test@gary", "error:AT0015:deliberate")
         .build();
 
-    assertThrows(AtKeyNotFoundException.class, () -> PublicKeys.get(connection, createAtSign("gary"), key, null));
+    assertThrows(AtKeyNotFoundException.class, () -> PublicKeyCommands.get(executor, createAtSign("gary"), key, null));
   }
 
   @Test
   void testGetSharedByMeExecutionException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:public:test@gary", new ExecutionException("deliberate", null))
         .build();
 
-    assertThrows(RuntimeException.class, () -> PublicKeys.get(connection, createAtSign("gary"), key, null));
+    assertThrows(RuntimeException.class, () -> PublicKeyCommands.get(executor, createAtSign("gary"), key, null));
   }
 
   @Test
   void testGetSharedByOther() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("plookup:all:test@gary", createMockLookupResponse("public:test@gary", "hello world"))
         .build();
 
-    String actual = PublicKeys.get(connection, createAtSign("colin"), key, null);
+    String actual = PublicKeyCommands.get(executor, createAtSign("colin"), key, null);
 
     assertThat(actual, equalTo("hello world"));
   }
 
   @Test
   void testGetCachedSharedByOther() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("plookup:all:test@gary", createMockLookupResponse("cached:public:test@gary", "hello world"))
         .build();
 
-    PublicKeys.get(connection, createAtSign("colin"), key, null);
+    PublicKeyCommands.get(executor, createAtSign("colin"), key, null);
 
     assertThat(key.metadata().isCached(), is(true));
   }
 
   @Test
   void testGetSharedByOtherBypassCache() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("plookup:bypassCache:true:all:test@gary", createMockLookupResponse("public:test@gary", "hello world"))
         .build();
 
     GetRequestOptions options = GetRequestOptions.builder().bypassCache(true).build();
-    String actual = PublicKeys.get(connection, createAtSign("colin"), key, options);
+    String actual = PublicKeyCommands.get(executor, createAtSign("colin"), key, options);
 
     assertThat(actual, equalTo("hello world"));
   }
@@ -113,55 +113,55 @@ void testGetSharedByOtherBypassCache() throws Exception {
 
   @Test
   void testGetSharedByOtherNoSuchKey() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("plookup:all:test@gary", "error:AT0015:deliberate")
         .build();
 
-    assertThrows(AtKeyNotFoundException.class, () -> PublicKeys.get(connection, createAtSign("colin"), key, null));
+    assertThrows(AtKeyNotFoundException.class, () -> PublicKeyCommands.get(executor, createAtSign("colin"), key, null));
   }
 
   @Test
   void testGetSharedByOtherExecutionException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stubExecutionException("plookup:all:test@gary")
         .build();
 
-    assertThrows(RuntimeException.class, () -> PublicKeys.get(connection, createAtSign("colin"), key, null));
+    assertThrows(RuntimeException.class, () -> PublicKeyCommands.get(executor, createAtSign("colin"), key, null));
   }
 
   @Test
   void testPutSendsExpectedCommands() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world", "data:123")
         .build();
 
-    PublicKeys.put(connection, keys, key, "hello world");
+    PublicKeyCommands.put(executor, keys, key, "hello world");
   }
 
   @Test
   void testPutThrowExceptionIfCommandFails() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world", "error:AT0001:deliberate")
         .build();
 
     AtKeys keys = AtKeys.builder()
-        .encryptKeyPair(EncryptionUtil.generateRSAKeyPair())
+        .encryptKeyPair(EncryptionUtils.generateRSAKeyPair())
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> PublicKeys.put(connection, keys, key, "hello world"));
+    assertThrows(AtServerRuntimeException.class, () -> PublicKeyCommands.put(executor, keys, key, "hello world"));
   }
 
   @Test
   void testPutExecutionException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stubExecutionException("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world")
         .build();
 
     AtKeys keys = AtKeys.builder()
-        .encryptKeyPair(EncryptionUtil.generateRSAKeyPair())
+        .encryptKeyPair(EncryptionUtils.generateRSAKeyPair())
         .build();
 
-    assertThrows(RuntimeException.class, () -> PublicKeys.put(connection, keys, key, "hello world"));
+    assertThrows(RuntimeException.class, () -> PublicKeyCommands.put(executor, keys, key, "hello world"));
   }
 
   private static String createMockLookupResponse(String key, String value) {
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/ResponsesTest.java
similarity index 98%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/ResponsesTest.java
index 73b5276a..dfa382cf 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/ResponsesTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/ResponsesTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static java.util.Collections.emptyList;
 import static java.util.Collections.emptyMap;
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/ScanCommandsTest.java
similarity index 55%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/ScanCommandsTest.java
index 0ebbe93e..68a58d7b 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/ScanTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/ScanCommandsTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
@@ -6,49 +6,49 @@
 
 import java.util.List;
 
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.exceptions.AtServerRuntimeException;
 import org.junit.jupiter.api.Test;
 
-class ScanTest {
+class ScanCommandsTest {
 
   @Test
   void testScanReturnsExpectedResults() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("scan:showHidden:true .*", "data:[]")
         .build();
 
-    assertThat(Scan.scan(connection, true, ".*"), equalTo(List.of()));
+    assertThat(ScanCommands.scan(executor, true, ".*"), equalTo(List.of()));
 
-    connection = TestConnectionBuilder.builder()
+    executor = TestConnectionBuilder.builder()
         .stub("scan:showHidden:true .+", "data:[\"public:publickey@gary\",\"public:signing_publickey@gary\"]")
         .build();
 
-    assertThat(Scan.scan(connection, true, ".+"),
+    assertThat(ScanCommands.scan(executor, true, ".+"),
                equalTo(List.of("public:publickey@gary", "public:signing_publickey@gary")));
 
-    connection = TestConnectionBuilder.builder()
+    executor = TestConnectionBuilder.builder()
         .stub("scan .*", "data:[\"public:publickey@gary\"]")
         .build();
-    assertThat(Scan.scan(connection, false, ".*"),
+    assertThat(ScanCommands.scan(executor, false, ".*"),
                equalTo(List.of("public:publickey@gary")));
   }
 
   @Test
   void testScanThrowsServerException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("scan:showHidden:true .*", "error:AT0001:deliberate")
         .build();
-    assertThrows(AtServerRuntimeException.class, () -> Scan.scan(connection, true, ".*"));
+    assertThrows(AtServerRuntimeException.class, () -> ScanCommands.scan(executor, true, ".*"));
   }
 
 
   @Test
   void testScanThrowsExecutionException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stubExecutionException("scan:showHidden:true .*")
         .build();
-    assertThrows(RuntimeException.class, () -> Scan.scan(connection, true, ".*"));
+    assertThrows(RuntimeException.class, () -> ScanCommands.scan(executor, true, ".*"));
   }
 
 }
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java
similarity index 62%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java
index 484fdc0d..dac22ae6 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/SelfKeysTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -9,13 +9,13 @@
 import static org.mockito.Mockito.verify;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.Keys;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.Keys;
+import org.atsign.client.impl.exceptions.AtServerRuntimeException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-class SelfKeysTest {
+class SelfKeyCommandsTest {
 
   private Keys.SelfKey key;
 
@@ -38,59 +38,59 @@ void testGet() throws Exception {
 
     String iv = generateRandomIvBase64(16);
     String encrypted = aesEncryptToBase64("hello me", keys.getSelfEncryptKey(), iv);
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:test@gary", createMockLookupResponse("test@gary", encrypted, iv))
         .build();
 
-    String actual = SelfKeys.get(connection, keys, key);
+    String actual = SelfKeyCommands.get(executor, keys, key);
 
     assertThat(actual, equalTo("hello me"));
   }
 
   @Test
   void testGetException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:test@gary", "error:AT0001:deliberate")
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> SelfKeys.get(connection, keys, key));
+    assertThrows(AtServerRuntimeException.class, () -> SelfKeyCommands.get(executor, keys, key));
   }
 
   @Test
   void testGetExecutionException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stubExecutionException("llookup:all:test@gary")
         .build();
 
-    assertThrows(RuntimeException.class, () -> SelfKeys.get(connection, keys, key));
+    assertThrows(RuntimeException.class, () -> SelfKeyCommands.get(executor, keys, key));
   }
 
   @Test
   void testPut() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+", "data:123")
         .build();
 
-    SelfKeys.put(connection, keys, key, "hello world");
-    verify(connection).sendSync(argThat(s -> !s.contains("hello world")));
+    SelfKeyCommands.put(executor, keys, key, "hello world");
+    verify(executor).sendSync(argThat(s -> !s.contains("hello world")));
   }
 
   @Test
   void testPutAtException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+", "error:AT0001:deliberate")
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> SelfKeys.put(connection, keys, key, "hello world"));
+    assertThrows(AtServerRuntimeException.class, () -> SelfKeyCommands.put(executor, keys, key, "hello world"));
   }
 
   @Test
   void testPutExecutionException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stubExecutionException("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+")
         .build();
 
-    assertThrows(RuntimeException.class, () -> SelfKeys.put(connection, keys, key, "hello world"));
+    assertThrows(RuntimeException.class, () -> SelfKeyCommands.put(executor, keys, key, "hello world"));
   }
 
   private static String createMockLookupResponse(String key, String encrypted, String iv) {
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java
similarity index 72%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java
index e9e0e587..23b1255d 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/SharedKeysTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
-import static org.atsign.client.util.EncryptionUtil.*;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -10,13 +10,13 @@
 import static org.mockito.Mockito.verify;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.common.Keys;
-import org.atsign.common.exceptions.AtExceptions.AtServerRuntimeException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.Keys;
+import org.atsign.client.impl.exceptions.AtServerRuntimeException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-class SharedKeysTest {
+class SharedKeyCommandsTest {
 
   private Keys.SharedKey key;
 
@@ -40,23 +40,23 @@ void testGetSharedByMe() throws Exception {
     String encryptKey = generateAESKeyBase64();
     String iv = generateRandomIvBase64(16);
     String encrypted = aesEncryptToBase64("hello colin", encryptKey, iv);
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
         .stub("llookup:all:@colin:test@gary", createMockLookupResponse("@colin:test@gary", encrypted, iv))
         .build();
 
-    String actual = SharedKeys.get(connection, createAtSign("gary"), keys, key);
+    String actual = SharedKeyCommands.get(executor, createAtSign("gary"), keys, key);
 
     assertThat(actual, equalTo("hello colin"));
   }
 
   @Test
   void testGetNotSharedByMeOrWithMeThrowsException() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .build();
 
     RuntimeException ex =
-        assertThrows(RuntimeException.class, () -> SharedKeys.get(connection, createAtSign("alice"), keys, key));
+        assertThrows(RuntimeException.class, () -> SharedKeyCommands.get(executor, createAtSign("alice"), keys, key));
     assertThat(ex.getMessage(), containsString("the client atsign is neither the sharedBy or sharedWith"));
   }
 
@@ -66,11 +66,11 @@ void testGetSharedByMeCachedKey() throws Exception {
     String iv = generateRandomIvBase64(16);
     String encrypted = aesEncryptToBase64("hello colin", encryptKey, iv);
     keys.put("shared_key.colin", encryptKey);
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:all:@colin:test@gary", createMockLookupResponse("@colin:test@gary", encrypted, iv))
         .build();
 
-    String actual = SharedKeys.get(connection, createAtSign("gary"), keys, key);
+    String actual = SharedKeyCommands.get(executor, createAtSign("gary"), keys, key);
 
     assertThat(actual, equalTo("hello colin"));
   }
@@ -78,23 +78,24 @@ void testGetSharedByMeCachedKey() throws Exception {
   @Test
   void testGetSharedByMeServerException() throws Exception {
     String encryptKey = generateAESKeyBase64();
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
         .stub("llookup:all:@colin:test@gary", "error:AT0001:deliberate")
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> SharedKeys.get(connection, createAtSign("gary"), keys, key));
+    assertThrows(AtServerRuntimeException.class,
+                 () -> SharedKeyCommands.get(executor, createAtSign("gary"), keys, key));
   }
 
   @Test
   void testGetSharedByMeExecutionException() throws Exception {
     String encryptKey = generateAESKeyBase64();
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
         .stubExecutionException("llookup:all:@colin:test@gary")
         .build();
 
-    assertThrows(RuntimeException.class, () -> SharedKeys.get(connection, createAtSign("gary"), keys, key));
+    assertThrows(RuntimeException.class, () -> SharedKeyCommands.get(executor, createAtSign("gary"), keys, key));
   }
 
   @Test
@@ -102,12 +103,12 @@ void getGetSharedByOther() throws Exception {
     String encryptKey = generateAESKeyBase64();
     String iv = generateRandomIvBase64(16);
     String encrypted = aesEncryptToBase64("hello colin", encryptKey, iv);
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("lookup:all:test@gary", createMockLookupResponse("@colin:test@gary", encrypted, iv))
         .stub("lookup:shared_key@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
         .build();
 
-    String actual = SharedKeys.get(connection, createAtSign("colin"), keys, key);
+    String actual = SharedKeyCommands.get(executor, createAtSign("colin"), keys, key);
 
     assertThat(actual, equalTo("hello colin"));
   }
@@ -115,18 +116,18 @@ void getGetSharedByOther() throws Exception {
   @Test
   void testPutWhenSharedKeyAlreadyExists() throws Exception {
     String encryptKey = generateAESKeyBase64();
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:shared_key.colin@gary", "data:" + rsaEncryptToBase64(encryptKey, keys.getEncryptPublicKey()))
         .stub("update:isEncrypted:true:ivNonce:.+:@colin:test@gary .+", "data:123")
         .build();
 
-    SharedKeys.put(connection, createAtSign("gary"), keys, key, "hello colin");
-    verify(connection).sendSync(argThat(s -> s.contains("update:") && !s.contains("hello colin")));
+    SharedKeyCommands.put(executor, createAtSign("gary"), keys, key, "hello colin");
+    verify(executor).sendSync(argThat(s -> s.contains("update:") && !s.contains("hello colin")));
   }
 
   @Test
   void testPutWhenSharedKeDoesNotAlreadyExists() throws Exception {
-    AtClientConnection connection = TestConnectionBuilder.builder()
+    AtCommandExecutor executor = TestConnectionBuilder.builder()
         .stub("llookup:shared_key.colin@gary", "error:AT0015:deliberate")
         .stub("plookup:publickey@colin", "data:" + keys.getEncryptPublicKey())
         .stub("update:shared_key.colin@gary .+", "data:1")
@@ -134,7 +135,7 @@ void testPutWhenSharedKeDoesNotAlreadyExists() throws Exception {
         .stub("update:isEncrypted:true:ivNonce:.+:@colin:test@gary .+", "data:3")
         .build();
 
-    SharedKeys.put(connection, createAtSign("gary"), keys, key, "hello colin");
+    SharedKeyCommands.put(executor, createAtSign("gary"), keys, key, "hello colin");
   }
 
   private static String createMockLookupResponse(String key, String value) {
diff --git a/at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java b/at_client/src/test/java/org/atsign/client/impl/commands/TestConnectionBuilder.java
similarity index 84%
rename from at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java
rename to at_client/src/test/java/org/atsign/client/impl/commands/TestConnectionBuilder.java
index 0487d380..15c32fa7 100644
--- a/at_client/src/test/java/org/atsign/client/connection/protocol/TestConnectionBuilder.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/TestConnectionBuilder.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.protocol;
+package org.atsign.client.impl.commands;
 
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.when;
@@ -10,7 +10,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.atsign.client.connection.api.AtClientConnection;
+import org.atsign.client.api.AtCommandExecutor;
 import org.mockito.Mockito;
 import org.mockito.stubbing.Answer;
 
@@ -53,9 +53,9 @@ public TestConnectionBuilder stub(Pattern command, Exception ex) {
     return this;
   }
 
-  public AtClientConnection build() throws ExecutionException, InterruptedException {
-    AtClientConnection connection = Mockito.mock(AtClientConnection.class);
-    when(connection.sendSync(anyString())).thenAnswer((Answer<String>) invocation -> {
+  public AtCommandExecutor build() throws ExecutionException, InterruptedException {
+    AtCommandExecutor mock = Mockito.mock(AtCommandExecutor.class);
+    when(mock.sendSync(anyString())).thenAnswer((Answer<String>) invocation -> {
       String command = invocation.getArgument(0);
       for (Map.Entry<Pattern, Object> entry : mapping.entrySet()) {
         Matcher matcher = entry.getKey().matcher(command);
@@ -71,6 +71,6 @@ public AtClientConnection build() throws ExecutionException, InterruptedExceptio
       }
       throw new IllegalArgumentException("no stub for " + command);
     });
-    return connection;
+    return mock;
   }
 }
diff --git a/at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java b/at_client/src/test/java/org/atsign/client/impl/common/CommandElementTest.java
similarity index 63%
rename from at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java
rename to at_client/src/test/java/org/atsign/client/impl/common/CommandElementTest.java
index 0c9c2d72..2ab9b37a 100644
--- a/at_client/src/test/java/org/atsign/client/connection/common/CommandTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/common/CommandElementTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.common;
+package org.atsign.client.impl.common;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
@@ -11,32 +11,32 @@
 
 import org.junit.jupiter.api.Test;
 
-class CommandTest {
+class CommandElementTest {
 
   @Test
   void testToStringReturnsText() {
-    Command command = new Command("scan", new CompletableFuture<>(), 100, false);
+    CommandElement command = new CommandElement("scan", new CompletableFuture<>(), 100, false);
 
     assertThat(command.toString(), equalTo("scan"));
   }
 
   @Test
   void testIsTimedOutTrueWhenTimestampBeforeTimeout() {
-    Command command = new Command("cmd", new CompletableFuture<>(), 100, false);
+    CommandElement command = new CommandElement("cmd", new CompletableFuture<>(), 100, false);
 
     assertThat(command.isTimedOut(101L), is(true));
   }
 
   @Test
   void testIsTimedOutFalseWhenTimestampAfterTimeout() {
-    Command command = new Command("cmd", new CompletableFuture<>(), 300, false);
+    CommandElement command = new CommandElement("cmd", new CompletableFuture<>(), 300, false);
 
     assertThat(command.isTimedOut(200L), is(false));
   }
 
   @Test
   void testIsTimedOutFalseWhenTimestampEqualsTimeout() {
-    Command command = new Command("cmd", new CompletableFuture<>(), 300, false);
+    CommandElement command = new CommandElement("cmd", new CompletableFuture<>(), 300, false);
 
     assertThat(command.isTimedOut(300L), is(false));
   }
@@ -44,7 +44,7 @@ void testIsTimedOutFalseWhenTimestampEqualsTimeout() {
   @Test
   void testCompleteSetsFutureValue() throws Exception {
     CompletableFuture<String> future = new CompletableFuture<>();
-    Command command = new Command("cmd", future, 0, false);
+    CommandElement command = new CommandElement("cmd", future, 0, false);
 
     command.complete("result");
 
@@ -54,7 +54,7 @@ void testCompleteSetsFutureValue() throws Exception {
   @Test
   void testCompleteAllowsNullValue() throws Exception {
     CompletableFuture<String> future = new CompletableFuture<>();
-    Command command = new Command("cmd", future, 0, false);
+    CommandElement command = new CommandElement("cmd", future, 0, false);
 
     command.complete(null);
 
@@ -66,7 +66,7 @@ void testCompleteConsumerCommandCompletesFutureAndCallsConsumer() {
     CompletableFuture<Void> future = new CompletableFuture<>();
     Consumer<String> consumer = mock(Consumer.class);
 
-    Command command = new Command("monitor", future, consumer, 0, false);
+    CommandElement command = new CommandElement("monitor", future, consumer, 0, false);
 
     command.complete("notification:xyz");
 
@@ -79,7 +79,7 @@ void testCompleteConsumerCommandDoesNotCallConsumerWhenNullValue() {
     CompletableFuture<Void> future = new CompletableFuture<>();
     Consumer<String> consumer = mock(Consumer.class);
 
-    Command command = new Command("cmd", future, consumer, 0, false);
+    CommandElement command = new CommandElement("cmd", future, consumer, 0, false);
 
     command.complete(null);
 
@@ -90,7 +90,7 @@ void testCompleteConsumerCommandDoesNotCallConsumerWhenNullValue() {
   @Test
   void testCompleteExceptionallyCompletesFutureExceptionally() {
     CompletableFuture<String> future = new CompletableFuture<>();
-    Command command = new Command("cmd", future, 0, false);
+    CommandElement command = new CommandElement("cmd", future, 0, false);
 
     command.completeExceptionally(new RuntimeException("deliberate"));
 
@@ -101,14 +101,14 @@ void testCompleteExceptionallyCompletesFutureExceptionally() {
 
   @Test
   void testIsMatchReturnsTrueForCommand() {
-    Command command = new Command("scan", new CompletableFuture<>(), 0, false);
+    CommandElement command = new CommandElement("scan", new CompletableFuture<>(), 0, false);
 
     assertThat(command.isMatch("xyz"), is(true));
   }
 
   @Test
   void testIsMatchReturnsExpectedResultForConsumerCommand() {
-    Command command = new Command("monitor", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("monitor", new CompletableFuture<>(), s -> {
     }, 0, false);
 
     assertThat(command.isMatch("notification:xyz"), is(true));
@@ -117,8 +117,8 @@ void testIsMatchReturnsExpectedResultForConsumerCommand() {
 
   @Test
   void testIsConsumerCommandReturnsExpectedResults() {
-    Command command = new Command("scan", new CompletableFuture<>(), 0, false);
-    Command consumerCommand = new Command("monitor", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("scan", new CompletableFuture<>(), 0, false);
+    CommandElement consumerCommand = new CommandElement("monitor", new CompletableFuture<>(), s -> {
     }, 0, false);
 
     assertThat(command.isConsumerCommand(), is(false));
@@ -127,18 +127,18 @@ void testIsConsumerCommandReturnsExpectedResults() {
 
   @Test
   void testIsConsumerCommandStaticMethodReturnsExpectedResults() {
-    Command command = new Command("scan", new CompletableFuture<>(), 0, false);
-    Command consumerCommand = new Command("monitor", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("scan", new CompletableFuture<>(), 0, false);
+    CommandElement consumerCommand = new CommandElement("monitor", new CompletableFuture<>(), s -> {
     }, 0, false);
 
-    assertThat(Command.isConsumerCommand(consumerCommand), is(true));
-    assertThat(Command.isConsumerCommand(command), is(false));
-    assertThat(Command.isConsumerCommand(null), is(false));
+    assertThat(CommandElement.isConsumerCommand(consumerCommand), is(true));
+    assertThat(CommandElement.isConsumerCommand(command), is(false));
+    assertThat(CommandElement.isConsumerCommand(null), is(false));
   }
 
   @Test
   void testIsConsumerResponseReturnsExpectedResults() {
-    assertThat(Command.isConsumerResponse("notification:test"), is(true));
-    assertThat(Command.isConsumerResponse("ok"), is(false));
+    assertThat(CommandElement.isConsumerResponse("notification:test"), is(true));
+    assertThat(CommandElement.isConsumerResponse("ok"), is(false));
   }
 }
diff --git a/at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java b/at_client/src/test/java/org/atsign/client/impl/common/CommandQueueTest.java
similarity index 68%
rename from at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java
rename to at_client/src/test/java/org/atsign/client/impl/common/CommandQueueTest.java
index 927f00e8..de9ef6f9 100644
--- a/at_client/src/test/java/org/atsign/client/connection/common/CommandQueueTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/common/CommandQueueTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.common;
+package org.atsign.client.impl.common;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
@@ -38,7 +38,7 @@ void testNewQueueHasSizeZero() {
 
   @Test
   void testOfferNonConsumerCommandWithinCapacityReturnsTrue() {
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
 
     boolean result = commandQueue.offer(command);
 
@@ -47,7 +47,7 @@ void testOfferNonConsumerCommandWithinCapacityReturnsTrue() {
 
   @Test
   void testOfferNonConsumerCommandIncreasesSize() {
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
 
     commandQueue.offer(command);
 
@@ -57,7 +57,7 @@ void testOfferNonConsumerCommandIncreasesSize() {
   @Test
   void testOfferMultipleCommandsIncreasesSize() {
     for (int i = 0; i < 5; i++) {
-      Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+      CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
       commandQueue.offer(command);
     }
 
@@ -68,9 +68,9 @@ void testOfferMultipleCommandsIncreasesSize() {
   void testOfferExceedingCapacityReturnsFalse() {
     CommandQueue queue = new CommandQueue(2);
 
-    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
-    Command command3 = new Command("request3", new CompletableFuture<>(), 2L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 1L, false);
+    CommandElement command3 = new CommandElement("request3", new CompletableFuture<>(), 2L, false);
 
     queue.offer(command1);
     queue.offer(command2);
@@ -83,8 +83,8 @@ void testOfferExceedingCapacityReturnsFalse() {
   void testOfferExceedingCapacityDoesNotIncreaseSize() {
     CommandQueue smallQueue = new CommandQueue(1);
 
-    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 1L, false);
 
     smallQueue.offer(command1);
     smallQueue.offer(command2);
@@ -96,14 +96,14 @@ void testOfferExceedingCapacityDoesNotIncreaseSize() {
   void testOfferAtExactCapacityReturnsTrue() {
     CommandQueue queue = new CommandQueue(1);
 
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
 
     assertThat(queue.offer(command), is(true));
   }
 
   @Test
   void testOfferConsumerCommandWhenNoExistingConsumerReturnsTrue() {
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
 
     boolean result = commandQueue.offer(command);
 
@@ -112,11 +112,11 @@ void testOfferConsumerCommandWhenNoExistingConsumerReturnsTrue() {
 
   @Test
   void testOfferSecondConsumerCommandReturnsFalse() {
-    Command command1 = new Command("request1", new CompletableFuture<>(), s -> {
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), s -> {
     }, 0L, false);
     commandQueue.offer(command1);
 
-    Command command2 = new Command("request1", new CompletableFuture<>(), s -> {
+    CommandElement command2 = new CommandElement("request1", new CompletableFuture<>(), s -> {
     }, 0L, false);
 
     commandQueue.offer(command2);
@@ -133,7 +133,7 @@ void testOfferSecondConsumerCommandReturnsFalse() {
   void testPopEmptyQueueReturnsNull() {
     assertThat(commandQueue.pop("response"), nullValue());
 
-    Command command = new Command("request1", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("request1", new CompletableFuture<>(), s -> {
     }, 0L, false);
     commandQueue.offer(command);
     commandQueue.pop("response1");
@@ -148,7 +148,7 @@ void testPopReturnsNullForEventIfNoConsumerCommand() {
 
   @Test
   void testPopReturnsExpectedCommandForResponse() {
-    Command command = new Command("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
     commandQueue.offer(command);
     commandQueue.pop("@");
 
@@ -157,14 +157,14 @@ void testPopReturnsExpectedCommandForResponse() {
 
   @Test
   void testPopReturnsNullForPromptIfNoConsumerCommand() {
-    Command command = new Command("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
     commandQueue.offer(command);
     assertThat(commandQueue.pop("@"), nullValue());
   }
 
   @Test
   void testPopReturnsConsumerCommandForPrompt() {
-    Command command = new Command("request1", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("request1", new CompletableFuture<>(), s -> {
     }, 0L, false);
     commandQueue.offer(command);
     assertThat(commandQueue.pop("@"), equalTo(command));
@@ -172,7 +172,7 @@ void testPopReturnsConsumerCommandForPrompt() {
 
   @Test
   void testPopWithEventReturnsConsumerCommand() {
-    Command command = new Command("monitor", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("monitor", new CompletableFuture<>(), s -> {
     }, 0L, false);
     commandQueue.offer(command);
     assertThat(commandQueue.size(), equalTo(1));
@@ -187,7 +187,7 @@ void testPopWithEventReturnsConsumerCommand() {
 
   @Test
   void testPopWithEventReturnsPeekedConsumerCommand() {
-    Command command = new Command("monitor", new CompletableFuture<>(), s -> {
+    CommandElement command = new CommandElement("monitor", new CompletableFuture<>(), s -> {
     }, 0L, false);
     commandQueue.offer(command);
     assertThat(commandQueue.size(), equalTo(1));
@@ -200,8 +200,8 @@ void testPopWithEventReturnsPeekedConsumerCommand() {
 
   @Test
   void testPollReturnsFirstIn() {
-    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 0L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 0L, false);
 
     commandQueue.offer(command1);
     commandQueue.offer(command2);
@@ -216,8 +216,8 @@ void testPollReturnsFirstIn() {
 
   @Test
   void testPeekReturnsFirstIn() {
-    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 0L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 0L, false);
 
     commandQueue.offer(command1);
     commandQueue.offer(command2);
@@ -239,7 +239,7 @@ void testIsEmptyReturnsTrueWhenQueueHasNoCommands() {
 
   @Test
   void testIsEmptyReturnsFalseAfterCommandOffered() {
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
     commandQueue.offer(command);
 
     assertThat(commandQueue.isEmpty(), is(false));
@@ -249,7 +249,7 @@ void testIsEmptyReturnsFalseAfterCommandOffered() {
   void testSizeReflectsNumberOfCommandsInQueue() {
     int count = 4;
     for (int i = 0; i < count; i++) {
-      Command command = new Command("request", new CompletableFuture<>(), i, false);
+      CommandElement command = new CommandElement("request", new CompletableFuture<>(), i, false);
       commandQueue.offer(command);
       assertThat(commandQueue.size(), is(i + 1));
     }
@@ -257,13 +257,13 @@ void testSizeReflectsNumberOfCommandsInQueue() {
 
   @Test
   void testIteratorReturnsAllOfferedCommands() {
-    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 1L, false);
 
     commandQueue.offer(command1);
     commandQueue.offer(command2);
 
-    List<Command> iterated = new ArrayList<>();
+    List<CommandElement> iterated = new ArrayList<>();
     commandQueue.iterator().forEachRemaining(iterated::add);
 
     assertThat(iterated, hasSize(2));
@@ -277,13 +277,13 @@ void testIteratorOnEmptyQueueHasNoElements() {
 
   @Test
   void testForEachVisitsAllCommands() {
-    Command command1 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 1L, false);
 
     commandQueue.offer(command1);
     commandQueue.offer(command2);
 
-    List<Command> visited = new ArrayList<>();
+    List<CommandElement> visited = new ArrayList<>();
     commandQueue.forEach(visited::add);
 
     assertThat(visited, hasSize(2));
@@ -292,16 +292,16 @@ void testForEachVisitsAllCommands() {
 
   @Test
   void testSpliteratorCoversAllCommands() {
-    Command command1 = new Command("monitor", new CompletableFuture<>(), s -> {
+    CommandElement command1 = new CommandElement("monitor", new CompletableFuture<>(), s -> {
     }, 0L, false);
-    Command command2 = new Command("request1", new CompletableFuture<>(), 0L, false);
-    Command command3 = new Command("request2", new CompletableFuture<>(), 1L, false);
+    CommandElement command2 = new CommandElement("request1", new CompletableFuture<>(), 0L, false);
+    CommandElement command3 = new CommandElement("request2", new CompletableFuture<>(), 1L, false);
 
     commandQueue.offer(command1);
     commandQueue.offer(command2);
     commandQueue.offer(command3);
 
-    List<Command> collected = new ArrayList<>();
+    List<CommandElement> collected = new ArrayList<>();
     commandQueue.spliterator().forEachRemaining(collected::add);
 
     assertThat(collected, hasSize(3));
@@ -325,7 +325,7 @@ void testSpliteratorCoversAllCommands() {
   @Test
   void testOfferToZeroCapacityQueueReturnsFalse() {
     CommandQueue zeroQueue = new CommandQueue(0);
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
 
     boolean result = zeroQueue.offer(command);
 
@@ -335,7 +335,7 @@ void testOfferToZeroCapacityQueueReturnsFalse() {
   @Test
   void testZeroCapacityQueueRemainsEmpty() {
     CommandQueue zeroQueue = new CommandQueue(0);
-    Command command = new Command("request", new CompletableFuture<>(), 0L, false);
+    CommandElement command = new CommandElement("request", new CompletableFuture<>(), 0L, false);
     zeroQueue.offer(command);
 
     assertThat(zeroQueue.isEmpty(), is(true));
@@ -343,9 +343,9 @@ void testZeroCapacityQueueRemainsEmpty() {
 
   @Test
   void testPollTimedOut() {
-    Command command1 = new Command("request1", new CompletableFuture<>(), 1L, false);
-    Command command2 = new Command("request2", new CompletableFuture<>(), 1L, false);
-    Command command3 = new Command("request3", new CompletableFuture<>(), 2L, false);
+    CommandElement command1 = new CommandElement("request1", new CompletableFuture<>(), 1L, false);
+    CommandElement command2 = new CommandElement("request2", new CompletableFuture<>(), 1L, false);
+    CommandElement command3 = new CommandElement("request3", new CompletableFuture<>(), 2L, false);
 
     commandQueue.offer(command1);
     commandQueue.offer(command2);
diff --git a/at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java b/at_client/src/test/java/org/atsign/client/impl/common/SimpleReconnectStrategyTest.java
similarity index 99%
rename from at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java
rename to at_client/src/test/java/org/atsign/client/impl/common/SimpleReconnectStrategyTest.java
index 9ea37521..7d8fbac4 100644
--- a/at_client/src/test/java/org/atsign/client/connection/common/SimpleReconnectStrategyTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/common/SimpleReconnectStrategyTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.common;
+package org.atsign.client.impl.common;
 
 import org.junit.jupiter.api.Test;
 
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandEncoderTest.java
similarity index 96%
rename from at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java
rename to at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandEncoderTest.java
index 56fc22b8..8639e820 100644
--- a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtCommandEncoderTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandEncoderTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java
similarity index 72%
rename from at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java
rename to at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java
index be2841ce..91936b99 100644
--- a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionIT.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
@@ -9,8 +9,8 @@
 import java.util.List;
 import java.util.concurrent.CopyOnWriteArrayList;
 
-import org.atsign.client.connection.netty.NettyAtClientConnection.NettyAtClientConnectionBuilder;
-import org.atsign.common.AtSign;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.netty.NettyAtCommandExecutor.NettyAtCommandExecutorBuilder;
 import org.atsign.cucumber.helpers.Helpers;
 import org.atsign.virtualenv.VirtualEnv;
 import org.hamcrest.Matchers;
@@ -20,7 +20,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
-class NettyAtClientConnectionIT {
+class NettyAtCommandExecutorIT {
 
   @BeforeAll
   public static void classSetup() {
@@ -45,8 +45,8 @@ void testScan() throws Exception {
         .rootUrl("vip.ve.atsign.zone:64")
         .atsign(createAtSign("colin"))
         .build();
-    try (NettyAtClientConnection connection = NettyAtClientConnection.builder().endpoint(provider).build()) {
-      assertThat(connection.sendSync("scan"), Matchers.startsWith("data:"));
+    try (NettyAtCommandExecutor executor = NettyAtCommandExecutor.builder().endpoint(provider).build()) {
+      assertThat(executor.sendSync("scan"), Matchers.startsWith("data:"));
     }
   }
 
@@ -59,12 +59,12 @@ void testUnauthenticatedMonitorAttempt() throws Exception {
         .atsign(atSign)
         .build();
 
-    NettyAtClientConnectionBuilder builder = NettyAtClientConnection.builder()
+    NettyAtCommandExecutorBuilder builder = NettyAtCommandExecutor.builder()
         .endpoint(provider);
 
-    try (NettyAtClientConnection connection = builder.build()) {
+    try (NettyAtCommandExecutor executor = builder.build()) {
       List<String> notifications = new CopyOnWriteArrayList<>();
-      connection.sendSync("monitor", notifications::add);
+      executor.sendSync("monitor", notifications::add);
       await().until(() -> !notifications.isEmpty());
       assertThat(notifications.get(0), Matchers.startsWith("error:"));
     }
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorTest.java
similarity index 75%
rename from at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java
rename to at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorTest.java
index 131be841..de8dfd38 100644
--- a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtClientConnectionTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorTest.java
@@ -1,8 +1,8 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import static java.util.concurrent.Executors.newSingleThreadScheduledExecutor;
 import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.atsign.client.connection.protocol.AtExceptions.throwOnReadyException;
+import static org.atsign.client.impl.commands.AtExceptions.throwOnReadyException;
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
@@ -20,15 +20,15 @@
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
 
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.api.AtEndpointSupplier;
-import org.atsign.client.connection.common.SimpleReconnectStrategy;
-import org.atsign.client.connection.netty.NettyAtClientConnection.NettyAtClientConnectionBuilder;
-import org.atsign.client.connection.protocol.AtExceptions;
-import org.atsign.common.exceptions.AtSecondaryConnectException;
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
-import org.atsign.common.exceptions.AtTimeoutException;
-import org.atsign.common.exceptions.AtUnauthenticatedException;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.AtEndpointSupplier;
+import org.atsign.client.impl.common.SimpleReconnectStrategy;
+import org.atsign.client.impl.netty.NettyAtCommandExecutor.NettyAtCommandExecutorBuilder;
+import org.atsign.client.impl.commands.AtExceptions;
+import org.atsign.client.impl.exceptions.AtSecondaryConnectException;
+import org.atsign.client.impl.exceptions.AtSecondaryNotFoundException;
+import org.atsign.client.impl.exceptions.AtTimeoutException;
+import org.atsign.client.impl.exceptions.AtUnauthenticatedException;
 import org.junit.jupiter.api.*;
 import org.mockito.ArgumentCaptor;
 import org.slf4j.Logger;
@@ -38,11 +38,11 @@
 
 @SuppressWarnings("unchecked")
 @Slf4j
-class NettyAtClientConnectionTest {
+class NettyAtCommandExecutorTest {
 
   private TestServer server;
   private TestEndPointSupplier endPointSupplier;
-  private NettyAtClientConnectionBuilder connectionBuilder;
+  private NettyAtCommandExecutorBuilder connectionBuilder;
   private TestReconnectStrategy reconnectStrategy;
 
   @BeforeEach
@@ -50,7 +50,7 @@ public void setup() throws Exception {
     server = new TestServer();
     stubTestServerConnectAndResponseBehaviour(server);
     endPointSupplier = new TestEndPointSupplier();
-    connectionBuilder = NettyAtClientConnection.builder()
+    connectionBuilder = NettyAtCommandExecutor.builder()
         .endpoint(endPointSupplier)
         .sslContext(server.getClientSslContext());
     reconnectStrategy = TestReconnectStrategy.testBuilder()
@@ -67,97 +67,97 @@ public void teardown() throws Exception {
 
   @Test
   void testConnectSucceed() throws Exception {
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
       assertThat(endPointSupplier.invocationCount, equalTo(1));
     }
   }
 
   @Test
   void testBuilderOnReadyIsInvokedOnConnection() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
     connectionBuilder.onReady(consumer);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      verify(consumer).accept(eq(connection));
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      verify(consumer).accept(eq(executor));
     }
   }
 
   @Test
   void testBuilderOnReadyIsInvokedOnReconnect() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
     connectionBuilder.onReady(consumer).reconnect(reconnectStrategy);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      await().until(connection::isReady);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      await().until(executor::isReady);
       server.closeClientSocket();
-      await().until(connection::isReady);
+      await().until(executor::isReady);
       server.closeClientSocket();
-      await().until(connection::isReady);
+      await().until(executor::isReady);
 
-      verify(consumer, times(3)).accept(eq(connection));
+      verify(consumer, times(3)).accept(eq(executor));
     }
   }
 
   @Test
   void testOnReadyIsInvokedIfReady() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      await().until(connection::isReady);
-      connection.onReady(consumer);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      await().until(executor::isReady);
+      executor.onReady(consumer);
 
-      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(executor));
     }
   }
 
   @Test
   void testOnReadyWhenConnectionIsEstablishedButBeforeConnectionIsReady() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
     CountDownLatch latch = new CountDownLatch(1);
     stubTestServerConnectAndResponseBehaviourWithConnectLatch(server, latch);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      connection.onReady(consumer);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      executor.onReady(consumer);
       latch.countDown();
 
-      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(executor));
     }
   }
 
   @Test
   void testOnReadyBeforeConnectionIsBound() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
     server.closeServerSocket();
     connectionBuilder.reconnect(reconnectStrategy);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      connection.onReady(consumer);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      executor.onReady(consumer);
       server.newServerSocket();
 
-      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(executor));
     }
   }
 
   @Test
   void testOnReadyBeforeConnectionIsAccepted() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
     server.closeServerSocket();
     server.newServerSocketWithoutAccept();
     connectionBuilder.reconnect(reconnectStrategy);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      connection.onReady(consumer);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      executor.onReady(consumer);
       server.accept();
 
-      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(executor));
     }
   }
 
   @Test
   void testOnReadyWhilstReadying() throws Exception {
-    Consumer<AtClientConnection> consumer = mock(Consumer.class);
+    Consumer<AtCommandExecutor> consumer = mock(Consumer.class);
     CountDownLatch latch = new CountDownLatch(1);
     stubTestServerConnectAndResponseBehaviourWithRequestLatch(server, latch);
     connectionBuilder.onReady(AtExceptions.throwOnReadyException(c -> c.sendSync("request")));
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      connection.onReady(consumer);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      executor.onReady(consumer);
       latch.countDown();
 
-      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(connection));
+      verify(consumer, timeout(SECONDS.toMillis(1))).accept(eq(executor));
     }
   }
 
@@ -173,8 +173,8 @@ void testOnReadyNetworkExceptionsShouldNotBeFatalForTheConnection() throws Excep
       }
     });
     connectionBuilder.reconnect(reconnectStrategy).onReady(throwOnReadyException(c -> c.sendSync("request")));
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      assertThat(connection.sendSync("request2"), equalTo("response2"));
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      assertThat(executor.sendSync("request2"), equalTo("response2"));
     }
   }
 
@@ -190,16 +190,16 @@ void testOnReadyAtExceptionsShouldBeFatalForTheConnection() throws Exception {
 
   @Test
   void testSendSync() throws Exception {
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      assertThat(connection.sendSync("request"), equalTo("response"));
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      assertThat(executor.sendSync("request"), equalTo("response"));
     }
   }
 
   @Test
   void testSendSyncAfterClosesThrowsException() throws Exception {
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      connection.close();
-      Exception ex = assertThrows(Exception.class, () -> connection.sendSync("request"));
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      executor.close();
+      Exception ex = assertThrows(Exception.class, () -> executor.sendSync("request"));
       assertThat(ex.getMessage(), containsString("connection closed"));
     }
   }
@@ -215,8 +215,8 @@ void testSendSyncFromOnReady() throws Exception {
         throw new RuntimeException(e);
       }
     });
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      await().until(connection::isReady);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      await().until(executor::isReady);
       assertThat(responses, contains("response1", "response2"));
     }
   }
@@ -224,11 +224,11 @@ void testSendSyncFromOnReady() throws Exception {
   @Test
   void testSendSyncFromConsumerTriggersException() throws Exception {
     stubTestServerConnectAndAndAutomaticNotification(server);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       AtomicReference<Exception> ex = new AtomicReference<>();
-      connection.sendSync("monitor", s -> {
+      executor.sendSync("monitor", s -> {
         try {
-          connection.sendSync("request");
+          executor.sendSync("request");
         } catch (Exception e) {
           ex.set(e);
         }
@@ -240,19 +240,19 @@ void testSendSyncFromConsumerTriggersException() throws Exception {
 
   @Test
   void testSend() throws Exception {
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      assertThat(connection.send("request").get(), equalTo("response"));
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      assertThat(executor.send("request").get(), equalTo("response"));
     }
   }
 
   @Test
   void testSendFromConsumerTriggersException() throws Exception {
     stubTestServerConnectAndAndAutomaticNotification(server);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       AtomicReference<Exception> ex = new AtomicReference<>();
-      connection.sendSync("monitor", s -> {
+      executor.sendSync("monitor", s -> {
         try {
-          connection.send("request");
+          executor.send("request");
         } catch (Exception e) {
           ex.set(e);
         }
@@ -272,10 +272,10 @@ void testSendFromOnReadyTriggersException() throws Exception {
   @Test
   void testSendMultipleTimesWorksWhenNumberOfCommandsIsLessThanOrEqualToTheQueueLimit() throws Exception {
     connectionBuilder.queueLimit(3);
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      CompletableFuture<String> future1 = connection.send("request1");
-      CompletableFuture<String> future2 = connection.send("request2");
-      CompletableFuture<String> future3 = connection.send("request3");
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      CompletableFuture<String> future1 = executor.send("request1");
+      CompletableFuture<String> future2 = executor.send("request2");
+      CompletableFuture<String> future3 = executor.send("request3");
       assertThat(future1.get(), equalTo("response1"));
       assertThat(future2.get(), equalTo("response2"));
       assertThat(future3.get(), equalTo("response3"));
@@ -287,10 +287,10 @@ void testSendMultipleTimesWillCompleteExceptionallyWhenQueueLimitIsBreached() th
     CountDownLatch latch = new CountDownLatch(1);
     stubTestServerConnectAndResponseBehaviourWithRequestLatch(server, latch);
     connectionBuilder.queueLimit(1);
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      CompletableFuture<String> future1 = connection.send("request1");
-      CompletableFuture<String> future2 = connection.send("request2");
-      CompletableFuture<String> future3 = connection.send("request3");
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      CompletableFuture<String> future1 = executor.send("request1");
+      CompletableFuture<String> future2 = executor.send("request2");
+      CompletableFuture<String> future3 = executor.send("request3");
       latch.countDown();
       assertThat(future1.get(), equalTo("response1"));
       assertThat(future2.get(), equalTo("response2"));
@@ -302,19 +302,19 @@ void testSendMultipleTimesWillCompleteExceptionallyWhenQueueLimitIsBreached() th
 
   @Test
   void testSendWithFuture() throws Exception {
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       CompletableFuture<String> future = new CompletableFuture<>();
-      connection.send("request", future);
+      executor.send("request", future);
       assertThat(future.get(), equalTo("response"));
     }
   }
 
   @Test
   void testSendSyncWithConsumer() throws Exception {
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       List<String> list = new CopyOnWriteArrayList<>();
       Consumer<String> consumer = list::add;
-      connection.sendSync("monitor", consumer);
+      executor.sendSync("monitor", consumer);
       await().until(() -> "monitor".equals(server.poll()));
       server.writeAndFlush("notification:one\n", "notification:two\n", "notification:three\n");
       await().until(() -> list.size() == 3);
@@ -325,11 +325,11 @@ void testSendSyncWithConsumer() throws Exception {
   @Test
   void testSendSyncWithConsumerFromConsumerTriggersException() throws Exception {
     stubTestServerConnectAndAndAutomaticNotification(server);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       AtomicReference<Exception> ex = new AtomicReference<>();
-      connection.sendSync("monitor", s -> {
+      executor.sendSync("monitor", s -> {
         try {
-          connection.sendSync("request", response -> {
+          executor.sendSync("request", response -> {
           });
         } catch (Exception e) {
           ex.set(e);
@@ -343,11 +343,11 @@ void testSendSyncWithConsumerFromConsumerTriggersException() throws Exception {
   @Test
   void testSendWithConsumerFromConsumerTriggersException() throws Exception {
     stubTestServerConnectAndAndAutomaticNotification(server);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       AtomicReference<Exception> ex = new AtomicReference<>();
-      connection.sendSync("monitor", s -> {
+      executor.sendSync("monitor", s -> {
         try {
-          connection.send("request", response -> {
+          executor.send("request", response -> {
           }, new CompletableFuture<>());
         } catch (Exception e) {
           ex.set(e);
@@ -369,8 +369,8 @@ void testSendSyncWithConsumerFromOnReady() throws Exception {
         throw new RuntimeException(e);
       }
     });
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      await().until(connection::isReady);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      await().until(executor::isReady);
       verify(consumer).accept("notification:xyz");
     }
   }
@@ -385,11 +385,11 @@ void testSendWithConsumerFromOnReadyTriggersException() throws Exception {
 
   @Test
   void testSendSyncWithConsumerAndFuture() throws Exception {
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       CompletableFuture<Void> future = new CompletableFuture<>();
       List<String> list = new CopyOnWriteArrayList<>();
       Consumer<String> consumer = list::add;
-      connection.send("monitor", consumer, future);
+      executor.send("monitor", consumer, future);
       future.get();
       await().until(() -> "monitor".equals(server.poll()));
       server.writeAndFlush("notification:one\n", "notification:two\n", "notification:three\n");
@@ -418,8 +418,8 @@ void testConnectEndpointProviderException() {
   void testConnectRetryFail() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
     server.closeServerSocket();
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      ExecutionException ex = assertThrows(ExecutionException.class, () -> connection.sendSync("request"));
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      ExecutionException ex = assertThrows(ExecutionException.class, () -> executor.sendSync("request"));
       assertThat(ex.getMessage(), containsString("reconnect retries exceeded"));
       assertThat(reconnectStrategy.connectFailCount, equalTo(3));
       assertThat(reconnectStrategy.connectException.getMessage(), containsString("Connection refused"));
@@ -431,8 +431,8 @@ void testConnectRetryFailTimeout() throws Exception {
     reconnectStrategy.reconnectNoLimit();
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
     server.closeServerSocket();
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      ExecutionException ex = assertThrows(ExecutionException.class, () -> connection.sendSync("request"));
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      ExecutionException ex = assertThrows(ExecutionException.class, () -> executor.sendSync("request"));
       assertThat(ex.getMessage(), containsString("timed out (in queue)"));
     }
   }
@@ -441,9 +441,9 @@ void testConnectRetryFailTimeout() throws Exception {
   void testConnectRetrySucceed() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
     server.closeServerSocket();
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       server.newServerSocket();
-      assertThat(connection.sendSync("request"), equalTo("response"));
+      assertThat(executor.sendSync("request"), equalTo("response"));
       assertThat(reconnectStrategy.connectFailCount, greaterThanOrEqualTo(1));
       assertThat(reconnectStrategy.connectException.getMessage(), containsString("Connection refused"));
     }
@@ -452,9 +452,9 @@ void testConnectRetrySucceed() throws Exception {
   @Test
   void testReconnectAfterSocketDisconnect() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       server.closeClientSocket();
-      assertThat(connection.sendSync("request"), equalTo("response"));
+      assertThat(executor.sendSync("request"), equalTo("response"));
       assertThat(reconnectStrategy.disconnectCount, greaterThanOrEqualTo(1));
       assertThat(reconnectStrategy.disconnectException.getMessage(), containsString("connection closed"));
       assertThat(endPointSupplier.invocationCount, equalTo(1));
@@ -465,8 +465,8 @@ void testReconnectAfterSocketDisconnect() throws Exception {
   void testReconnectAndResendPendingAfterSocketDisconnect() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
     stubTestServerToCloseClientSocketOnRequest(server);
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      assertThat(connection.sendSync("request"), equalTo("response"));
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      assertThat(executor.sendSync("request"), equalTo("response"));
     }
   }
 
@@ -476,12 +476,12 @@ void testReconnectAndSendQueueAfterSocketDisconnectTriggersPendingRequestToTimeo
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L).clock(clock).queueLimit(2);
     CountDownLatch latch = new CountDownLatch(1);
     stubTestServerToCloseClientSocketOnRequest(server, latch, clock, 500L);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      CompletableFuture<String> future = connection.send("request");
-      await().until(() -> connection.getPendingSize() == 1);
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      CompletableFuture<String> future = executor.send("request");
+      await().until(() -> executor.getPendingSize() == 1);
       clock.advance(1);
-      CompletableFuture<String> future2 = connection.send("request2");
-      await().until(() -> connection.getQueuedSize() == 1);
+      CompletableFuture<String> future2 = executor.send("request2");
+      await().until(() -> executor.getQueuedSize() == 1);
       log.info("setting latch");
       latch.countDown();
       ExecutionException ex = assertThrows(ExecutionException.class, future::get);
@@ -493,9 +493,9 @@ void testReconnectAndSendQueueAfterSocketDisconnectTriggersPendingRequestToTimeo
   @Test
   void testReconnectAfterSocketAndSocketServerDisconnect() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       server.closeServerSocket();
-      CompletableFuture<String> future = connection.send("request");
+      CompletableFuture<String> future = executor.send("request");
       server.newServerSocket();
       await().until(future::isDone);
       assertThat(future.get(), equalTo("response"));
@@ -508,10 +508,10 @@ void testReconnectAfterSocketAndSocketServerDisconnect() throws Exception {
   void testReconnectTimeout() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(500L);
     ExecutionException ex = assertThrows(ExecutionException.class, () -> {
-      try (AtClientConnection connection = connectionBuilder.build()) {
+      try (AtCommandExecutor executor = connectionBuilder.build()) {
         server.closeServerSocket();
         newSingleThreadScheduledExecutor().schedule(() -> server.newServerSocket(), 5, SECONDS);
-        connection.sendSync("request");
+        executor.sendSync("request");
       }
     });
     assertThat(ex.getCause(), instanceOf(AtSecondaryConnectException.class));
@@ -521,12 +521,12 @@ void testReconnectTimeout() throws Exception {
   @Test
   void testReconnectAfterSocketAndSocketServerDisconnectAndAcceptPause() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy).timeoutMillis(5000L);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       server.closeServerSocket();
       server.newServerSocketWithoutAccept();
       sleep(SECONDS.toMillis(1));
       server.accept();
-      assertThat(connection.sendSync("request"), equalTo("response"));
+      assertThat(executor.sendSync("request"), equalTo("response"));
       assertThat(reconnectStrategy.disconnectCount, greaterThanOrEqualTo(1));
       assertThat(reconnectStrategy.disconnectException.getMessage(), containsString("connection closed"));
       assertThat(endPointSupplier.invocationCount, equalTo(1));
@@ -536,9 +536,9 @@ void testReconnectAfterSocketAndSocketServerDisconnectAndAcceptPause() throws Ex
   @Test
   void testReconnectAfterSocketAndSocketServerDisconnectAndMove() throws Exception {
     connectionBuilder.reconnect(reconnectStrategy);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       server.closeServerSocket();
-      CompletableFuture<String> future = connection.send("request");
+      CompletableFuture<String> future = executor.send("request");
       server.newServerSocketNewPort();
       await().until(future::isDone);
       assertThat(future.get(), equalTo("response"));
@@ -553,11 +553,11 @@ void testCloseCompletesPendingCommands() throws Exception {
     connectionBuilder.queueLimit(2);
     CountDownLatch latch = new CountDownLatch(1);
     stubTestServerConnectAndResponseBehaviourWithRequestLatch(server, latch);
-    try (NettyAtClientConnection connection = connectionBuilder.build()) {
-      CompletableFuture<String> future1 = connection.send("request1");
-      CompletableFuture<String> future2 = connection.send("request2");
-      await().until(() -> connection.getPendingSize() == 1 && connection.getQueuedSize() == 1);
-      connection.close();
+    try (NettyAtCommandExecutor executor = connectionBuilder.build()) {
+      CompletableFuture<String> future1 = executor.send("request1");
+      CompletableFuture<String> future2 = executor.send("request2");
+      await().until(() -> executor.getPendingSize() == 1 && executor.getQueuedSize() == 1);
+      executor.close();
       Exception ex = assertThrows(Exception.class, future1::get);
       assertThat(ex.getMessage(), containsString("connection clos"));
       ex = assertThrows(Exception.class, future2::get);
@@ -572,8 +572,8 @@ void testConsumerExceptionsAreLogged() throws Exception {
     stubTestServerConnectAndAndAutomaticNotification(server);
     Logger logger = mock(Logger.class);
     connectionBuilder.log(logger);
-    try (AtClientConnection connection = connectionBuilder.build()) {
-      connection.sendSync("monitor", s -> {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
+      executor.sendSync("monitor", s -> {
         throw new RuntimeException("deliberate");
       });
       ArgumentCaptor<Throwable> captor = ArgumentCaptor.forClass(Throwable.class);
@@ -585,7 +585,7 @@ void testConsumerExceptionsAreLogged() throws Exception {
   @Test
   void testHeartbeating() throws Exception {
     connectionBuilder.heartbeatMillis(250L);
-    try (AtClientConnection connection = connectionBuilder.build()) {
+    try (AtCommandExecutor executor = connectionBuilder.build()) {
       await().until(() -> server.peek() != null);
       assertThat(server.poll(), equalTo("noop:0"));
       await().until(() -> server.peek() != null);
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtEndpointSupplierTest.java
similarity index 95%
rename from at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java
rename to at_client/src/test/java/org/atsign/client/impl/netty/NettyAtEndpointSupplierTest.java
index f996ac9b..3a64b38d 100644
--- a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtEndpointSupplierTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtEndpointSupplierTest.java
@@ -1,6 +1,6 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -8,7 +8,7 @@
 
 import java.io.IOException;
 
-import org.atsign.common.exceptions.AtSecondaryNotFoundException;
+import org.atsign.client.impl.exceptions.AtSecondaryNotFoundException;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtServerResponseDecoderTest.java
similarity index 99%
rename from at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java
rename to at_client/src/test/java/org/atsign/client/impl/netty/NettyAtServerResponseDecoderTest.java
index dcd981ec..83b73e5b 100644
--- a/at_client/src/test/java/org/atsign/client/connection/netty/NettyAtServerResponseDecoderTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtServerResponseDecoderTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
diff --git a/at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java b/at_client/src/test/java/org/atsign/client/impl/netty/TestServer.java
similarity index 98%
rename from at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java
rename to at_client/src/test/java/org/atsign/client/impl/netty/TestServer.java
index a605f273..cf94bd36 100644
--- a/at_client/src/test/java/org/atsign/client/connection/netty/TestServer.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/TestServer.java
@@ -1,7 +1,7 @@
-package org.atsign.client.connection.netty;
+package org.atsign.client.impl.netty;
 
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 import java.io.*;
 import java.math.BigInteger;
diff --git a/at_client/src/test/java/org/atsign/common/ByteUtilTest.java b/at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java
similarity index 67%
rename from at_client/src/test/java/org/atsign/common/ByteUtilTest.java
rename to at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java
index bab1c660..66ed8622 100644
--- a/at_client/src/test/java/org/atsign/common/ByteUtilTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java
@@ -1,19 +1,18 @@
-package org.atsign.common;
+package org.atsign.client.impl.util;
 
 
-import org.atsign.client.util.ByteUtil;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
-public class ByteUtilTest {
+public class ByteUtilsTest {
 
 
   @Test
   public void testByteUtil0() {
     byte[] bytec = new byte[] {74, 101, 114, 101, 109, 121, 84, 117, 98, 111, 110, 103, 98, 97, 110, 117, 97, 32};
-    assertEquals("JeremyTubongbanua ", ByteUtil.convert(bytec));
+    assertEquals("JeremyTubongbanua ", ByteUtils.convert(bytec));
 
   }
 
@@ -22,65 +21,65 @@ public void testByteUtil0() {
   public void testByteUtil1() {
     String s = "ABC";
     byte[] bytes = {65, 66, 67};
-    assertArrayEquals(bytes, ByteUtil.convert(s));
+    assertArrayEquals(bytes, ByteUtils.convert(s));
   }
 
   @Test
   public void testByteUtil2() {
     byte[] bytec = {64, 62, 75, 85, 96, 45};
-    assertEquals("@>KU`-", ByteUtil.convert(bytec));
+    assertEquals("@>KU`-", ByteUtils.convert(bytec));
   }
 
   @Test
   public void testByteUtil3() {
     String s = "@>KU`-";
     byte[] bytes = {64, 62, 75, 85, 96, 45};
-    assertArrayEquals(bytes, ByteUtil.convert(s));
+    assertArrayEquals(bytes, ByteUtils.convert(s));
   }
 
   @Test
   public void testByteUtil4() {
     byte[] bytec = {64, 65, 69, 54};
-    assertEquals("@AE6", ByteUtil.convert(bytec));
+    assertEquals("@AE6", ByteUtils.convert(bytec));
   }
 
   @Test
   public void testByteUtil5() {
     String s = "TECHNOLOGY";
     byte[] bytes = {84, 69, 67, 72, 78, 79, 76, 79, 71, 89};
-    assertArrayEquals(bytes, ByteUtil.convert(s));
+    assertArrayEquals(bytes, ByteUtils.convert(s));
   }
 
   @Test
   public void testByteUtil6() {
     byte[] bytec = new byte[] {75, 69, 82, 115, 121, 90, 43, 98};
-    assertEquals("KERsyZ+b", ByteUtil.convert(bytec));
+    assertEquals("KERsyZ+b", ByteUtils.convert(bytec));
   }
 
   @Test
   public void testByteUtil7() {
     String s = "+ada#4C0)";
     byte[] bytes = {43, 97, 100, 97, 35, 52, 67, 48, 41};
-    assertArrayEquals(bytes, ByteUtil.convert(s));
+    assertArrayEquals(bytes, ByteUtils.convert(s));
   }
 
   @Test
   public void testByteUtil8() {
     byte[] bytec = new byte[] {45, 45, 43, 97, 115, 100, 99, 96, 96, 126, 50, 41};
-    assertEquals("--+asdc``~2)", ByteUtil.convert(bytec));
+    assertEquals("--+asdc``~2)", ByteUtils.convert(bytec));
   }
 
   @Test
   public void testByteUtil9() {
     String s = "at_sign";
     byte[] bytes = {97, 116, 95, 115, 105, 103, 110};
-    assertArrayEquals(bytes, ByteUtil.convert(s));
+    assertArrayEquals(bytes, ByteUtils.convert(s));
   }
 
   @Test
   public void testByteUtil10() {
     byte[] bytec = {83, 105, 100, 104, 97, 114, 116, 104};
-    assertEquals("Sidharth", ByteUtil.convert(bytec));
+    assertEquals("Sidharth", ByteUtils.convert(bytec));
   }
 
 }
diff --git a/at_client/src/test/java/org/atsign/client/util/EncryptionUtilTest.java b/at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java
similarity index 54%
rename from at_client/src/test/java/org/atsign/client/util/EncryptionUtilTest.java
rename to at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java
index 98e6d0a7..47ede773 100644
--- a/at_client/src/test/java/org/atsign/client/util/EncryptionUtilTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java
@@ -1,4 +1,4 @@
-package org.atsign.client.util;
+package org.atsign.client.impl.util;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
@@ -6,18 +6,18 @@
 
 import org.junit.jupiter.api.Test;
 
-class EncryptionUtilTest {
+class EncryptionUtilsTest {
 
   @Test
   void testAesEncryptionWithRandomInitialisationVector() throws Exception {
-    String key = EncryptionUtil.generateAESKeyBase64();
+    String key = EncryptionUtils.generateAESKeyBase64();
     String text = "mary had a little lamb";
-    String iv = EncryptionUtil.generateRandomIvBase64(16);
+    String iv = EncryptionUtils.generateRandomIvBase64(16);
 
-    String encrypted = EncryptionUtil.aesEncryptToBase64(text, key, iv);
+    String encrypted = EncryptionUtils.aesEncryptToBase64(text, key, iv);
     assertThat(encrypted, not(equalTo(text)));
 
-    String decrypted = EncryptionUtil.aesDecryptFromBase64(encrypted, key, iv);
+    String decrypted = EncryptionUtils.aesDecryptFromBase64(encrypted, key, iv);
     assertThat(decrypted, equalTo(text));
   }
 }
diff --git a/at_client/src/test/java/org/atsign/common/FromStringTest.java b/at_client/src/test/java/org/atsign/client/impl/util/FromStringTest.java
similarity index 94%
rename from at_client/src/test/java/org/atsign/common/FromStringTest.java
rename to at_client/src/test/java/org/atsign/client/impl/util/FromStringTest.java
index 1ff4bc22..0ea16a80 100644
--- a/at_client/src/test/java/org/atsign/common/FromStringTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/util/FromStringTest.java
@@ -1,9 +1,12 @@
-package org.atsign.common;
+package org.atsign.client.impl.util;
 
-import static org.atsign.common.AtSign.createAtSign;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.junit.jupiter.api.Assertions.*;
 
-import org.atsign.common.Keys.AtKey;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.AtKey;
+import org.atsign.client.api.Metadata;
 import org.junit.jupiter.api.Test;
 
 public class FromStringTest {
diff --git a/at_client/src/test/java/org/atsign/client/impl/util/JsonUtilsTest.java b/at_client/src/test/java/org/atsign/client/impl/util/JsonUtilsTest.java
new file mode 100644
index 00000000..7214d87f
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/impl/util/JsonUtilsTest.java
@@ -0,0 +1,5 @@
+package org.atsign.client.impl.util;
+
+class JsonUtilsTest {
+
+}
diff --git a/at_client/src/test/java/org/atsign/common/KeysUtilTest.java b/at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java
similarity index 71%
rename from at_client/src/test/java/org/atsign/common/KeysUtilTest.java
rename to at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java
index e541ff58..6cafc49b 100644
--- a/at_client/src/test/java/org/atsign/common/KeysUtilTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java
@@ -1,7 +1,7 @@
-package org.atsign.common;
+package org.atsign.client.impl.util;
 
-import static org.atsign.client.util.EncryptionUtil.generateAESKeyBase64;
-import static org.atsign.client.util.EncryptionUtil.generateRSAKeyPair;
+import static org.atsign.client.impl.util.EncryptionUtils.generateAESKeyBase64;
+import static org.atsign.client.impl.util.EncryptionUtils.generateRSAKeyPair;
 import static org.junit.jupiter.api.Assertions.*;
 
 import java.io.File;
@@ -10,23 +10,23 @@
 import java.nio.file.Path;
 
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.util.KeysUtil;
+import org.atsign.client.api.AtSign;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
-public class KeysUtilTest {
+public class KeysUtilsTest {
 
   AtSign testAtSign = new AtSign("@testSaveKeysFile");
 
   @AfterEach
   public void tearDown() throws IOException {
-    Files.deleteIfExists(KeysUtil.getKeysFile(testAtSign, KeysUtil.expectedKeysFilesLocation).toPath());
-    Files.deleteIfExists(KeysUtil.getKeysFile(testAtSign, KeysUtil.legacyKeysFilesLocation).toPath());
+    Files.deleteIfExists(KeysUtils.getKeysFile(testAtSign, KeysUtils.expectedKeysFilesLocation).toPath());
+    Files.deleteIfExists(KeysUtils.getKeysFile(testAtSign, KeysUtils.legacyKeysFilesLocation).toPath());
   }
 
   @Test
   public void testSaveKeysFile() throws Exception {
-    File expected = KeysUtil.getKeysFile(testAtSign, KeysUtil.expectedKeysFilesLocation);
+    File expected = KeysUtils.getKeysFile(testAtSign, KeysUtils.expectedKeysFilesLocation);
     assertFalse(expected.exists());
 
     // Given a Map of keys (like Onboard creates)
@@ -37,7 +37,7 @@ public void testSaveKeysFile() throws Exception {
         .build();
 
     // When we call KeysUtil.saveKeys
-    KeysUtil.saveKeys(testAtSign, keys);
+    KeysUtils.saveKeys(testAtSign, keys);
 
     // Then we end up with a file with the expected name in the expected (canonical) location
     assertTrue(expected.exists());
@@ -51,10 +51,10 @@ public void testLoadKeysFile() throws Exception {
         .apkamKeyPair(generateRSAKeyPair())
         .selfEncryptKey(generateAESKeyBase64())
         .build();
-    KeysUtil.saveKeys(testAtSign, keys);
+    KeysUtils.saveKeys(testAtSign, keys);
 
     // When we call KeysUtil.loadKeys
-    AtKeys loadedKeys = KeysUtil.loadKeys(testAtSign);
+    AtKeys loadedKeys = KeysUtils.loadKeys(testAtSign);
 
     // Then the keys are loaded successfully
     assertContentsMatch(keys, loadedKeys);
@@ -68,8 +68,8 @@ public void testLoadKeysFileLegacy() throws Exception {
         .selfEncryptKey(generateAESKeyBase64())
         .build();
 
-    KeysUtil.saveKeys(testAtSign, keys);
-    File expected = KeysUtil.getKeysFile(testAtSign, KeysUtil.expectedKeysFilesLocation);
+    KeysUtils.saveKeys(testAtSign, keys);
+    File expected = KeysUtils.getKeysFile(testAtSign, KeysUtils.expectedKeysFilesLocation);
     assertTrue(expected.exists());
 
     // Given a correctly formatted keys file in the legacy location
@@ -77,13 +77,13 @@ public void testLoadKeysFileLegacy() throws Exception {
 
     // So, in order to set up the "Given" pre-conditions above, we'll need to
     // 1) move the generated file to the legacy location
-    File file = new File(KeysUtil.legacyKeysFilesLocation);
+    File file = new File(KeysUtils.legacyKeysFilesLocation);
     file.deleteOnExit();
     Files.createDirectories(file.toPath());
-    Files.move(expected.toPath(), KeysUtil.getKeysFile(testAtSign, KeysUtil.legacyKeysFilesLocation).toPath());
+    Files.move(expected.toPath(), KeysUtils.getKeysFile(testAtSign, KeysUtils.legacyKeysFilesLocation).toPath());
 
     // 2) delete the file we just generated in the expected location
-    Path expectedCanonicalFilePath = KeysUtil.getKeysFile(testAtSign, KeysUtil.expectedKeysFilesLocation).toPath();
+    Path expectedCanonicalFilePath = KeysUtils.getKeysFile(testAtSign, KeysUtils.expectedKeysFilesLocation).toPath();
     Files.deleteIfExists(expectedCanonicalFilePath);
 
     // Ensure the file does not exist in the expected place
@@ -91,7 +91,7 @@ public void testLoadKeysFileLegacy() throws Exception {
 
     // When we call KeysUtil.loadKeys
     // Then the keys are loaded successfully from the legacy location
-    AtKeys loadedKeys = KeysUtil.loadKeys(testAtSign);
+    AtKeys loadedKeys = KeysUtils.loadKeys(testAtSign);
     assertContentsMatch(keys, loadedKeys);
   }
 
diff --git a/at_client/src/test/java/org/atsign/common/JsonTest.java b/at_client/src/test/java/org/atsign/common/JsonTest.java
deleted file mode 100644
index 1f350c22..00000000
--- a/at_client/src/test/java/org/atsign/common/JsonTest.java
+++ /dev/null
@@ -1,7 +0,0 @@
-package org.atsign.common;
-
-import static org.junit.jupiter.api.Assertions.*;
-
-class JsonTest {
-
-}
diff --git a/at_client/src/test/java/org/atsign/cucumber/helpers/AtDemoData.java b/at_client/src/test/java/org/atsign/cucumber/helpers/AtDemoData.java
index 1fc629df..f6a90ea1 100644
--- a/at_client/src/test/java/org/atsign/cucumber/helpers/AtDemoData.java
+++ b/at_client/src/test/java/org/atsign/cucumber/helpers/AtDemoData.java
@@ -1,7 +1,7 @@
 package org.atsign.cucumber.helpers;
 
 
-import static org.atsign.client.util.Preconditions.checkFile;
+import static org.atsign.client.impl.common.Preconditions.checkFile;
 
 import java.io.File;
 import java.io.IOException;
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java
index 57693193..b667e47d 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/ActivateSteps.java
@@ -1,7 +1,7 @@
 package org.atsign.cucumber.steps;
 
-import static org.atsign.client.connection.protocol.Authentication.authenticateWithPkam;
-import static org.atsign.client.connection.protocol.Data.matchDataJsonListOfStrings;
+import static org.atsign.client.impl.commands.AuthenticationCommands.authenticateWithPkam;
+import static org.atsign.client.impl.commands.DataResponses.matchDataJsonListOfStrings;
 import static org.atsign.cucumber.helpers.Helpers.getFirstValue;
 import static org.atsign.cucumber.helpers.Helpers.toCanonicalMaps;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -13,14 +13,14 @@
 import java.util.Map;
 import java.util.Stack;
 
-import org.atsign.client.cli.Activate;
-import org.atsign.client.connection.api.AtClientConnection;
-import org.atsign.client.connection.protocol.Enroll;
-import org.atsign.client.connection.protocol.Keys;
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtSign;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.cli.Activate;
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.impl.commands.EnrollCommands;
+import org.atsign.client.impl.commands.KeyCommands;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 import org.atsign.cucumber.helpers.AtDemoData;
 import org.opentest4j.TestAbortedException;
 
@@ -54,7 +54,7 @@ public ActivateSteps(AtClientContext context) {
   @Given("atsign keys for {atsign} are missing")
   public void assertMissingKeys(AtSign atsign) throws Exception {
     try {
-      KeysUtil.loadKeys(atsign);
+      KeysUtils.loadKeys(atsign);
     } catch (AtClientConfigException e) {
       if (e.getMessage().contains("loadKeys: No file")) {
         return;
@@ -231,22 +231,22 @@ public ActivateTeardown(AtSign atSign, File keysFile, String cramSecret, Enrollm
 
     public void run() {
 
-      try (AtClientConnection connection = createConnection(rootUrl, atSign, 0)) {
+      try (AtCommandExecutor executor = createConnection(rootUrl, atSign, 0)) {
 
-        authenticateWithPkam(connection, atSign, KeysUtil.loadKeys(keysFile));
+        authenticateWithPkam(executor, atSign, KeysUtils.loadKeys(keysFile));
 
         // delete keys that have been created
-        matchDataJsonListOfStrings(connection.sendSync("scan")).stream()
+        matchDataJsonListOfStrings(executor.sendSync("scan")).stream()
             .filter(k -> !isProtectedKey(atSign, k))
-            .forEach(k -> deleteKeyNoThrow(connection, atSign, k));
+            .forEach(k -> deleteKeyNoThrow(executor, atSign, k));
 
         // remove enrollments
-        Enroll.list(connection, "pending").forEach(id -> denyDeleteNoThrow(connection, atSign, id));
-        Enroll.list(connection, "denied").forEach(id -> deleteNoThrow(connection, atSign, id));
-        Enroll.list(connection, "approved").stream()
+        EnrollCommands.list(executor, "pending").forEach(id -> denyDeleteNoThrow(executor, atSign, id));
+        EnrollCommands.list(executor, "denied").forEach(id -> deleteNoThrow(executor, atSign, id));
+        EnrollCommands.list(executor, "approved").stream()
             .filter(id -> !id.equals(onboardEnrollmentId))
-            .forEach(id -> revokeDeleteNoThrow(connection, atSign, id));
-        revokeDeleteNoThrow(connection, atSign, onboardEnrollmentId);
+            .forEach(id -> revokeDeleteNoThrow(executor, atSign, id));
+        revokeDeleteNoThrow(executor, atSign, onboardEnrollmentId);
       } catch (Exception e) {
         log.error("teardown for {} failed : {}", atSign, e.getMessage());
       }
@@ -259,44 +259,44 @@ private boolean isProtectedKey(AtSign atSign, String key) {
           || key.contains(("__manage@"));
     }
 
-    protected void deleteKeyNoThrow(AtClientConnection connection, AtSign atSign, String key) {
+    protected void deleteKeyNoThrow(AtCommandExecutor executor, AtSign atSign, String key) {
       try {
         log.debug("teardown for {} deleting key {}", atSign, key);
-        Keys.deleteKey(connection, key);
+        KeyCommands.deleteKey(executor, key);
       } catch (Exception e) {
         log.error("teardown for {} failed to delete key {} in onboarded server : {}",
                   atSign, key, e.getMessage());
       }
     }
 
-    private void deleteNoThrow(AtClientConnection connection, AtSign atSign, EnrollmentId id) {
+    private void deleteNoThrow(AtCommandExecutor executor, AtSign atSign, EnrollmentId id) {
       try {
         log.debug("teardown for {} deleting enroll request {}", id);
-        delete(connection, id);
+        delete(executor, id);
       } catch (Exception e) {
         log.error("teardown for {} failed to enroll delete {} in onboarded server : {}",
                   atSign, id, e.getMessage());
       }
     }
 
-    private void denyDeleteNoThrow(AtClientConnection connection, AtSign atsign, EnrollmentId id) {
+    private void denyDeleteNoThrow(AtCommandExecutor executor, AtSign atsign, EnrollmentId id) {
       try {
         log.debug("teardown for {} denying enroll request {}", atsign, id);
-        Enroll.deny(connection, id);
+        EnrollCommands.deny(executor, id);
         log.debug("teardown for {} deleting enroll request {}", atsign, id);
-        Enroll.delete(connection, id);
+        EnrollCommands.delete(executor, id);
       } catch (Exception e) {
         log.error("teardown for {} failed to enroll deny and delete {} in onboarded server : {}",
                   atsign, id, e.getMessage());
       }
     }
 
-    private void revokeDeleteNoThrow(AtClientConnection connection, AtSign atSign, EnrollmentId id) {
+    private void revokeDeleteNoThrow(AtCommandExecutor executor, AtSign atSign, EnrollmentId id) {
       try {
         log.debug("teardown for {} revoking enroll request {}", atSign, id);
-        Enroll.revoke(connection, id);
+        EnrollCommands.revoke(executor, id);
         log.debug("teardown for {} deleting enroll request {}", atSign, id);
-        Enroll.delete(connection, id);
+        EnrollCommands.delete(executor, id);
       } catch (Exception e) {
         log.error("teardown for {} failed to enroll revoke and delete {} in onboarded server : {}",
                   atSign, id, e.getMessage());
@@ -305,15 +305,15 @@ private void revokeDeleteNoThrow(AtClientConnection connection, AtSign atSign, E
   }
 
   private File createAtKeysFile(AtSign atSign) {
-    String filename = atSign.toString() + KeysUtil.keysFileSuffix;
-    File file = new File(new File(KeysUtil.expectedKeysFilesLocation), filename);
+    String filename = atSign.toString() + KeysUtils.keysFileSuffix;
+    File file = new File(new File(KeysUtils.expectedKeysFilesLocation), filename);
     teardownCommands.add(new FileDelete(file));
     return file;
   }
 
   private File createAtKeysFile(AtSign atSign, String app, String device) {
-    String filename = atSign + "-" + app + "-" + device + KeysUtil.keysFileSuffix;
-    File file = new File(new File(KeysUtil.expectedKeysFilesLocation), filename);
+    String filename = atSign + "-" + app + "-" + device + KeysUtils.keysFileSuffix;
+    File file = new File(new File(KeysUtils.expectedKeysFilesLocation), filename);
     teardownCommands.add(new FileDelete(file));
     return file;
   }
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java b/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
index ad449957..4fc0277a 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/AtClientContext.java
@@ -1,7 +1,7 @@
 package org.atsign.cucumber.steps;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.atsign.client.util.Preconditions.checkNotNull;
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 import static org.atsign.cucumber.helpers.Helpers.isHostPortReachable;
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -19,12 +19,12 @@
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.client.connection.protocol.Data;
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.impl.commands.DataResponses;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
 import org.atsign.cucumber.helpers.AtDemoData;
 import org.atsign.virtualenv.VirtualEnv;
 import org.junit.jupiter.api.function.Executable;
@@ -114,7 +114,7 @@ public void assumeRootServerIsRunning() throws AtException {
   @Given("atsign keys path is {path}")
   public void setClientAtSignKeyDir(File path) {
     checkKeysPathExists(path);
-    KeysUtil.expectedKeysFilesLocation = path.getPath();
+    KeysUtils.expectedKeysFilesLocation = path.getPath();
   }
 
   @Given("atsign keys path is at_demo_data package {path}")
@@ -124,7 +124,7 @@ public void setClientAtSignKeyDirAsAtDemoDataDir(File path) {
 
   @Given("atsign keys suffix is {word}")
   public void setClientAtSignKeySuffix(String s) {
-    KeysUtil.keysFileSuffix = s;
+    KeysUtils.keysFileSuffix = s;
   }
 
   @Given("verbose logging is {word}")
@@ -134,12 +134,12 @@ public void setLogging(String onOrOff) throws AtException {
 
   @Given("AtClient with keys {path} for {atsign}")
   public void createCurrentAtClient(File keysFile, AtSign atSign) throws Exception {
-    createCurrentAtClient(atSign, KeysUtil.loadKeys(resolveKeysFile(keysFile)), false);
+    createCurrentAtClient(atSign, KeysUtils.loadKeys(resolveKeysFile(keysFile)), false);
   }
 
   public File resolveKeysFile(File keysFile) {
     if (keysFile.getParentFile() == null) {
-      return new File(KeysUtil.expectedKeysFilesLocation, keysFile.getName());
+      return new File(KeysUtils.expectedKeysFilesLocation, keysFile.getName());
     } else {
       return keysFile;
     }
@@ -152,7 +152,7 @@ private void createCurrentAtClient(AtSign atSign, AtKeys keys, boolean withMonit
 
   @Given("AtClient for {atsign}")
   public void createCurrentAtClient(AtSign atSign) throws Exception {
-    createCurrentAtClient(atSign, KeysUtil.loadKeys(atSign), false);
+    createCurrentAtClient(atSign, KeysUtils.loadKeys(atSign), false);
   }
 
   @Given("AtClient is closed")
@@ -190,12 +190,12 @@ public void createAtClientExpectFail(AtSign atSign) {
 
   @Given("AtClient with keys {path} and startMonitor for {atsign}")
   public void createAtClientWithMonitor(File keysFile, AtSign atSign) throws Exception {
-    createCurrentAtClient(atSign, KeysUtil.loadKeys(resolveKeysFile(keysFile)), true);
+    createCurrentAtClient(atSign, KeysUtils.loadKeys(resolveKeysFile(keysFile)), true);
   }
 
   @Given("AtClient and startMonitor for {atsign}")
   public void createAtClientWithMonitor(AtSign atSign) throws Exception {
-    createCurrentAtClient(atSign, KeysUtil.loadKeys(atSign), true);
+    createCurrentAtClient(atSign, KeysUtils.loadKeys(atSign), true);
   }
 
   @Given("{ordinal} {atsign} AtClient startMonitor")
@@ -310,7 +310,7 @@ public AtClient lookupOrCreateAtClient(AtSign atSign) throws Exception {
     } else if (list.size() == 1) {
       return list.get(0);
     } else {
-      return createAtClient(atSign, KeysUtil.loadKeys(atSign), false);
+      return createAtClient(atSign, KeysUtils.loadKeys(atSign), false);
     }
   }
 
@@ -483,7 +483,7 @@ private void deleteKeyNoThrow(AtClient client, String key) {
   private List<String> scanNoThrow(AtClient client) {
     try {
       String response = client.getCommandExecutor().sendSync("scan:showHidden:true .*");
-      return Data.matchDataJsonListOfStrings(response);
+      return DataResponses.matchDataJsonListOfStrings(response);
     } catch (Exception e) {
       log.error("failed to scan : {}", e.getMessage());
       return Collections.emptyList();
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/GetAtKeysSteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/GetAtKeysSteps.java
index 1f1cdb7d..9f177d43 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/GetAtKeysSteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/GetAtKeysSteps.java
@@ -10,8 +10,8 @@
 import java.util.stream.Collectors;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import io.cucumber.datatable.DataTable;
 import io.cucumber.datatable.DataTableFormatter;
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/MonitorSteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/MonitorSteps.java
index 20d65a71..5e1dd29c 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/MonitorSteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/MonitorSteps.java
@@ -13,7 +13,7 @@
 
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtEvents;
-import org.atsign.common.AtSign;
+import org.atsign.client.api.AtSign;
 
 import io.cucumber.datatable.DataTable;
 import io.cucumber.datatable.DataTableFormatter;
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java b/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java
index 4e53f449..4e1c2f78 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java
@@ -5,8 +5,8 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
 
 import io.cucumber.java.ParameterType;
 
@@ -33,7 +33,7 @@ public Integer ordinal(String s) {
 
   @ParameterType("(AtException|AtKeyNotFoundException|AtUnauthorizedException|AtUnauthenticatedException)")
   public Class<AtException> exception(String className) throws ClassNotFoundException {
-    return (Class<AtException>) Class.forName("org.atsign.common.exceptions." + className);
+    return (Class<AtException>) Class.forName("org.atsign.client.impl.exceptions." + className);
   }
 
   @ParameterType("\\w+")
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/PublicAtKeySteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/PublicAtKeySteps.java
index 12ca8568..3ca48c2a 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/PublicAtKeySteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/PublicAtKeySteps.java
@@ -7,8 +7,8 @@
 import java.util.regex.Matcher;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import io.cucumber.java.en.Then;
 import io.cucumber.java.en.When;
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/QualifiedAtSign.java b/at_client/src/test/java/org/atsign/cucumber/steps/QualifiedAtSign.java
index 51bfb406..3b8fdac2 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/QualifiedAtSign.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/QualifiedAtSign.java
@@ -2,8 +2,8 @@
 
 import java.util.Objects;
 
-import org.atsign.client.util.EnrollmentId;
-import org.atsign.common.AtSign;
+import org.atsign.client.impl.common.EnrollmentId;
+import org.atsign.client.api.AtSign;
 
 public class QualifiedAtSign {
 
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/SelfAtKeySteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/SelfAtKeySteps.java
index 4594a193..adb7e001 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/SelfAtKeySteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/SelfAtKeySteps.java
@@ -7,8 +7,8 @@
 import java.util.regex.Matcher;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import io.cucumber.java.en.Then;
 import io.cucumber.java.en.When;
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/SharedAtKeySteps.java b/at_client/src/test/java/org/atsign/cucumber/steps/SharedAtKeySteps.java
index a65fe116..22a44eee 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/SharedAtKeySteps.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/SharedAtKeySteps.java
@@ -6,8 +6,8 @@
 import java.util.regex.Matcher;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
 
 import io.cucumber.java.en.Then;
 import io.cucumber.java.en.When;
diff --git a/at_shell/src/main/java/org/atsign/client/cli/REPL.java b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
index 334eb8db..eb81f73e 100644
--- a/at_shell/src/main/java/org/atsign/client/cli/REPL.java
+++ b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
@@ -9,16 +9,16 @@
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtEvents.AtEventType;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.client.util.KeysUtil;
-import org.atsign.common.AtException;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.exceptions.AtIllegalArgumentException;
-import org.atsign.common.exceptions.AtExceptions.AtInvalidSyntaxException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.exceptions.AtIllegalArgumentException;
+import org.atsign.client.impl.exceptions.AtInvalidSyntaxException;
 import org.fusesource.jansi.Ansi;
 import org.fusesource.jansi.AnsiConsole;
 
@@ -48,7 +48,7 @@ public static void main(String[] args) {
       atClient = AtClients.builder()
           .url(rootUrl)
           .atSign(atSign)
-          .keys(KeysUtil.loadKeys(atSign))
+          .keys(KeysUtils.loadKeys(atSign))
           .isVerbose(verbose)
           .build();
       System.out.println(ansi().fg(Ansi.Color.GREEN).a("connected. ").reset().a("Type '/help' to see help").reset());
diff --git a/at_utils/src/main/java/org/atsign/client/util/CameraUtil.java b/at_utils/src/main/java/org/atsign/client/util/CameraUtil.java
index d7bf3576..03b35b04 100644
--- a/at_utils/src/main/java/org/atsign/client/util/CameraUtil.java
+++ b/at_utils/src/main/java/org/atsign/client/util/CameraUtil.java
@@ -6,8 +6,8 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
-import org.atsign.common.AtException;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 import com.github.sarxos.webcam.Webcam;
 
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
index 22b5be40..c0cccb47 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
@@ -1,14 +1,14 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class PublicKeyDeleteExample {
 
@@ -24,7 +24,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
index a5410158..92163b07 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
@@ -2,14 +2,14 @@
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.exceptions.AtClientConfigException;
-import org.atsign.common.options.GetRequestOptions;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
+import org.atsign.client.api.AtClient.GetRequestOptions;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 public class PublicKeyGetBypassCacheExample {
   public static void main(String[] args) throws AtClientConfigException {
@@ -24,7 +24,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
index ffa04ad3..16d5ab65 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
@@ -2,13 +2,13 @@
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 public class PublicKeyGetExample {
   public static void main(String[] args) throws AtClientConfigException {
@@ -23,7 +23,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
index 2d4a02ec..5923b517 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
@@ -1,14 +1,14 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.PublicKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class PublicKeyPutExample {
 
@@ -25,7 +25,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
index 545b67b9..50e2d505 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
@@ -1,14 +1,14 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class SelfKeyDeleteExample {
 
@@ -24,7 +24,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
index 9900daf8..a4a5a3d2 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
@@ -1,15 +1,15 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.Metadata;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.api.Metadata;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class SelfKeyGetExample {
 
@@ -25,7 +25,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
index 4d9752a2..0bdc4c58 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
@@ -1,15 +1,15 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 import java.util.concurrent.TimeUnit;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.SelfKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class SelfKeyPutExample {
 
@@ -28,7 +28,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign atSign = new AtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(atSign)
         .keys(loadKeys(atSign))
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
index fd28d692..cc60f7b2 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
@@ -1,14 +1,14 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class SharedKeyDeleteExample {
 
@@ -26,7 +26,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(sharedBy)
         .keys(loadKeys(sharedBy))
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
index 430a8d6b..d2e395b7 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
@@ -1,14 +1,14 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class SharedKeyGetOtherExample {
   /// Get the SharedKey sharedBy another person and sharedWith you
@@ -25,7 +25,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH); // your atSign
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(sharedWith)
         .keys(loadKeys(sharedWith))
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
index cf2d7322..e7a256dd 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
@@ -1,14 +1,14 @@
 package org.atsign.examples;
 
-import static org.atsign.client.util.KeysUtil.loadKeys;
+import static org.atsign.client.impl.util.KeysUtils.loadKeys;
 
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.api.impl.clients.AtClients;
-import org.atsign.common.AtSign;
-import org.atsign.common.Keys;
-import org.atsign.common.Keys.SharedKey;
-import org.atsign.common.exceptions.AtClientConfigException;
+import org.atsign.client.impl.AtClients;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.api.Keys;
+import org.atsign.client.api.Keys.SharedKey;
+import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class SharedKeyGetSelfExample {
   /// Get a SharedKey that you created and shared with another atSign
@@ -25,7 +25,7 @@ public static void main(String[] args) throws AtClientConfigException {
     AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH);
 
     // 3. build an AtClient
-    AtClients.AtClientsBuilder builder = AtClients.builder()
+    AtClients.AtClientBuilder builder = AtClients.builder()
         .url(ROOT_URL)
         .atSign(sharedBy)
         .keys(loadKeys(sharedBy))
diff --git a/pom.xml b/pom.xml
index 869514a7..db940519 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,6 +45,9 @@
     <config.spotless>config/java-format.xml</config.spotless>
     <config.checkstyle>config/checkstyle.xml</config.checkstyle>
 
+    <coverage.line>0.9</coverage.line>
+    <coverage.branch>0.9</coverage.branch>
+
     <!-- dependency versions -->
     <version.jackson>2.16.1</version.jackson>
     <version.bouncycastle>1.78.1</version.bouncycastle>
@@ -361,6 +364,33 @@
                 <goal>report</goal>
               </goals>
             </execution>
+            <execution>
+              <id>check</id>
+              <phase>verify</phase>
+              <goals>
+                <goal>check</goal>
+              </goals>
+
+              <configuration>
+                <rules>
+                  <rule>
+                    <element>BUNDLE</element>
+                    <limits>
+                      <limit>
+                        <counter>LINE</counter>
+                        <value>COVEREDRATIO</value>
+                        <minimum>${coverage.line}</minimum>
+                      </limit>
+                      <limit>
+                        <counter>BRANCH</counter>
+                        <value>COVEREDRATIO</value>
+                        <minimum>${coverage.branch}</minimum>
+                      </limit>
+                    </limits>
+                  </rule>
+                </rules>
+              </configuration>
+            </execution>
           </executions>
         </plugin>
 

From bac0135f32cb5669c2f96eb48c88b047b4dad77d Mon Sep 17 00:00:00 2001
From: akafredperry <fred@atsign.com>
Date: Thu, 12 Mar 2026 08:58:22 +0000
Subject: [PATCH 4/5] feature: javadoc

---
 .../java/org/atsign/client/api/AtClient.java  |  32 ++---
 .../atsign/client/api/AtCommandExecutor.java  |  16 +--
 .../java/org/atsign/client/api/AtEvents.java  |  12 +-
 .../org/atsign/client/api/AtKeyNames.java     |   2 +-
 .../java/org/atsign/client/api/Metadata.java  |   7 +-
 .../org/atsign/client/api/package-info.java   |   2 +-
 .../org/atsign/client/impl/AtClientImpl.java  |  46 +------
 .../client/impl/AtCommandExecutors.java       |   2 +-
 .../client/impl/AtEndpointSuppliers.java      |   8 +-
 .../java/org/atsign/client/impl/cli/Get.java  |   2 +-
 .../impl/cli/register/RegisterUtil.java       |  31 ++---
 .../impl/commands/AuthenticationCommands.java |   4 +-
 .../client/impl/commands/CommandBuilders.java |  47 +++----
 .../client/impl/commands/DataResponses.java   |  54 ++++----
 .../client/impl/commands/EnrollCommands.java  | 116 ++++++++++++++--
 .../client/impl/commands/ErrorResponses.java  |  28 ++--
 .../client/impl/commands/KeyCommands.java     |  37 +++++-
 .../client/impl/commands/LookupResponse.java  |   2 +-
 .../client/impl/commands/Notifications.java   |  42 ++++--
 .../impl/commands/PublicKeyCommands.java      |  74 +++++++++--
 .../client/impl/commands/Responses.java       |  74 +++++++----
 .../client/impl/commands/ScanCommands.java    |  10 +-
 .../client/impl/commands/SelfKeyCommands.java |  61 +++++++--
 .../impl/commands/SharedKeyCommands.java      |  71 +++++++++-
 .../client/impl/common/CommandElement.java    |   6 +-
 .../client/impl/common/CommandQueue.java      |   9 +-
 .../client/impl/common/Preconditions.java     |   2 +-
 .../client/impl/common/SimpleAtEventBus.java  |   1 +
 .../client/impl/common/package-info.java      |   4 +
 .../client/impl/exceptions/AtException.java   |   3 +-
 .../client/impl/exceptions/package-info.java  |   4 +
 .../impl/netty/NettyAtCommandEncoder.java     |   3 +-
 .../impl/netty/NettyAtCommandExecutor.java    |   2 +-
 .../impl/netty/NettyAtResponseDecoder.java    |   3 +-
 .../impl/netty/NettyAtThreadFactory.java      |   2 +-
 .../client/impl/netty/package-info.java       |   6 +
 .../atsign/client/impl/util/ByteUtils.java    |  29 ----
 .../client/impl/util/EncryptionUtils.java     | 124 +++++++++++++-----
 .../atsign/client/impl/util/JsonUtils.java    |  65 ++++++++-
 .../atsign/client/impl/util/KeysUtils.java    |  66 ++++++++--
 .../atsign/client/impl/util/StringUtils.java  |   2 +-
 .../atsign/client/impl/util/package-info.java |   4 +
 .../org/atsign/client/api/MetadataTest.java   |   2 +-
 .../client/impl/AtCommandExecutorsIT.java     |  82 ++++++++++++
 .../impl/commands/PublicKeyCommandsTest.java  |  20 +--
 .../impl/commands/SelfKeyCommandsTest.java    |  17 ++-
 .../impl/commands/SharedKeyCommandsTest.java  |   2 +-
 .../impl/netty/NettyAtCommandExecutorIT.java  |   1 -
 .../client/impl/util/ByteUtilsTest.java       |  85 ------------
 49 files changed, 872 insertions(+), 452 deletions(-)
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/common/package-info.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/exceptions/package-info.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/netty/package-info.java
 delete mode 100644 at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java
 create mode 100644 at_client/src/main/java/org/atsign/client/impl/util/package-info.java
 create mode 100644 at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java
 delete mode 100644 at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java

diff --git a/at_client/src/main/java/org/atsign/client/api/AtClient.java b/at_client/src/main/java/org/atsign/client/api/AtClient.java
index bbc802ce..5b44c581 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtClient.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtClient.java
@@ -22,7 +22,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
   /**
    * The methods in this interface are from the perspective of this {@link AtSign}.
-   * For example when executing {@link #put(SelfKey, String)} the {@link SelfKey#sharedBy()}
+   * For example when executing put the sharedBy {@link AtSign}
    * should be the {@link AtSign} of the {@link AtClient}.
    *
    * @return the {@link AtSign} which this {@link AtClient} is representing.
@@ -40,7 +40,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to get a String associated with a shared key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SharedKey#sharedBy()} or the {@link SharedKey#sharedWith()} for the key.
+   * sharedBy or the sharedWith for the key.
    *
    * @param sharedKey A {@link SharedKey}
    * @return A {@link CompletableFuture} for the String value associated with this key.
@@ -50,7 +50,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to get a byte array associated with a shared key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SharedKey#sharedBy()} or the {@link SharedKey#sharedWith()} for the key.
+   * sharedBy or the sharedWith for the key.
    *
    * @param sharedKey A {@link SharedKey}
    * @return A {@link CompletableFuture} for the byte array value associated with this key.
@@ -59,8 +59,8 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
   /**
    * Used to associate a String with a shared key.
-   * The {@link AtClient} {@link AtSign} should be the {@link SharedKey#sharedBy()} or the
-   * {@link SharedKey#sharedWith()} for the key.
+   * The {@link AtClient} {@link AtSign} should be the sharedBy or the
+   * sharedWith for the key.
    *
    * @param sharedKey A {@link SharedKey}.
    * @param value The string value (this cannot be null).
@@ -70,7 +70,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
   /**
    * Used to delete a shared key.
-   * The {@link AtClient} {@link AtSign} should be the {@link SharedKey#sharedBy()} for the key.
+   * The {@link AtClient} {@link AtSign} should be the sharedBy for the key.
    *
    * @param sharedKey A {@link SharedKey}.
    * @return A {@link CompletableFuture} for this operation.
@@ -80,7 +80,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to get a String associated with a self key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SelfKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param selfKey A {@link SelfKey}
    * @return A {@link CompletableFuture} for the String value associated with this key.
@@ -90,7 +90,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to get a byte array associated with a self key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SelfKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param selfKey A {@link SelfKey}
    * @return A {@link CompletableFuture} for the byte array value associated with this key.
@@ -100,7 +100,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to associate a String with a self key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SelfKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param selfKey A {@link SelfKey}.
    * @param value The string value to be associated with the {@link SelfKey} (this cannot be null).
@@ -110,7 +110,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
   /**
    * Used to delete a self key.
-   * The {@link AtClient} {@link AtSign} should be the {@link SelfKey#sharedBy()} for the key.
+   * The {@link AtClient} {@link AtSign} should be the sharedBy for the key.
    *
    * @param selfKey A {@link SelfKey}.
    * @return A {@link CompletableFuture} for this operation.
@@ -155,7 +155,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to associate a String with a public key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link PublicKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param publicKey A {@link PublicKey}.
    * @param value The string value associated with the {@link PublicKey} (this cannot be null).
@@ -165,7 +165,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
 
   /**
    * Used to delete a public key.
-   * The {@link AtClient} {@link AtSign} should be the {@link PublicKey#sharedBy()} for the key.
+   * The {@link AtClient} {@link AtSign} should be the sharedBy for the key.
    *
    * @param publicKey A {@link PublicKey}.
    * @return A {@link CompletableFuture} for this operation.
@@ -175,7 +175,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to associate a byte array with a shared key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SharedKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param sharedKey A {@link SharedKey}.
    * @param value The byte array to associated with the {@link SharedKey}
@@ -186,7 +186,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to associate a byte array with a self key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link SelfKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param selfKey A {@link SelfKey}.
    * @param value The byte array to associated with the {@link SelfKey}
@@ -197,7 +197,7 @@ public interface AtClient extends AtEvents.AtEventBus, AutoCloseable {
   /**
    * Used to associate a byte array with a public key from the perspective of the
    * {@link AtClient}'s {@link AtSign}.The {@link AtClient} {@link AtSign} should be the
-   * {@link PublicKey#sharedBy()} for the key.
+   * sharedBy for the key.
    *
    * @param publicKey A {@link PublicKey}.
    * @param value The byte array to associated with the {@link PublicKey}
@@ -241,7 +241,7 @@ default CompletableFuture<List<AtKey>> getAtKeys(String regex) {
   /**
    * Used to check if this {@link AtClient} has sent a monitor command.
    *
-   * @return
+   * @return true is monitor has been set (and not stopped).
    */
   boolean isMonitorRunning();
 
diff --git a/at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java b/at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java
index 454d5e58..5c66fb5e 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtCommandExecutor.java
@@ -5,14 +5,14 @@
 import java.util.function.Consumer;
 
 /**
- * A core interface that represents something that is connected to an at server
- * command interface.
+ * Represents something that is capable of sending At Protocol commands,
+ * and receiving responses, to and from At Server command interface.
  * {@link AtCommandExecutor}s are closeable resources and should be treated accordingly.
  */
 public interface AtCommandExecutor extends AutoCloseable {
 
   /**
-   * Asynchronously executes an Atsign Protocol command that is expected to return a response.
+   * Asynchronously executes an At Protocol command that is expected to return a response.
    *
    * @param command the command to execute
    * @param future the future which will be completed with the response
@@ -20,7 +20,7 @@ public interface AtCommandExecutor extends AutoCloseable {
   void send(String command, CompletableFuture<String> future);
 
   /**
-   * Asynchronously executes an Atsign Protocol command that is expected to return a response.
+   * Asynchronously executes an At Protocol command that is expected to return a response.
    *
    * @param command the command to execute
    * @return the future which will be completed with the response
@@ -32,7 +32,7 @@ default CompletableFuture<String> send(String command) {
   }
 
   /**
-   * Synchronously executes an Atsign Protocol command that is expected to return a response.
+   * Synchronously executes an At Protocol command that is expected to return a response.
    * This method will return once the command has been sent to the AtSign server and the response
    * has been received.
    *
@@ -42,7 +42,7 @@ default CompletableFuture<String> send(String command) {
   String sendSync(String command) throws ExecutionException, InterruptedException;
 
   /**
-   * Asynchronously executes an Atsign Protocol command that is expected to return a stream of events.
+   * Asynchronously executes an At Protocol command that is expected to return a stream of events.
    *
    * @param command the command to execute
    * @param consumer the consumer which the connection will invoke with each event
@@ -51,7 +51,7 @@ default CompletableFuture<String> send(String command) {
   void send(String command, Consumer<String> consumer, CompletableFuture<Void> future);
 
   /**
-   * Asynchronously executes an Atsign Protocol command that is expected to return a stream of events.
+   * Asynchronously executes an At Protocol command that is expected to return a stream of events.
    *
    * @param command the command to execute
    * @param consumer the consumer which the connection will invoke with each event
@@ -64,7 +64,7 @@ default CompletableFuture<Void> send(String command, Consumer<String> consumer)
   }
 
   /**
-   * Synchronously executes an Atsign Protocol command that is expected to return a stream of events.
+   * Synchronously executes an At Protocol command that is expected to return a stream of events.
    * This method will return once the command has been sent to the AtSign server and some form of
    * acknowledgement has been received.
    *
diff --git a/at_client/src/main/java/org/atsign/client/api/AtEvents.java b/at_client/src/main/java/org/atsign/client/api/AtEvents.java
index 401d36cf..4c526664 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtEvents.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtEvents.java
@@ -4,29 +4,29 @@
 import java.util.Set;
 
 /**
- * Parent interface for related interfaces
+ * Parent interface for event related interfaces and enum.
  */
 public interface AtEvents {
 
   /**
-   * Represents something that will receive events
+   * Listener interface for events.
    */
   interface AtEventListener {
     void handleEvent(AtEventType eventType, Map<String, Object> eventData);
   }
 
   /**
-   * Represents something that can dispatch events to registered {@link AtEventListener}
+   * Represents something that can dispatch events to registered {@link AtEventListener} instances.
    */
   interface AtEventBus {
     /**
-     * @param listener to handle various events which originate from Secondaries
-     * @param eventTypes the set of EventTypes that the listener is interested in
+     * @param listener The handler / callback which will receive events.
+     * @param eventTypes The set of EventTypes that the listener is interested in.
      */
     void addEventListener(AtEventListener listener, Set<AtEventType> eventTypes);
 
     /**
-     * @param listener the listener to remove
+     * @param listener The listener to remove.
      */
     void removeEventListener(AtEventListener listener);
 
diff --git a/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java b/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
index a1d0181f..4a1997d7 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtKeyNames.java
@@ -1,7 +1,7 @@
 package org.atsign.client.api;
 
 /**
- * Constants and Utility methods for "well known" standard keys
+ * Constants and utility methods for "well known" keys.
  */
 public class AtKeyNames {
 
diff --git a/at_client/src/main/java/org/atsign/client/api/Metadata.java b/at_client/src/main/java/org/atsign/client/api/Metadata.java
index 56284640..5ff8d603 100644
--- a/at_client/src/main/java/org/atsign/client/api/Metadata.java
+++ b/at_client/src/main/java/org/atsign/client/api/Metadata.java
@@ -2,7 +2,6 @@
 
 import java.time.OffsetDateTime;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
 
 import lombok.Builder;
 import lombok.Value;
@@ -55,13 +54,13 @@ public static class MetadataBuilder {
     // required for javadoc
   };
 
-  public static Metadata fromJson(String json) throws JsonProcessingException {
-    return JsonUtils.MAPPER.readValue(json, Metadata.class);
+  public static Metadata fromJson(String json) {
+    return JsonUtils.readValue(json, Metadata.class);
   }
 
   /**
    *
-   * @return the encoded metadata fields as recognized by an at server in an update command.
+   * @return the encoded metadata fields as recognized by an At Server in an update command.
    */
   @Override
   public String toString() {
diff --git a/at_client/src/main/java/org/atsign/client/api/package-info.java b/at_client/src/main/java/org/atsign/client/api/package-info.java
index b2fb5738..6869ea32 100644
--- a/at_client/src/main/java/org/atsign/client/api/package-info.java
+++ b/at_client/src/main/java/org/atsign/client/api/package-info.java
@@ -1,4 +1,4 @@
 /**
- * The core interfaces and data types for the AtSign Jaca SDK.
+ * The core interfaces and data types for the AtSign Java SDK.
  */
 package org.atsign.client.api;
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java b/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
index 8fab116f..0db6e7ef 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
@@ -119,7 +119,6 @@ public int publishEvent(AtEventType eventType, Map<String, Object> eventData) {
 
   @Override
   public CompletableFuture<String> get(SharedKey sharedKey) {
-    checkAtSignCanGet(atSign, sharedKey);
     return wrapAsync(() -> SharedKeyCommands.get(executor, atSign, keys, sharedKey));
   }
 
@@ -130,20 +129,17 @@ public CompletableFuture<byte[]> getBinary(SharedKey sharedKey) {
 
   @Override
   public CompletableFuture<Void> put(SharedKey sharedKey, String value) {
-    checkAtSignCanPut(atSign, sharedKey);
     return wrapAsync(() -> SharedKeyCommands.put(executor, atSign, keys, sharedKey, value));
   }
 
   @Override
   public CompletableFuture<Void> delete(SharedKey sharedKey) {
-    checkAtSignCanPut(atSign, sharedKey);
     return wrapAsync(() -> KeyCommands.deleteKey(executor, sharedKey));
   }
 
   @Override
   public CompletableFuture<String> get(SelfKey selfKey) {
-    checkAtSignCanGet(atSign, selfKey);
-    return wrapAsync(() -> SelfKeyCommands.get(executor, keys, selfKey));
+    return wrapAsync(() -> SelfKeyCommands.get(executor, atSign, keys, selfKey));
   }
 
   @Override
@@ -153,13 +149,11 @@ public CompletableFuture<byte[]> getBinary(SelfKey selfKey) {
 
   @Override
   public CompletableFuture<Void> put(SelfKey selfKey, String value) {
-    checkAtSignCanPut(atSign, selfKey);
-    return wrapAsync(() -> SelfKeyCommands.put(executor, keys, selfKey, value));
+    return wrapAsync(() -> SelfKeyCommands.put(executor, atSign, keys, selfKey, value));
   }
 
   @Override
   public CompletableFuture<Void> delete(SelfKey selfKey) {
-    checkAtSignCanPut(atSign, selfKey);
     return wrapAsync(() -> KeyCommands.deleteKey(executor, selfKey));
   }
 
@@ -185,13 +179,11 @@ public CompletableFuture<byte[]> getBinary(PublicKey publicKey, GetRequestOption
 
   @Override
   public CompletableFuture<Void> put(PublicKey publicKey, String value) {
-    checkAtSignCanPut(atSign, publicKey);
-    return wrapAsync(() -> PublicKeyCommands.put(executor, keys, publicKey, value));
+    return wrapAsync(() -> PublicKeyCommands.put(executor, atSign, keys, publicKey, value));
   }
 
   @Override
   public CompletableFuture<Void> delete(PublicKey publicKey) {
-    checkAtSignCanPut(atSign, publicKey);
     return wrapAsync(() -> KeyCommands.deleteKey(executor, publicKey));
   }
 
@@ -307,36 +299,4 @@ private static CompletableFuture<Void> wrapAsync(AtCommandThatReturnsVoid comman
       }
     });
   }
-
-  public static void checkAtSignCanPut(AtSign atSign, PublicKey key) {
-    if (!key.sharedBy().equals(atSign)) {
-      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
-    }
-  }
-
-  public static void checkAtSignCanGet(AtSign atSign, SelfKey key) {
-    if (!key.sharedBy().equals(atSign)) {
-      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
-    }
-  }
-
-  public static void checkAtSignCanPut(AtSign atSign, SelfKey key) {
-    if (!key.sharedBy().equals(atSign)) {
-      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
-    }
-  }
-
-  public static void checkAtSignCanGet(AtSign atSign, SharedKey key) {
-    if (!key.sharedBy().equals(atSign) && !key.sharedWith().equals(atSign)) {
-      throw new IllegalArgumentException(atSign + " is neither the sharedBy or sharedWith of " + key);
-    }
-  }
-
-  public static void checkAtSignCanPut(AtSign atSign, SharedKey key) {
-    if (!key.sharedBy().equals(atSign)) {
-      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
-    }
-  }
-
-
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java b/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
index 330454ca..73d0bb65 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
@@ -30,7 +30,7 @@
  * </pre>
  *
  * <b>NOTE:</b> If the url is prefixed with proxy (e.g. proxy:host:port) then the builder
- * will automatically attempt to connect to an at server at host:port.
+ * will automatically attempt to connect to an At Server at host:port.
  * <b>NOTE:</b> If atSign and keys are provided then the builder
  * will automatically configure the {@link AtCommandExecutor} to authenticate with PKAM.
  * <b>NOTE:</b> If reconnect is not set then the builder will default to a
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
index 53cf1011..6a18a61d 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
@@ -52,11 +52,11 @@ public static AtEndpointSupplier createEndpointSupplier(String url, AtSign atSig
       return () -> proxyMatcher.group(1);
     }
 
-    Matcher directoryServerMatcher = PATTERN_ROOT_URL.matcher(url);
-    if (directoryServerMatcher.matches()) {
+    Matcher rootMatcher = PATTERN_ROOT_URL.matcher(url);
+    if (rootMatcher.matches()) {
       checkNotNull(atSign, "atSign must be set to resolve at server endpoint from " + url);
-      String hostname = directoryServerMatcher.group(1);
-      String port = directoryServerMatcher.group(2);
+      String hostname = rootMatcher.group(1);
+      String port = rootMatcher.group(2);
       return NettyAtEndpointSupplier.builder()
           .rootUrl(hostname + ":" + (port != null ? port : ROOT_SERVER_PORT))
           .atsign(atSign)
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/Get.java b/at_client/src/main/java/org/atsign/client/impl/cli/Get.java
index 0f83ed66..533210b5 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/Get.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/Get.java
@@ -43,7 +43,7 @@ public static void main(String[] args) throws Exception {
 
       String response = atClient.get(key).get();
 
-      log.info("get response : {}", response);
+      System.out.printf("get response : %s", response);
     }
   }
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
index 540d88a6..53422637 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
@@ -16,11 +16,9 @@
 
 import javax.net.ssl.HttpsURLConnection;
 
-import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.impl.exceptions.AtRegistrarException;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.atsign.client.impl.util.JsonUtils;
 
 /**
@@ -28,8 +26,6 @@
  */
 public class RegisterUtil {
 
-  ObjectMapper objectMapper = JsonUtils.MAPPER;
-
   /**
    * Calls API to get atsigns which are ready to be claimed. Returns a free atsign.
    *
@@ -49,7 +45,7 @@ public String getFreeAtsign(String registrarUrl, String apiKey) throws AtExcepti
       BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
       String response = bufferedReader.readLine();
       @SuppressWarnings("unchecked")
-      Map<String, Map<String, String>> responseData = objectMapper.readValue(response, Map.class);
+      Map<String, Map<String, String>> responseData = JsonUtils.readValue(response, Map.class);
       Map<String, String> data = responseData.get("data");
       return data.get("atsign");
     } else {
@@ -94,17 +90,17 @@ public Map<String, String> getAtsignWithSuperApiKey(String registrarUrl, String
     if (!activationKey.isEmpty()) {
       paramsMap.put("ActivationKey", activationKey);
     }
-    String paramsJson = objectMapper.writeValueAsString(paramsMap);
+    String paramsJson = JsonUtils.writeValueAsString(paramsMap);
     HttpsURLConnection httpsConnection =
         postRequestToAPI(new URL(registrarUrl + Constants.GET_ATSIGN_V3), apiKey, paramsJson);
     if (httpsConnection.getResponseCode() == HttpsURLConnection.HTTP_OK) {
       BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsConnection.getInputStream()));
       String responseRaw = bufferedReader.readLine();
       @SuppressWarnings("unchecked")
-      Map<String, String> responseData = objectMapper.readValue(responseRaw, Map.class);
+      Map<String, String> responseData = JsonUtils.readValue(responseRaw, Map.class);
       if (responseData.get("status").equals("success")) {
         @SuppressWarnings("unchecked")
-        Map<String, Map<String, String>> responseDataMap = objectMapper.readValue(responseRaw, Map.class);
+        Map<String, Map<String, String>> responseDataMap = JsonUtils.readValue(responseRaw, Map.class);
         return responseDataMap.get("value");
       } else {
         throw new AtRegistrarException("Failed getting atsign. Response from API: " + responseData.get("status"));
@@ -132,7 +128,7 @@ public Boolean registerAtsign(String email, AtSign atsign, String registrarUrl,
                                               new SimpleEntry<>("atsign", atsign.withoutPrefix()),
                                               new SimpleEntry<>("email", email))
         .collect(toMap(SimpleEntry::getKey, SimpleEntry::getValue));
-    String paramsJson = objectMapper.writeValueAsString(paramsMap);
+    String paramsJson = JsonUtils.writeValueAsString(paramsMap);
 
     HttpsURLConnection httpsConnection =
         postRequestToAPI(new URL(registrarUrl + Constants.REGISTER_ATSIGN), apiKey, paramsJson);
@@ -140,7 +136,7 @@ public Boolean registerAtsign(String email, AtSign atsign, String registrarUrl,
       BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsConnection.getInputStream()));
       String response = bufferedReader.readLine();
       @SuppressWarnings("unchecked")
-      Map<String, String> responseData = objectMapper.readValue(response, Map.class);
+      Map<String, String> responseData = JsonUtils.readValue(response, Map.class);
       String data = responseData.get("message");
       System.out.println("\tVerification code: " + data);
       return response.contains("Sent Successfully");
@@ -183,7 +179,7 @@ public String validateOtp(String email, AtSign atsign, String otp, String regist
                                               new SimpleEntry<>("otp", otp),
                                               new SimpleEntry<>("confirmation", confirmation.toString()))
         .collect(toMap(SimpleEntry::getKey, SimpleEntry::getValue));
-    String paramsJson = objectMapper.writeValueAsString(paramsMap);
+    String paramsJson = JsonUtils.writeValueAsString(paramsMap);
 
     HttpsURLConnection httpsConnection =
         postRequestToAPI(new URL(registrarUrl + Constants.VALIDATE_OTP), apiKey, paramsJson);
@@ -194,20 +190,19 @@ public String validateOtp(String email, AtSign atsign, String otp, String regist
       // appending HTTP_RESPONSE to the string buffer line-after-line
       String response = bufferedReader.readLine();
       @SuppressWarnings("unchecked")
-      Map<String, String> responseDataStringObject = objectMapper.readValue(response, Map.class);
+      Map<String, String> responseDataStringObject = JsonUtils.readValue(response, Map.class);
       // API in some cases returns response with a data field of Type
       // Map<String, Map<String, String>> the following if condition casts this
       // response to Map<String, String>
       if (response.startsWith("{\"data")) {
         @SuppressWarnings("unchecked")
-        Map<String, Map<String, String>> responseDataMapObject = objectMapper.readValue(response, Map.class);
+        Map<String, Map<String, String>> responseDataMapObject = JsonUtils.readValue(response, Map.class);
         responseDataStringObject = responseDataMapObject.get("data");
         // The following if condition logs the existing atsigns if the API response
         // contains a List<String> of atsigns.
         if (responseDataStringObject.containsKey("atsigns") || responseDataStringObject.containsKey("newAtsign")) {
           @SuppressWarnings("unchecked")
-          Map<String, Map<String, List<String>>> responseDataArrayListObject =
-              objectMapper.readValue(response, Map.class);
+          Map<String, Map<String, List<String>>> responseDataArrayListObject = JsonUtils.readValue(response, Map.class);
           System.out
               .println("Your existing atsigns: " + responseDataArrayListObject.get("data").get("atsigns").toString());
         }
@@ -249,14 +244,14 @@ public String activateAtsignWithSuperApiKey(String registrarUrl, String apiKey,
         .of(new SimpleEntry<>("atSign", atsign.withoutPrefix()), new SimpleEntry<>("ActivationKey", activationKey))
         .collect(toMap(SimpleEntry::getKey, SimpleEntry::getValue));
 
-    String paramsJson = objectMapper.writeValueAsString(paramsMap);
+    String paramsJson = JsonUtils.writeValueAsString(paramsMap);
     HttpsURLConnection httpsConnection =
         postRequestToAPI(new URL(registrarUrl + Constants.ACTIVATE_ATSIGN), apiKey, paramsJson);
     if (httpsConnection.getResponseCode() == HttpsURLConnection.HTTP_OK) {
       BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsConnection.getInputStream()));
       String response = bufferedReader.readLine();
       @SuppressWarnings("unchecked")
-      Map<String, String> responseData = objectMapper.readValue(response, Map.class);
+      Map<String, String> responseData = JsonUtils.readValue(response, Map.class);
       if (responseData.get("status").equals("success")) {
         return responseData.get("cramkey");
       } else {
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java
index 02339b8c..b97b695b 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/AuthenticationCommands.java
@@ -20,7 +20,7 @@
 import org.atsign.client.impl.exceptions.AtUnauthenticatedException;
 
 /**
- * Utility methods for handling authentication within the AtSign protocol
+ * Utility methods for handling authentication within the At Protocol
  */
 public class AuthenticationCommands {
 
@@ -69,7 +69,7 @@ public static void authenticateWithPkam(AtCommandExecutor executor, AtSign atSig
    *
    * @param executor The executor with which to send the commands.
    * @param atSign The asign to authenticate.
-   * @param cramSecret The cramSecret that was assigned during at server provisioning.
+   * @param cramSecret The cramSecret that was assigned during At Server provisioning.
    * @throws AtException If authentication fails.
    */
   public static void authenticateWithCram(AtCommandExecutor executor, AtSign atSign, String cramSecret)
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java b/at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java
index 64e60c18..64a860ce 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/CommandBuilders.java
@@ -18,13 +18,12 @@
 import org.atsign.client.api.Keys.AtKey;
 import org.atsign.client.api.Metadata.MetadataBuilder;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
 
 import lombok.Builder;
 
 /**
  *
- * Builders for composing Atsign protocol command strings.
+ * Builders for composing At Protocol command strings.
  *
  */
 public class CommandBuilders {
@@ -32,7 +31,7 @@ public class CommandBuilders {
   private static final Metadata EMPTY_METADATA = Metadata.builder().build();
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>from</b> verb. The <b>from</b> verb
+   * A builder to compose an At Protocol command with the <b>from</b> verb. The <b>from</b> verb
    * is used to tell the Atsign server whom you claim to be and initiates the authentication workflow.
    *
    * @param atSign The {@link AtSign} you claim to be
@@ -46,7 +45,7 @@ public static String from(AtSign atSign) {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>cram</b> verb. The <b>cram</b> verb
+   * A builder to compose an At Protocol command with the <b>cram</b> verb. The <b>cram</b> verb
    * is used to boostrap authenticate one's own self as an owner of the Atsign server. It is intended
    * to be used once until a set of PKAM keys are cut on the owner's mobile device and from then on we
    * use the pkam verb.
@@ -62,7 +61,7 @@ public static String cram(String digest) {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>pol</b> verb. The <b>pol</b> verb
+   * A builder to compose an At Protocol command with the <b>pol</b> verb. The <b>pol</b> verb
    * is part of the pkam process to authenticate oneself while connecting to someone else's atServer.
    * The term 'pol' means 'proof of life' as it provides a near realtime assurance that the requestor
    * is who it claims to be.
@@ -75,7 +74,7 @@ public static String pol() {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>pkam</b> verb. The <b>pkam</b> verb
+   * A builder to compose an At Protocol command with the <b>pkam</b> verb. The <b>pkam</b> verb
    * follows the <b>from</b> verb. As an owner of the atServer, you should be able to take the
    * challenge thrown by the <b>from</b> verb and encrypt using the private key of the RSA key pair
    * with what the server has been bound with. Upon receiving the cram verb along with the digest, the
@@ -109,7 +108,7 @@ public static String pkam(String digest, String signingAlgo, String hashingAlgo,
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>update</b> verb. The <b>update</b>
+   * A builder to compose an At Protocol command with the <b>update</b> verb. The <b>update</b>
    * is used to insert key/value pairs into a Key Store. An update command can only be sent by the
    * {@link AtSign} that "owns" the key value and can only be sent to their own Atsign server.
    *
@@ -147,7 +146,7 @@ public static String pkam(String digest, String signingAlgo, String hashingAlgo,
    * @param value the value of the key / value. This overrides the metadata param if this is also set.
    * @param key a {@link AtKey} instance from which keyName, sharedBy, sharedWith and metadata will be
    *        taken from.
-   * @param rawKey the Atsign protocol key with cached and public qualifications
+   * @param rawKey the At Protocol key with cached and public qualifications
    * @return A correctly formed <b>update</b> verb command.
    * @throws IllegalArgumentException If mandatory fields are not set or if field values conflict.
    */
@@ -207,7 +206,7 @@ public enum LookupOperation {
   };
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>llookup</b> verb. The <b>llookup</b>
+   * A builder to compose an At Protocol command with the <b>llookup</b> verb. The <b>llookup</b>
    * verb is used to look up key values "owned" / shared by the {@link AtSign} that is sending the
    * command.
    *
@@ -257,7 +256,7 @@ public static String llookup(String keyName, AtSign sharedBy, AtSign sharedWith,
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>lookup</b> verb. The <b>lookup</b>
+   * A builder to compose an At Protocol command with the <b>lookup</b> verb. The <b>lookup</b>
    * verb is used to look up key values shared by other {@link AtSign}s with the {@link AtSign} that
    * is sending the command.
    *
@@ -294,7 +293,7 @@ public static String lookup(String keyName, AtSign sharedBy, LookupOperation ope
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>plookup</b> verb. The <b>plookup</b>
+   * A builder to compose an At Protocol command with the <b>plookup</b> verb. The <b>plookup</b>
    * verb is used to look up a public key value shared by an {@link AtSign} other than the one that
    * is sending the command.
    *
@@ -336,7 +335,7 @@ public static String plookup(String keyName, AtSign sharedBy, Boolean bypassCach
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>delete</b> verb. The <b>delete</b>
+   * A builder to compose an At Protocol command with the <b>delete</b> verb. The <b>delete</b>
    * verb is used to remove key/value pairs into a Key Store. An <b>delete</b> command can only be
    * sent by the {@link AtSign} that "owns" the key value and can only be sent to their own Atsign
    * server.
@@ -384,7 +383,7 @@ public static String delete(String keyName, AtSign sharedBy, AtSign sharedWith,
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>scan</b> verb. The <b>scan</b> verb
+   * A builder to compose an At Protocol command with the <b>scan</b> verb. The <b>scan</b> verb
    * is used to list the keys in an {@link AtSign}'s Atsign server.
    *
    * @param regex If set only show keys that match this regular expression pattern.
@@ -409,7 +408,7 @@ public static String scan(String regex, AtSign fromAtSign, Boolean showHidden) {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>notify:messageType:text</b> verb.
+   * A builder to compose an At Protocol command with the <b>notify:messageType:text</b> verb.
    * The <b>notify:messageType:text</b> verb is used to send an arbitrary message to another
    * {@link AtSign}.
    *
@@ -433,7 +432,7 @@ public enum NotifyOperation {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the
+   * A builder to compose an At Protocol command with the
    * <b>notify:(update|delete):messageType:key</b> verb.
    * The <b>notify:(update|delete):messageType:key</b> verb is used to send key change notifications
    * to other
@@ -473,7 +472,7 @@ public static String notifyKeyChange(NotifyOperation operation, AtSign recipient
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>notify:status</b> verb.
+   * A builder to compose an At Protocol command with the <b>notify:status</b> verb.
    * The <b>notify:status</b> verb is query the status of a previously sent notification.
    *
    * @param notificationId The unique id of a notification. This will have been the response for to a
@@ -516,7 +515,7 @@ public static class EnrollParameters {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>enroll</b> verb.
+   * A builder to compose an At Protocol command with the <b>enroll</b> verb.
    * The <b>enroll</b> verb is used to submit an APKAM enrollment.
    *
    * @param operation The specific enroll operation to perform see {@link EnrollOperation}.
@@ -608,7 +607,7 @@ public static String enroll(EnrollOperation operation, String status, Enrollment
 
     return new StringBuilder("enroll:")
         .append(operation)
-        .append(params != null ? encodeAsJson(params) : "")
+        .append(params != null ? JsonUtils.writeValueAsString(params) : "")
         .toString();
   }
 
@@ -620,7 +619,7 @@ public enum KeysOperation {
   };
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>keys</b> verb.
+   * A builder to compose an At Protocol command with the <b>keys</b> verb.
    * The <b>keys</b> verb is specifically used to update security keys in the Atsign server.
    *
    * @param operation put, get or delete.
@@ -641,7 +640,7 @@ public static String keys(KeysOperation operation, String keyName) {
   }
 
   /**
-   * A builder to compose an Atsign protocol command with the <b>otp</b> verb.
+   * A builder to compose an At Protocol command with the <b>otp</b> verb.
    * The <b>otp</b> verb is used to request a one time password for the enrollment workflow.
    *
    * @return A correctly formed <b>otp</b> verb command.
@@ -668,14 +667,6 @@ protected static Map<String, Object> toObjectMap(Object... nameValuePairs) {
     return map;
   }
 
-  protected static String encodeAsJson(Object o) {
-    try {
-      return JsonUtils.MAPPER.writeValueAsString(o);
-    } catch (JsonProcessingException e) {
-      throw new IllegalArgumentException("json encoding exception", e);
-    }
-  }
-
   private static boolean isTrue(Boolean bool) {
     return bool != null && bool;
   }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java b/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java
index 0b8fcdbd..367a47c7 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/DataResponses.java
@@ -7,52 +7,50 @@
 import org.atsign.client.api.Metadata;
 import org.atsign.client.impl.util.JsonUtils;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-
 /**
- * Utilities for handling data responses in the AtSign protocol.
+ * Utilities for handling data responses in the At Protocol.
  */
 public class DataResponses {
 
   /**
    * models server response string which is non-empty JSON map
    */
-  protected static final Pattern DATA_JSON_NON_EMPTY_MAP = Pattern.compile("data:(\\{.+})");
+  private static final Pattern DATA_JSON_NON_EMPTY_MAP = Pattern.compile("data:(\\{.+})");
 
   /**
    * models server response string which is JSON map
    */
-  protected static final Pattern DATA_JSON_MAP = Pattern.compile("data:(\\{.*})");
+  private static final Pattern DATA_JSON_MAP = Pattern.compile("data:(\\{.*})");
 
   /**
    * models server response string which is non-empty JSON list
    */
-  protected static final Pattern DATA_JSON_LIST = Pattern.compile("data:(\\[.*])");
+  private static final Pattern DATA_JSON_LIST = Pattern.compile("data:(\\[.*])");
 
   /**
    * models server response string which is integer
    */
-  protected static final Pattern DATA_INT = Pattern.compile("data:(-?\\d+)");
+  private static final Pattern DATA_INT = Pattern.compile("data:(-?\\d+)");
 
   /**
    * models server response string containing no whitespace
    */
-  public static final Pattern DATA_NON_WHITESPACE = Pattern.compile("data:(\\S+)");
+  private static final Pattern DATA_NON_WHITESPACE = Pattern.compile("data:(\\S+)");
 
   /**
    * models server data response
    */
-  public static final Pattern DATA = Pattern.compile("data:(.+)");
+  private static final Pattern DATA = Pattern.compile("data:(.+)");
 
   /**
    * models server response string containing no whitespace
    */
-  public static final Pattern DATA_SUCCESS = Pattern.compile("data:(success)");
+  private static final Pattern DATA_SUCCESS = Pattern.compile("data:(success)");
 
   /**
    * Use this to verify a "data:success" response.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return "success" if this matches.
    */
   public static String matchDataSuccess(String input) {
@@ -62,7 +60,7 @@ public static String matchDataSuccess(String input) {
   /**
    * Use this to verify a "data:xxxxx" response (no whitespace in the value).
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The value after the "data:" prefix.
    */
   public static String matchDataStringNoWhitespace(String input) {
@@ -72,7 +70,7 @@ public static String matchDataStringNoWhitespace(String input) {
   /**
    * Use this to verify a "data:x xx xx" response (whitespace permitted).
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The value after the "data:" prefix.
    */
   public static String matchData(String input) {
@@ -82,7 +80,7 @@ public static String matchData(String input) {
   /**
    * Use this to verify a "data:123" response (negative numbers permitted).
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The value after the "data:" prefix.
    */
   public static int matchDataInt(String input) {
@@ -92,7 +90,7 @@ public static int matchDataInt(String input) {
   /**
    * Use this to verify a "data:[...]" response where the value is a JSON encoded list.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The {@link List} after the "data:" prefix.
    */
   public static List<Object> matchDataJsonList(String input) {
@@ -102,7 +100,7 @@ public static List<Object> matchDataJsonList(String input) {
   /**
    * Use this to verify a "data:[...]" response where the value is a JSON encoded list of Strings.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The {@link List} after the "data:" prefix.
    */
   public static List<String> matchDataJsonListOfStrings(String input) {
@@ -112,7 +110,7 @@ public static List<String> matchDataJsonListOfStrings(String input) {
   /**
    * Use this to verify a "data:{...}" response where the value is a JSON encoded map of Strings.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @param allowEmpty If true then empty map is permitted.
    * @return The {@link Map} after the "data:" prefix.
    */
@@ -124,7 +122,7 @@ public static Map<String, String> matchDataJsonMapOfStrings(String input, boolea
   /**
    * Use this to verify a "data:{...}" response where the value is a JSON encoded map of objects.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @param allowEmpty If true then empty map is permitted.
    * @return The {@link Map} after the "data:" prefix.
    */
@@ -136,7 +134,7 @@ public static Map<String, Object> matchDataJsonMapOfObjects(String input, boolea
   /**
    * Use this to verify a "data:{...}" response where the value is a JSON encoded map of Strings.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The {@link Map} after the "data:" prefix.
    */
   public static Map<String, String> matchDataJsonMapOfStrings(String input) {
@@ -146,7 +144,7 @@ public static Map<String, String> matchDataJsonMapOfStrings(String input) {
   /**
    * Use this to verify a "data:{...}" response where the value is a JSON encoded map of objects.
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The {@link Map} after the "data:" prefix.
    */
   public static Map<String, Object> matchDataJsonMapOfObjects(String input) {
@@ -157,7 +155,7 @@ public static Map<String, Object> matchDataJsonMapOfObjects(String input) {
    * Use this to verify a "data:{...}" response where the value is a JSON encoded
    * {@link LookupResponse}
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The {@link LookupResponse} after the "data:" prefix.
    */
   public static LookupResponse matchLookupResponse(String input) {
@@ -165,18 +163,14 @@ public static LookupResponse matchLookupResponse(String input) {
   }
 
   private static LookupResponse toLookupResponse(String input) {
-    try {
-      return JsonUtils.MAPPER.readValue(input, LookupResponse.class);
-    } catch (JsonProcessingException e) {
-      throw new RuntimeException(e);
-    }
+    return JsonUtils.readValue(input, LookupResponse.class);
   }
 
   /**
    * Use this to verify a "data:{...}" response where the value is a JSON encoded
    * {@link Metadata}
    *
-   * @param input The at server response to verify.
+   * @param input The At Server response to verify.
    * @return The {@link Metadata} after the "data:" prefix.
    */
   public static Metadata matchMetadata(String input) {
@@ -184,10 +178,6 @@ public static Metadata matchMetadata(String input) {
   }
 
   private static Metadata toMetaData(String input) {
-    try {
-      return JsonUtils.MAPPER.readValue(input, Metadata.class);
-    } catch (JsonProcessingException e) {
-      throw new RuntimeException(e);
-    }
+    return JsonUtils.readValue(input, Metadata.class);
   }
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java
index 6f43e629..9b1694cf 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/EnrollCommands.java
@@ -1,11 +1,11 @@
 package org.atsign.client.impl.commands;
 
+import static org.atsign.client.impl.commands.CommandBuilders.EnrollParameters.ENCRYPTED_APKAM_SYMMETRIC_KEY;
 import static org.atsign.client.impl.commands.DataResponses.*;
 import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
-import static org.atsign.client.impl.util.EncryptionUtils.*;
 import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
 import static org.atsign.client.impl.common.Preconditions.checkNotNull;
-import static org.atsign.client.impl.commands.CommandBuilders.EnrollParameters.ENCRYPTED_APKAM_SYMMETRIC_KEY;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
 
 import java.util.List;
 import java.util.Map;
@@ -13,30 +13,34 @@
 import java.util.concurrent.ExecutionException;
 import java.util.stream.Collectors;
 
+import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.api.AtKeyNames;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.common.EnrollmentId;
 import org.atsign.client.impl.exceptions.AtException;
-import org.atsign.client.api.AtSign;
 
 /**
- * Atsign Protocol utilitiy code that relates to onboarding and enrolling atsigns.
+ * At Protocol composite commands for activating an AtServer, enrolling the first set of keys
+ * and enrolling subsequent sets of keys.
  */
 public class EnrollCommands {
 
   /**
-   * Performs the onboarding workflow which sets up the manage keys for an atserver.
+   * Performs the onboarding commands which activate an At Server and
+   * enroll the first set of keys. This initial enrollment automatically completes and creates the
+   * app/device keys that can approve subsequent enrollments.
    *
-   * @param executor A executor to an atserver command interface.
+   * @param executor The {@link AtCommandExecutor} to use.
    * @param atSign The AtSign that corresponds to the executor.
-   * @param keys The {@link AtKeys} for the {@link AtSign}.
+   * @param keys The {@link AtKeys} for the {@link AtSign}, these should already be populated.
    * @param cramSecret The CRAM secret.
    * @param appName The app name for this first enrollment.
    * @param deviceName The device name for this first enrollment.
    * @param deleteCramKey Whether the CRAM key should be removed from the AtServer.
-   * @return a new {@link AtKeys} instance that has the enrollment id set
-   * @throws AtException If the enrollment fails.
+   * @return A new copy of the {@link AtKeys} that has the enrollment id set. These need to be
+   *         persisted by the caller.
+   * @throws AtException If any of the commands fail.
    */
   public static AtKeys onboard(AtCommandExecutor executor,
                                AtSign atSign,
@@ -98,10 +102,23 @@ public static AtKeys onboard(AtCommandExecutor executor,
     return keys;
   }
 
+  /**
+   * Deletes the key which holds the CRAM secret prior to onboarding an At Server.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @throws AtException If the command fails.
+   */
   public static void deleteCramSecret(AtCommandExecutor executor) throws AtException {
     KeyCommands.deleteKey(executor, AtKeyNames.PRIVATE_AT_SECRET);
   }
 
+  /**
+   * Can be used to obtain a one time password for enrollment.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @return a unique one time password.
+   * @throws AtException If the command fails.
+   */
   public static String otp(AtCommandExecutor executor) throws AtException {
     try {
 
@@ -117,6 +134,25 @@ public static String otp(AtCommandExecutor executor) throws AtException {
     }
   }
 
+  /**
+   * Performs the enrollment request commands for a new application / device set of keys.
+   * <b>NOTE</b> The result of this command will be a pending request that must be approved
+   * ({@link #approve(AtCommandExecutor, AtKeys, EnrollmentId)}) using keys that have access
+   * to the manage namespace (the original keys from onboard) and then completed
+   * ({@link #complete(AtCommandExecutor, AtSign, AtKeys)}).
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param keys The {@link AtKeys} for the {@link AtSign}, this should have the APKAM keys populated.
+   *        The rest of the fields will be set once enrollment is complated.
+   * @param otp A one time password.
+   * @param appName The app name for this enrollment.
+   * @param deviceName The device name for this enrollment.
+   * @param namespaces A map of namespace names and access control e.g. r,rw.
+   * @return A new copy of the {@link AtKeys} that has the public encrypt key and enrollment id set.
+   *         These need to be persisted by the caller.
+   * @throws AtException If any of the commands fail.
+   */
   public static AtKeys enroll(AtCommandExecutor executor,
                               AtSign atSign,
                               AtKeys keys,
@@ -158,6 +194,20 @@ public static AtKeys enroll(AtCommandExecutor executor,
         .build();
   }
 
+  /**
+   * Performs the enrollment completion commands for a new application / device set of keys.
+   * <b>NOTE</b> This command would only be expected to succeed if the enrollment request
+   * has been approved.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param keys The {@link AtKeys} for the {@link AtSign}, this should have the APKAM keys populated.
+   *        The rest of the fields will be set once enrollment is completed.
+   * @return A new copy of the {@link AtKeys} that has the private encrypt key and self encrypt key
+   *         set.
+   *         These need to be persisted by the caller.
+   * @throws AtException If any of the commands fail.
+   */
   public static AtKeys complete(AtCommandExecutor executor, AtSign atSign, AtKeys keys) throws AtException {
 
     // attempt to authenticate with PKAM, this will succeed once the enroll request is approved
@@ -175,6 +225,13 @@ public static AtKeys complete(AtCommandExecutor executor, AtSign atSign, AtKeys
 
   }
 
+  /**
+   * Performs the commands to response processing to provide a list of {@link EnrollmentId}.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param status A filter for the request statuses.
+   * @throws AtException If any of the commands fail.
+   */
   public static List<EnrollmentId> list(AtCommandExecutor executor, String status) throws AtException {
     try {
 
@@ -196,6 +253,15 @@ public static List<EnrollmentId> list(AtCommandExecutor executor, String status)
     }
   }
 
+  /**
+   * Performs the enrollment approve commands for a new application / device set of keys.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param keys The {@link AtKeys} for the {@link AtSign} that have the authority to manage
+   *        enrollment requests. Typically the first set of keys from the onboard.
+   * @param enrollmentId The {@link EnrollmentId} to approve.
+   * @throws AtException If any of the commands fail.
+   */
   public static void approve(AtCommandExecutor executor, AtKeys keys, EnrollmentId enrollmentId) throws AtException {
     try {
 
@@ -237,18 +303,48 @@ public static void approve(AtCommandExecutor executor, AtKeys keys, EnrollmentId
 
   }
 
+  /**
+   * Performs the enrollment revoke commands for a pending application / device set of keys.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param enrollmentId The {@link EnrollmentId} to deny.
+   * @throws AtException If any of the commands fail.
+   */
   public static void deny(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
     singleArgEnrollAction(executor, "deny", enrollmentId, "denied");
   }
 
+  /**
+   * Performs the enrollment revoke commands for a previously approved application / device set of
+   * keys.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param enrollmentId The {@link EnrollmentId} to revoke.
+   * @throws AtException If any of the commands fail.
+   */
   public static void revoke(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
     singleArgEnrollAction(executor, "revoke", enrollmentId, "revoked");
   }
 
+  /**
+   * Performs the enrollment revoke commands for a previously revoked application / device set of
+   * keys.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param enrollmentId The {@link EnrollmentId} to unrevoke.
+   * @throws AtException If any of the commands fail.
+   */
   public static void unrevoke(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
     singleArgEnrollAction(executor, "unrevoke", enrollmentId, "approved");
   }
 
+  /**
+   * Performs the enrollment revoke commands for an application / device set of keys.
+   *
+   * @param executor An executor to an atserver command interface.
+   * @param enrollmentId The {@link EnrollmentId} to delete.
+   * @throws AtException If any of the commands fail.
+   */
   public static void delete(AtCommandExecutor executor, EnrollmentId enrollmentId) throws Exception {
     singleArgEnrollAction(executor, "delete", enrollmentId, "deleted");
   }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java b/at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java
index c0ce8942..60b22e10 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/ErrorResponses.java
@@ -9,24 +9,32 @@
 import org.atsign.client.impl.exceptions.AtException;
 
 /**
- * Utility methods for handling error responses in the AtSign protocol
+ * Utility methods for handling error responses in the At Protocol.
  */
 public class ErrorResponses {
 
   /**
-   * models server data response
+   * Models server data response
    */
-  public static final Pattern ERROR = Pattern.compile("error:(.+)");
+  private static final Pattern ERROR = Pattern.compile("error:(.+)");
 
-  public static String matchError(String input) {
-    return Responses.match(input, ERROR);
+  private static final Pattern ERROR_WITH_CODE = Pattern.compile("error:(AT\\d+)([^:]*):\\s*(.+)");
+
+  /**
+   * Use this to verify a "error:xxxx" response.
+   *
+   * @param response A response string from an AtSign command interface
+   * @return the response with the "error:" prefix removed
+   */
+  public static String matchError(String response) {
+    return Responses.match(response, ERROR);
   }
 
   /**
    * Utility method that can be used to wrap a response and throw a typed
    * {@link AtException} is the response represents an error.
    *
-   * @param response a response string from an AtSign command interface
+   * @param response A response string from an AtSign command interface
    * @return the response parameter if the response is NOT an error
    * @throws AtException a typed exception if the response is an error
    */
@@ -38,12 +46,16 @@ public static String throwExceptionIfError(String response) throws AtException {
     return response;
   }
 
-  public static AtException getAtExceptionIfError(String response) throws AtException {
+  private static AtException getAtExceptionIfError(String response) throws AtException {
     checkNotNull(response);
-    Matcher matcher = Pattern.compile("error:(AT\\d+)([^:]*):\\s*(.+)").matcher(response);
+    Matcher matcher = ERROR_WITH_CODE.matcher(response);
     if (matcher.matches()) {
       return toTypedException(matcher.group(1), matcher.group(3));
     }
+    matcher = ERROR.matcher(response);
+    if (matcher.matches()) {
+      return new AtException(matcher.group(1));
+    }
     return null;
   }
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java
index 7a3baf25..965d294f 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/KeyCommands.java
@@ -1,29 +1,37 @@
 package org.atsign.client.impl.commands;
 
-import static org.atsign.client.impl.commands.DataResponses.*;
-import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
 import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.meta;
+import static org.atsign.client.impl.commands.DataResponses.matchDataJsonListOfStrings;
+import static org.atsign.client.impl.commands.DataResponses.matchMetadata;
+import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
 
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.ExecutionException;
 
-import org.atsign.client.api.AtKeyNames;
 import org.atsign.client.api.AtCommandExecutor;
-import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtKeyNames;
 import org.atsign.client.api.Keys.AtKey;
 import org.atsign.client.api.Metadata;
+import org.atsign.client.impl.exceptions.AtException;
 
 import lombok.extern.slf4j.Slf4j;
 
 /**
- * Atsign Protocol utility code that relates to keys (the records) that are managed by an
- * atserver.
+ * At Protocol utility code that relates to keys (the records) that can be stored in an
+ * At Server.
  *
  */
 @Slf4j
 public class KeyCommands {
 
+  /**
+   * Sends the delete command and verifies the response.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param rawKey The key to delete.
+   * @throws AtException If any of the commands fail.
+   */
   public static void deleteKey(AtCommandExecutor executor, String rawKey) throws AtException {
     try {
 
@@ -39,10 +47,27 @@ public static void deleteKey(AtCommandExecutor executor, String rawKey) throws A
     }
   }
 
+  /**
+   * Sends the delete command and verifies the response for an {@link AtKey}
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param key The key to delete.
+   * @throws AtException If any of the commands fail.
+   */
   public static void deleteKey(AtCommandExecutor executor, AtKey key) throws AtException {
     deleteKey(executor, key.rawKey());
   }
 
+  /**
+   * Sends the scan command to list the matching keys. And optionally then does a lookup
+   * to obtain the metadata for each key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param regex A regular expression to match the key names.
+   * @param fetchMetadata If true then utility will lookup the metadata for each key.
+   * @return A list of {@link AtKey} subclasses that correspond to the scan results.
+   * @throws AtException If any of the commands fail.
+   */
   public static List<AtKey> getKeys(AtCommandExecutor executor, String regex, boolean fetchMetadata)
       throws AtException {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java b/at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java
index 3ee3e612..3faecc0a 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/LookupResponse.java
@@ -5,7 +5,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 /**
- * Data class used to hold a response to lookup, llookup or plookup commands
+ * Models the response to lookup, llookup or plookup commands
  */
 public class LookupResponse {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java b/at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java
index 8813cd42..1ba03664 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/Notifications.java
@@ -10,27 +10,47 @@
 import java.util.function.Consumer;
 import java.util.regex.Pattern;
 
-import lombok.extern.slf4j.Slf4j;
+import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.api.AtEvents;
 import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.AtCommandExecutor;
-import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.exceptions.AtException;
+
+import lombok.extern.slf4j.Slf4j;
 
 /**
- * Utility methods for managing notifications within the AtSign protocol
+ * Utility methods for managing notifications within the At Protocol.
  */
 public class Notifications {
 
   /**
-   * models server response string which is non-empty JSON map
+   * Models server response string which is non-empty JSON map
    */
-  protected static final Pattern NOTIFICATION_JSON_NON_EMPTY_MAP = Pattern.compile("notification:\\s*(\\{.+})");
+  private static final Pattern NOTIFICATION_JSON_NON_EMPTY_MAP = Pattern.compile("notification:\\s*(\\{.+})");
 
+  /**
+   * Creates a {@link Consumer} that can be passed to {@link AtCommandExecutor#onReady(Consumer)} to
+   * request notifications. <b>NOTE</b> monitoring is contingent on authentication to this will
+   * authenticate
+   * with pkam prior to sending the monitor command.
+   *
+   * @param atSign The {@link AtSign} to authenticate.
+   * @param keys The {@link AtKeys} to authenticate with.
+   * @param consumer A consumer that will be invoked with each notification.
+   */
   public static Consumer<AtCommandExecutor> monitor(AtSign atSign, AtKeys keys, Consumer<String> consumer) {
     return throwOnReadyException(executor -> monitor(executor, atSign, keys, consumer));
   }
 
+  /**
+   * Sends the commands to perform PKAM authentication followed by monitor command.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The {@link AtSign} to authenticate.
+   * @param keys The {@link AtKeys} to authenticate with.
+   * @param consumer A consumer that will be invoked with each notification.
+   * @throws AtException If any of the commands fail.
+   */
   public static void monitor(AtCommandExecutor executor, AtSign atSign, AtKeys keys, Consumer<String> consumer)
       throws AtException {
     try {
@@ -46,8 +66,14 @@ public static void monitor(AtCommandExecutor executor, AtSign atSign, AtKeys key
     }
   }
 
-  public static Map<String, Object> matchNotification(String s) {
-    return Responses.match(s, NOTIFICATION_JSON_NON_EMPTY_MAP, Responses::decodeJsonMapOfObjects);
+  /**
+   * Use this to verify a "notification:{...}" response.
+   *
+   * @param input The At Server response to verify.
+   * @return The decoded map of fields from the notification JSON.
+   */
+  public static Map<String, Object> matchNotification(String input) {
+    return Responses.match(input, NOTIFICATION_JSON_NON_EMPTY_MAP, Responses::decodeJsonMapOfObjects);
   }
 
   /**
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java
index a3b75128..45905494 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/PublicKeyCommands.java
@@ -1,27 +1,37 @@
 package org.atsign.client.impl.commands;
 
+import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
 import static org.atsign.client.impl.commands.DataResponses.matchDataInt;
 import static org.atsign.client.impl.commands.DataResponses.matchLookupResponse;
 import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
 import static org.atsign.client.impl.util.EncryptionUtils.signSHA256RSA;
-import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
 
 import java.util.concurrent.ExecutionException;
 
-import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtClient.GetRequestOptions;
 import org.atsign.client.api.AtCommandExecutor;
-import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.AtSign;
 import org.atsign.client.api.Keys.PublicKey;
 import org.atsign.client.api.Metadata;
-import org.atsign.client.api.AtClient.GetRequestOptions;
+import org.atsign.client.impl.exceptions.AtException;
 
 /**
- * Atsign protocol utility code that relates to "public keys"
+ * At Protocol utility code that relates to "public keys".
  *
  */
 public class PublicKeyCommands {
 
+  /**
+   * Get the String value associated with a public key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param key The {@link PublicKey}
+   * @param options If set then can be used to bypass caches.
+   * @return The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
   public static String get(AtCommandExecutor executor, AtSign atSign, PublicKey key, GetRequestOptions options)
       throws AtException {
     if (atSign.equals(key.sharedBy())) {
@@ -31,12 +41,21 @@ public static String get(AtCommandExecutor executor, AtSign atSign, PublicKey ke
     }
   }
 
-  public static String getSharedByMe(AtCommandExecutor executor, PublicKey publicKey) throws AtException {
+  /**
+   * Get the String value associated with a public key that has been shared by the {@link AtSign}
+   * that the {@link AtCommandExecutor} has authenticated with. This will use a llookup command.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param key The {@link PublicKey}
+   * @return The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
+  public static String getSharedByMe(AtCommandExecutor executor, PublicKey key) throws AtException {
     try {
 
       // send a local lookup command and decode the response
       String llookupCommand = CommandBuilders.llookupCommandBuilder()
-          .key(publicKey)
+          .key(key)
           .operation(all)
           .build();
       String llookupResponse = executor.sendSync(llookupCommand);
@@ -45,7 +64,7 @@ public static String getSharedByMe(AtCommandExecutor executor, PublicKey publicK
       // set isCached in metadata
       if (response.key.contains("cached:")) {
         Metadata metadata = response.metaData.toBuilder().isCached(true).build();
-        publicKey.overwriteMetadata(metadata);
+        key.overwriteMetadata(metadata);
       }
 
       // return value
@@ -56,13 +75,23 @@ public static String getSharedByMe(AtCommandExecutor executor, PublicKey publicK
     }
   }
 
-  public static String getSharedByOther(AtCommandExecutor executor, PublicKey publicKey, GetRequestOptions options)
+  /**
+   * Get the String value associated with a public key that has been shared by somebody other than
+   * the {@link AtSign} that the {@link AtCommandExecutor} has authenticated with. This will use
+   * a plookup command.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param key The {@link PublicKey}
+   * @return The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
+  public static String getSharedByOther(AtCommandExecutor executor, PublicKey key, GetRequestOptions options)
       throws AtException {
     try {
 
       // send public lookup command and decode the response
       String plookupCommand = CommandBuilders.plookupCommandBuilder()
-          .key(publicKey)
+          .key(key)
           .bypassCache(options != null ? options.isBypassCache() : null)
           .operation(all)
           .build();
@@ -72,7 +101,7 @@ public static String getSharedByOther(AtCommandExecutor executor, PublicKey publ
       // set isCached in metadata
       if (response.key.contains("cached:")) {
         Metadata metadata = response.metaData.toBuilder().isCached(true).build();
-        publicKey.overwriteMetadata(metadata);
+        key.overwriteMetadata(metadata);
       }
 
       // return value
@@ -83,18 +112,29 @@ public static String getSharedByOther(AtCommandExecutor executor, PublicKey publ
     }
   }
 
-  public static void put(AtCommandExecutor executor, AtKeys keys, PublicKey publicKey, String value)
+  /**
+   * Set a String value to be associated with a public key. A signature will be added to the key
+   * metadata using the AtSign's Private Encryption Key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param key The {@link PublicKey}
+   * @param value The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
+  public static void put(AtCommandExecutor executor, AtSign atSign, AtKeys keys, PublicKey key, String value)
       throws AtException {
+    checkAtSignCanPut(atSign, key);
     try {
 
       // add a signature to the metadata
       Metadata metadata = Metadata.builder()
           .dataSignature(signSHA256RSA(value, keys.getEncryptPrivateKey()))
           .build();
-      publicKey.updateMissingMetadata(metadata);
+      key.updateMissingMetadata(metadata);
 
       // send and update command
-      String updateCommand = CommandBuilders.updateCommandBuilder().key(publicKey).value(value).build();
+      String updateCommand = CommandBuilders.updateCommandBuilder().key(key).value(value).build();
       String updateResponse = executor.sendSync(updateCommand);
 
       // verify the response
@@ -105,4 +145,10 @@ public static void put(AtCommandExecutor executor, AtKeys keys, PublicKey public
     }
   }
 
+  private static void checkAtSignCanPut(AtSign atSign, PublicKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/Responses.java b/at_client/src/main/java/org/atsign/client/impl/commands/Responses.java
index d6238927..48c60b97 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/Responses.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/Responses.java
@@ -1,53 +1,70 @@
 package org.atsign.client.impl.commands;
 
-import com.fasterxml.jackson.core.type.TypeReference;
-import org.atsign.client.impl.util.JsonUtils;
-
 import java.util.List;
 import java.util.Map;
 import java.util.function.Function;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import org.atsign.client.impl.util.JsonUtils;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+
 /**
- * Atsign protocol utility code that relates to processing responses from an atserver
+ * At Protocol utility code that relates to processing responses from an At Server.
  *
  */
 
 public class Responses {
 
+  /**
+   * Decodes a JSON string that represents a Map of Strings.
+   *
+   * @param json A JSON Object string.
+   * @return The map of Strings.
+   */
   public static Map<String, String> decodeJsonMapOfStrings(String json) {
-    try {
-      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+    return JsonUtils.readValue(json, new TypeReference<>() {});
   }
 
+  /**
+   * Decodes a JSON string that represents a Map of Objects.
+   *
+   * @param json A JSON Object string.
+   * @return The Map of Objects.
+   */
   public static Map<String, Object> decodeJsonMapOfObjects(String json) {
-    try {
-      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+    return JsonUtils.readValue(json, new TypeReference<>() {});
   }
 
+  /**
+   * Decodes a JSON string that represents a List of Objects.
+   *
+   * @param json A JSON list string.
+   * @return The List of Objects.
+   */
   public static List<Object> decodeJsonList(String json) {
-    try {
-      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+    return JsonUtils.readValue(json, new TypeReference<>() {});
   }
 
+  /**
+   * Decodes a JSON string that represents a List of Strings.
+   *
+   * @param json A JSON list string.
+   * @return The List of Objects.
+   */
   public static List<String> decodeJsonListOfStrings(String json) {
-    try {
-      return JsonUtils.MAPPER.readValue(json, new TypeReference<>() {});
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+    return JsonUtils.readValue(json, new TypeReference<>() {});
   }
 
+  /**
+   * Verifies that the input matches a regular expression and returns the matched groups in the
+   * pattern.
+   *
+   * @param input The At Server response.
+   * @param pattern The expected regex for a successful command.
+   * @return The concatenation of any groups in the pattern, or the whole input if no groups.
+   */
   public static String match(String input, Pattern pattern) {
     Matcher matcher = pattern.matcher(input);
     if (!matcher.matches()) {
@@ -64,6 +81,15 @@ public static String match(String input, Pattern pattern) {
     return builder.toString();
   }
 
+  /**
+   * Verifies that the input matches a regular expression and returns the matched groups in the
+   * pattern with a transformation applied.
+   *
+   * @param input The At Server response.
+   * @param pattern The expected regex for a successful command.
+   * @return The transformed concatenation of any groups in the pattern, or the whole input if no
+   *         groups.
+   */
   public static <T> T match(String input, Pattern pattern, Function<String, T> transformer) {
     return transformer.apply(match(input, pattern));
   }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java
index 8c39dffe..3754bf32 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/ScanCommands.java
@@ -9,12 +9,20 @@
 import org.atsign.client.impl.exceptions.AtException;
 
 /**
- * Atsign protocol utility code that relates querying the keys in an atserver.
+ * At Protocol utility code that relates querying the keys in an atserver.
  *
  */
 
 public class ScanCommands {
 
+  /**
+   * Sends the scan command and decodes the JSON response.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param showHidden scan command argument which controls whether hidden keys are returned.
+   * @param regex scan command argument which will filter the keys that are returned.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
   public static List<String> scan(AtCommandExecutor executor, boolean showHidden, String regex) throws AtException {
     try {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java
index 8b423b5c..7e4c8688 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/SelfKeyCommands.java
@@ -1,28 +1,36 @@
 package org.atsign.client.impl.commands;
 
-import org.atsign.client.api.AtKeys;
-import org.atsign.client.api.AtCommandExecutor;
-import org.atsign.client.impl.exceptions.AtException;
-import org.atsign.client.api.Keys.SelfKey;
-import org.atsign.client.api.Metadata;
-
-import java.util.concurrent.ExecutionException;
-
+import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
 import static org.atsign.client.impl.commands.DataResponses.matchDataInt;
 import static org.atsign.client.impl.commands.DataResponses.matchLookupResponse;
 import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
-import static org.atsign.client.impl.util.EncryptionUtils.*;
-import static org.atsign.client.impl.util.EncryptionUtils.aesEncryptToBase64;
 import static org.atsign.client.impl.common.Preconditions.checkNotNull;
-import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
+import static org.atsign.client.impl.util.EncryptionUtils.*;
+
+import java.util.concurrent.ExecutionException;
+
+import org.atsign.client.api.*;
+import org.atsign.client.api.Keys.SelfKey;
+import org.atsign.client.impl.exceptions.AtException;
 
 /**
- * Atsign protocol utility code that relates to "self keys"
+ * At Protocol utility code that relates to "self keys"
  *
  */
 public class SelfKeyCommands {
 
-  public static String get(AtCommandExecutor executor, AtKeys keys, SelfKey key) throws AtException {
+  /**
+   * Get the String value associated with a self key. The value will be decrypted with the AtSign's
+   * Self Encryption Key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param key The {@link Keys.SelfKey}
+   * @return The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
+  public static String get(AtCommandExecutor executor, AtSign atSign, AtKeys keys, SelfKey key) throws AtException {
+    checkAtSignCanGet(atSign, key);
     try {
 
       // send local lookup command and decode response
@@ -44,7 +52,20 @@ public static String get(AtCommandExecutor executor, AtKeys keys, SelfKey key) t
     }
   }
 
-  public static void put(AtCommandExecutor executor, AtKeys keys, SelfKey key, String value) throws AtException {
+  /**
+   * Set a String value to be associated with a self key. The value will be encrypted with the
+   * AtSign's
+   * Self Encryption Key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param key The {@link Keys.SelfKey}
+   * @param value The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
+  public static void put(AtCommandExecutor executor, AtSign atSign, AtKeys keys, SelfKey key, String value)
+      throws AtException {
+    checkAtSignCanPut(atSign, key);
     try {
 
       // add signature and iv
@@ -72,4 +93,16 @@ public static void put(AtCommandExecutor executor, AtKeys keys, SelfKey key, Str
     }
   }
 
+  private static void checkAtSignCanGet(AtSign atSign, SelfKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
+  private static void checkAtSignCanPut(AtSign atSign, SelfKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java b/at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java
index 35863eb9..d84251f7 100644
--- a/at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java
+++ b/at_client/src/main/java/org/atsign/client/impl/commands/SharedKeyCommands.java
@@ -5,7 +5,6 @@
 import static org.atsign.client.impl.commands.ErrorResponses.throwExceptionIfError;
 import static org.atsign.client.impl.commands.CommandBuilders.LookupOperation.all;
 import static org.atsign.client.impl.common.Preconditions.checkNotNull;
-import static org.atsign.client.impl.common.Preconditions.checkTrue;
 import static org.atsign.client.impl.util.EncryptionUtils.*;
 
 import java.util.concurrent.ExecutionException;
@@ -18,14 +17,26 @@
 import org.atsign.client.impl.util.EncryptionUtils;
 
 /**
- * Atsign protocol utility code that relates to "shared keys"
+ * At Protocol utility code that relates to "shared keys".
  *
  */
 
 public class SharedKeyCommands {
 
+  /**
+   * Get the String value associated with a shared key. The value will be encrypted with a specific
+   * key for the sharedBy-sharedWith relationship.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param key The {@link Keys.SharedKey}
+   * @return The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
+
   public static String get(AtCommandExecutor executor, AtSign atSign, AtKeys keys, SharedKey key)
       throws AtException {
+    checkAtSignCanGet(atSign, key);
     if (key.sharedBy().equals(atSign)) {
       return getSharedByMe(executor, keys, key);
     } else if (key.sharedWith().equals(atSign)) {
@@ -35,9 +46,20 @@ public static String get(AtCommandExecutor executor, AtSign atSign, AtKeys keys,
     }
   }
 
+  /**
+   * Set a String value to be associated with a shared key. The value will be decrypted with a
+   * specific
+   * key for the sharedBy-sharedWith relationship.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param atSign The AtSign that corresponds to the executor.
+   * @param key The {@link Keys.SharedKey}
+   * @param value The associated value.
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
   public static void put(AtCommandExecutor executor, AtSign atSign, AtKeys keys, SharedKey key, String value)
       throws AtException {
-    checkTrue(key.sharedBy().equals(atSign), "sharedBy does not match this client's atsign");
+    checkAtSignCanPut(atSign, key);
     try {
 
       // get or create key for sharedBy - sharedWith
@@ -63,7 +85,7 @@ public static void put(AtCommandExecutor executor, AtSign atSign, AtKeys keys, S
     }
   }
 
-  public static String getSharedByMe(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
+  private static String getSharedByMe(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
     try {
 
       // send local lookup command and decode
@@ -81,7 +103,7 @@ public static String getSharedByMe(AtCommandExecutor executor, AtKeys keys, Shar
     }
   }
 
-  public static String getSharedByOther(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
+  private static String getSharedByOther(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
     try {
 
       // send lookup command and decode
@@ -99,6 +121,17 @@ public static String getSharedByOther(AtCommandExecutor executor, AtKeys keys, S
     }
   }
 
+  /**
+   * Get the specific encryption key which needs to be used for a sharedBy - sharedWith relationship
+   * where the AtSign that the {@link AtCommandExecutor} has authenticated with is the sharedBy
+   * AtSign. This will automatically decrypt the value with the AtKeys Private Encryption Key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param keys The {@link AtKeys} for the {@link AtSign} that is the sharedBy in the relationship.
+   * @param key The {@link Keys.SharedKey}
+   * @return The symmetric encryption key (in base64).
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
   public static String getEncryptKeySharedByMe(AtCommandExecutor executor, AtKeys keys, SharedKey key)
       throws AtException {
     try {
@@ -133,6 +166,17 @@ public static String getEncryptKeySharedByMe(AtCommandExecutor executor, AtKeys
     }
   }
 
+  /**
+   * Get the specific encryption key which needs to be used for a sharedBy - sharedWith relationship
+   * where the AtSign that the {@link AtCommandExecutor} has authenticated with is the sharedWith
+   * AtSign. This will automatically decrypt the value with the AtKeys Private Encryption Key.
+   *
+   * @param executor The {@link AtCommandExecutor} to use.
+   * @param keys The {@link AtKeys} for the {@link AtSign} that is the sharedWith in the relationship.
+   * @param key The {@link Keys.SharedKey}
+   * @return The symmetric encryption key (in base64).
+   * @throws AtException If any of the commands fail or the key does not exist.
+   */
   public static String getEncryptKeySharedByOther(AtCommandExecutor executor, AtKeys keys, SharedKey key)
       throws AtException {
     try {
@@ -165,7 +209,7 @@ public static String getEncryptKeySharedByOther(AtCommandExecutor executor, AtKe
     }
   }
 
-  public static String createEncryptKey(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
+  private static String createEncryptKey(AtCommandExecutor executor, AtKeys keys, SharedKey key) throws AtException {
     try {
 
       // generate a new encrypt key
@@ -206,7 +250,7 @@ public static String createEncryptKey(AtCommandExecutor executor, AtKeys keys, S
     }
   }
 
-  public static String getEncryptKey(AtCommandExecutor executor, AtSign sharedBy) throws AtException {
+  private static String getEncryptKey(AtCommandExecutor executor, AtSign sharedBy) throws AtException {
     try {
 
       // send plookup for atsign's public encryption key
@@ -224,4 +268,17 @@ public static String getEncryptKey(AtCommandExecutor executor, AtSign sharedBy)
     }
   }
 
+  private static void checkAtSignCanGet(AtSign atSign, SharedKey key) {
+    if (!key.sharedBy().equals(atSign) && !key.sharedWith().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is neither the sharedBy or sharedWith of " + key);
+    }
+  }
+
+  private static void checkAtSignCanPut(AtSign atSign, SharedKey key) {
+    if (!key.sharedBy().equals(atSign)) {
+      throw new IllegalArgumentException(atSign + " is not the sharedBy of " + key);
+    }
+  }
+
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java b/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
index 8cd620e6..aa57fae6 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
@@ -4,7 +4,11 @@
 import java.util.function.Consumer;
 
 /**
- * An "element" / holder for commands
+ * An "element" / holder for At Protocol commands.
+ * This is intended to be used by {@link org.atsign.client.api.AtCommandExecutor} implementations.
+ * This holder maintains the association to a {@link CompletableFuture} and the {@link Consumer}
+ * (if the command generates a stream of events). It also holds context information such as a
+ * timestamp and whether the command was sent from an onReady {@link Consumer}.
  */
 public class CommandElement {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java b/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
index 94f2bb24..1577b5e6 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
@@ -13,10 +13,11 @@
 import java.util.stream.Collectors;
 
 /**
- * A queue of {@link CommandElement} elements. This is used to hold pending commands, those
- * commands which have been sent but no response has been received (or event commands
- * where there will be a stream of responses). It is also used to hold queued commands
- * in the event that the pending {@link CommandQueue} is full.
+ * A queue of {@link CommandElement} elements.
+ * This is intended to be used by {@link org.atsign.client.api.AtCommandExecutor}
+ * implementations to hold pending commands, those commands which have been sent but no response has
+ * been received (or event commands where there will be a stream of responses). It is also used to
+ * hold queued commands in the event that the pending {@link CommandQueue} is full.
  */
 public class CommandQueue implements Iterable<CommandElement> {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java b/at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java
index b01751f9..9711915b 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/Preconditions.java
@@ -6,7 +6,7 @@
 import java.util.regex.Pattern;
 
 /**
- * Basic precondition helpers (we could use something like guava but we want to limit dependencies)
+ * Basic precondition helpers.
  */
 public class Preconditions {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java b/at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java
index cb30a7a8..9d73cf7c 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/SimpleAtEventBus.java
@@ -19,6 +19,7 @@
  */
 @Slf4j
 public class SimpleAtEventBus implements AtEventBus {
+
   private final ExecutorService executor = Executors.newCachedThreadPool();
 
   final Map<AtEventListener, Set<AtEventType>> eventListeners = new HashMap<>();
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/package-info.java b/at_client/src/main/java/org/atsign/client/impl/common/package-info.java
new file mode 100644
index 00000000..d3fe447b
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/common/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * Common classes used in the implementation of the At Protocol SDK.
+ */
+package org.atsign.client.impl.common;
diff --git a/at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java
index 582d9927..d0be5510 100644
--- a/at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/AtException.java
@@ -3,7 +3,8 @@
 /**
  * Base class for all Atsign Platform {@link Exception}s
  */
-public abstract class AtException extends Exception {
+public class AtException extends Exception {
+
   public AtException(String message) {
     super(message);
   }
diff --git a/at_client/src/main/java/org/atsign/client/impl/exceptions/package-info.java b/at_client/src/main/java/org/atsign/client/impl/exceptions/package-info.java
new file mode 100644
index 00000000..39172591
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/exceptions/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * Typed {@link java.lang.Exception} classes for the SDK.
+ */
+package org.atsign.client.impl.exceptions;
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java
index 6a9404e6..37b4f975 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandEncoder.java
@@ -6,7 +6,8 @@
 import io.netty.handler.codec.MessageToByteEncoder;
 
 /**
- * A Netty encoder which ensures that commands are terminated by a newline
+ * A Netty encoder which ensures that commands are terminated by a newline. As per the
+ * At Protocol specification.
  */
 public class NettyAtCommandEncoder extends MessageToByteEncoder<CharSequence> {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
index 8f960a08..3202da0d 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
@@ -43,7 +43,7 @@
 import lombok.Builder;
 
 /**
- * An implementation that uses Netty
+ * An implementation of {@link AtCommandExecutor} that uses Netty.
  */
 public class NettyAtCommandExecutor implements AtCommandExecutor {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java
index 51c62c24..ddb06061 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtResponseDecoder.java
@@ -9,7 +9,8 @@
 import io.netty.util.CharsetUtil;
 
 /**
- *
+ * A decoder that will split AT Server and Directory Server responses into discrete
+ * Strings.
  */
 public final class NettyAtResponseDecoder extends ByteToMessageDecoder {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
index 741fd4e6..86195ac6 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
@@ -7,7 +7,7 @@
 /**
  * Wraps a thread factory (or the default netty thread factory) with one that sets thread locals.
  * This way we can detect when a command is invoked as part of OnReady and prevent
- * netty event thread from sending a command and then blocking on itself
+ * netty event thread from sending a command and then blocking on itself.
  */
 class NettyAtThreadFactory implements ThreadFactory {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/package-info.java b/at_client/src/main/java/org/atsign/client/impl/netty/package-info.java
new file mode 100644
index 00000000..2b9457fc
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/package-info.java
@@ -0,0 +1,6 @@
+/**
+ * An implementation of {@link org.atsign.client.api.AtCommandExecutor} and
+ * {@link org.atsign.client.impl.AtEndpointSupplier} which use Netty to connect to the
+ * tcp interfaces of the At Directory Server and At Servers.
+ */
+package org.atsign.client.impl.netty;
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java b/at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java
deleted file mode 100644
index fd44877b..00000000
--- a/at_client/src/main/java/org/atsign/client/impl/util/ByteUtils.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package org.atsign.client.impl.util;
-
-import lombok.extern.slf4j.Slf4j;
-
-import java.nio.charset.StandardCharsets;
-
-/**
- * Utility class with "no throw" methods for converting between byte arrays and Strings
- */
-@Slf4j
-public class ByteUtils {
-  public static String convert(byte[] data) {
-    try {
-      return new String(data, StandardCharsets.UTF_8);
-    } catch (Exception e) {
-      log.error("Error occurred while parsing the data to string", e);
-      return null;
-    }
-  }
-
-  public static byte[] convert(String data) {
-    try {
-      return data.getBytes(StandardCharsets.UTF_8);
-    } catch (Exception e) {
-      log.error("Error occurred while parsing the string to byte array data", e);
-      return null;
-    }
-  }
-}
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java b/at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java
index f8c18405..f464fb56 100644
--- a/at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/EncryptionUtils.java
@@ -22,18 +22,34 @@
  */
 public class EncryptionUtils {
 
+  /**
+   * The signing algo "label"
+   */
   public static final String SIGNING_ALGO_RSA = "rsa2048";
+
+  /**
+   * The hashing algo "label"
+   */
   public static final String HASHING_ALGO_SHA256 = "sha256";
 
   static {
     Security.addProvider(new BouncyCastleProvider());
   }
 
-  public static String aesEncryptToBase64(String clearText, String keyBase64, String ivNonce)
+  /**
+   * Encrypts a String with the AES Cipher and encodes as Base 64.
+   *
+   * @param input The String to encrypt
+   * @param key The AES symmetric key to use.
+   * @param iv An initialization vector to use.
+   * @return The Base64 encoded encrypted String.
+   * @throws AtEncryptionException If something fails.
+   */
+  public static String aesEncryptToBase64(String input, String key, String iv)
       throws AtEncryptionException {
     try {
-      Cipher cipher = createAesCipher(Cipher.ENCRYPT_MODE, keyBase64, ivNonce);
-      byte[] encrypted = cipher.doFinal(clearText.getBytes());
+      Cipher cipher = createAesCipher(Cipher.ENCRYPT_MODE, key, iv);
+      byte[] encrypted = cipher.doFinal(input.getBytes());
       return Base64.getEncoder().encodeToString(encrypted);
     } catch (NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException
         | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) {
@@ -42,18 +58,18 @@ public static String aesEncryptToBase64(String clearText, String keyBase64, Stri
   }
 
   /**
-   * Decrypts the text using AES {@link Cipher}
+   * Decrypts a Base64 encoded String with the AES Cipher.
    *
-   * @param text base64 encoded text to decrypt
-   * @param key base64 encoded AES key to use
-   * @param iv base64 encoded initialization vector to use
-   * @return decrypted text
-   * @throws AtDecryptionException with underlying cause
+   * @param input The Base64 encoded String to decrypt.
+   * @param key The AES symmetric key to use.
+   * @param iv An initialization vector that was used.
+   * @return The decrypted String.
+   * @throws AtDecryptionException If something fails.
    */
-  public static String aesDecryptFromBase64(String text, String key, String iv) throws AtDecryptionException {
+  public static String aesDecryptFromBase64(String input, String key, String iv) throws AtDecryptionException {
     try {
       Cipher cipher = createAesCipher(Cipher.DECRYPT_MODE, key, iv);
-      byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(text));
+      byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(input));
       return new String(decrypted);
     } catch (NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException | InvalidKeyException
         | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException e) {
@@ -61,6 +77,12 @@ public static String aesDecryptFromBase64(String text, String key, String iv) th
     }
   }
 
+  /**
+   * Generate a new RSA Key Pair.
+   *
+   * @return A new RSA {@link KeyPair}.
+   * @throws AtEncryptionException If something fails.
+   */
   public static KeyPair generateRSAKeyPair() throws AtEncryptionException {
     try {
       KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
@@ -71,6 +93,12 @@ public static KeyPair generateRSAKeyPair() throws AtEncryptionException {
     }
   }
 
+  /**
+   * Generate a new AES symmetric key.
+   *
+   * @return A new Base 64 encoded AES symmetric key.
+   * @throws AtEncryptionException If something fails.
+   */
   public static String generateAESKeyBase64() throws AtEncryptionException {
     try {
       KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
@@ -82,13 +110,20 @@ public static String generateAESKeyBase64() throws AtEncryptionException {
     }
   }
 
-  public static String rsaDecryptFromBase64(String cipherTextBase64, String privateKeyBase64)
-      throws AtDecryptionException {
+  /**
+   * Decrypts a Base64 encoded String with the RSA Cipher.
+   *
+   * @param input The Base64 encoded String to decrypt.
+   * @param key The private RSA key to use.
+   * @return The decrypted String.
+   * @throws AtDecryptionException If something fails.
+   */
+  public static String rsaDecryptFromBase64(String input, String key) throws AtDecryptionException {
     try {
-      PrivateKey privateKey = _privateKeyFromBase64(privateKeyBase64);
+      PrivateKey privateKey = toPrivateKey(key);
       Cipher decryptCipher = Cipher.getInstance("RSA");
       decryptCipher.init(Cipher.DECRYPT_MODE, privateKey);
-      byte[] decoded = Base64.getDecoder().decode(cipherTextBase64.getBytes(StandardCharsets.UTF_8));
+      byte[] decoded = Base64.getDecoder().decode(input.getBytes(StandardCharsets.UTF_8));
       byte[] decryptedMessageBytes = decryptCipher.doFinal(decoded);
       return new String(decryptedMessageBytes, StandardCharsets.UTF_8);
     } catch (NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException | InvalidKeyException
@@ -97,12 +132,20 @@ public static String rsaDecryptFromBase64(String cipherTextBase64, String privat
     }
   }
 
-  public static String rsaEncryptToBase64(String clearText, String publicKeyBase64) throws AtEncryptionException {
+  /**
+   * Encrypts a String with the RSA Cipher and encodes as Base 64.
+   *
+   * @param input The String to encrypt
+   * @param key The RSA public key to use.
+   * @return The Base64 encoded encrypted String.
+   * @throws AtEncryptionException If something fails.
+   */
+  public static String rsaEncryptToBase64(String input, String key) throws AtEncryptionException {
     try {
-      PublicKey publicKey = _publicKeyFromBase64(publicKeyBase64);
+      PublicKey publicKey = toPublicKey(key);
       Cipher encryptCipher = Cipher.getInstance("RSA");
       encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey);
-      byte[] clearTextBytes = clearText.getBytes(StandardCharsets.UTF_8);
+      byte[] clearTextBytes = input.getBytes(StandardCharsets.UTF_8);
       byte[] encryptedMessageBytes = encryptCipher.doFinal(clearTextBytes);
       return Base64.getEncoder().encodeToString(encryptedMessageBytes);
     } catch (NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException | InvalidKeyException
@@ -111,48 +154,57 @@ public static String rsaEncryptToBase64(String clearText, String publicKeyBase64
     }
   }
 
-  public static String signSHA256RSA(String value, String privateKeyBase64) throws AtEncryptionException {
+  /**
+   * Creates signature and encodes as Base 64.
+   *
+   * @param input The String to encrypt
+   * @param key The RSA private key to use.
+   * @return The Base64 encoded signature.
+   * @throws AtEncryptionException If something fails.
+   */
+  public static String signSHA256RSA(String input, String key) throws AtEncryptionException {
     try {
-      return _signSHA256RSA(value, _privateKeyFromBase64(privateKeyBase64));
+      PrivateKey pk = toPrivateKey(key);
+      Signature privateSignature = Signature.getInstance("SHA256withRSA");
+      privateSignature.initSign(pk);
+      privateSignature.update(input.getBytes(StandardCharsets.UTF_8));
+      byte[] signedBytes = privateSignature.sign();
+      return Base64.getEncoder().encodeToString(signedBytes);
     } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidKeyException | SignatureException e) {
       throw new AtEncryptionException("SHA256 sign failed", e);
     }
   }
 
-  // non-public methods
-  public static String _signSHA256RSA(String input, PrivateKey pk)
-      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
-    Signature privateSignature = Signature.getInstance("SHA256withRSA");
-    privateSignature.initSign(pk);
-    privateSignature.update(input.getBytes(StandardCharsets.UTF_8));
-    byte[] signedBytes = privateSignature.sign();
-    return Base64.getEncoder().encodeToString(signedBytes);
-  }
-
-  public static PublicKey _publicKeyFromBase64(String s) throws NoSuchAlgorithmException, InvalidKeySpecException {
+  private static PublicKey toPublicKey(String s) throws NoSuchAlgorithmException, InvalidKeySpecException {
     byte[] keyBytes = Base64.getDecoder().decode(s.getBytes(StandardCharsets.UTF_8));
     EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
     KeyFactory rsaKeyFactory = KeyFactory.getInstance("RSA");
     return rsaKeyFactory.generatePublic(keySpec);
   }
 
-  public static PrivateKey _privateKeyFromBase64(String s) throws NoSuchAlgorithmException, InvalidKeySpecException {
+  private static PrivateKey toPrivateKey(String s) throws NoSuchAlgorithmException, InvalidKeySpecException {
     byte[] keyBytes = Base64.getDecoder().decode(s.getBytes(StandardCharsets.UTF_8));
     PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
     KeyFactory rsaKeyFactory = KeyFactory.getInstance("RSA");
     return rsaKeyFactory.generatePrivate(keySpec);
   }
 
-  public static SecretKey _aesKeyFromBase64(String s) {
+  private static SecretKey toSecretKey(String s) {
     byte[] keyBytes = Base64.getDecoder().decode(s.getBytes());
     return new SecretKeySpec(keyBytes, "AES");
   }
 
-  public static IvParameterSpec _ivFromBase64(String s) {
+  private static IvParameterSpec toIvParameterSpec(String s) {
     byte[] ivBytes = Base64.getDecoder().decode(s.getBytes());
     return new IvParameterSpec(ivBytes);
   }
 
+  /**
+   * Creates random initialization vector.
+   *
+   * @param length of vector required.
+   * @return The Base 64 encoded vector.
+   */
   public static String generateRandomIvBase64(int length) {
     byte[] iv = new byte[length];
     SecureRandom secureRandom = new SecureRandom();
@@ -162,8 +214,8 @@ public static String generateRandomIvBase64(int length) {
 
   private static Cipher createAesCipher(int mode, String keyBase64, String ivNonce) throws NoSuchAlgorithmException,
       NoSuchProviderException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException {
-    SecretKey key = _aesKeyFromBase64(keyBase64);
-    IvParameterSpec iv = _ivFromBase64(ivNonce);
+    SecretKey key = toSecretKey(keyBase64);
+    IvParameterSpec iv = toIvParameterSpec(ivNonce);
     Cipher cipher = Cipher.getInstance("AES/SIC/PKCS7Padding", "BC");
     cipher.init(mode, key, iv);
     return cipher;
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java b/at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java
index 0babacbe..092a7cfc 100644
--- a/at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/JsonUtils.java
@@ -7,9 +7,12 @@
 import java.time.format.DateTimeFormatter;
 
 import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.DeserializationContext;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectWriter;
 import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
 import com.fasterxml.jackson.databind.module.SimpleModule;
 
@@ -18,7 +21,67 @@
  */
 public class JsonUtils {
 
-  public static final ObjectMapper MAPPER = objectMapper(false);
+  private static final ObjectMapper MAPPER = objectMapper(false);
+
+  private static final ObjectWriter PRETTY_WRITER = objectMapper(false).writerWithDefaultPrettyPrinter();
+
+  /**
+   * Decode a JSON String to a class instance.
+   *
+   * @param json The JSON to decode.
+   * @param klass The type to instantiate.
+   * @return An instance that corresponds to the JSON.
+   * @param <T> The type of the instance.
+   */
+  public static <T> T readValue(String json, Class<T> klass) {
+    try {
+      return MAPPER.readValue(json, klass);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  /**
+   * Decode a JSON String to a class instance.
+   *
+   * @param json The JSON to decode.
+   * @param typeRef The type to instantiate.
+   * @return An instance that corresponds to the JSON.
+   * @param <T> The type of the instance.
+   */
+  public static <T> T readValue(String json, TypeReference<T> typeRef) {
+    try {
+      return MAPPER.readValue(json, typeRef);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  /**
+   * Encode an Object to JSON.
+   *
+   * @param o The object to encode.
+   * @return The JSON representation of the Object.
+   */
+
+  public static String writeValueAsString(Object o) {
+    return writeValueAsString(o, false);
+  }
+
+  /**
+   * Encode an Object to JSON.
+   *
+   * @param o The object to encode.
+   * @param pretty If true then return multi-line indented JSON.
+   * @return The JSON representation of the Object.
+   */
+  public static String writeValueAsString(Object o, boolean pretty) {
+    try {
+      return pretty ? PRETTY_WRITER.writeValueAsString(o) : MAPPER.writeValueAsString(o);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
 
   private static ObjectMapper objectMapper(boolean isStrict) {
     ObjectMapper mapper = new ObjectMapper();
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java b/at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java
index 3daa1ac2..3bd620db 100644
--- a/at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/KeysUtils.java
@@ -1,9 +1,9 @@
 package org.atsign.client.impl.util;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
 import static org.atsign.client.impl.util.EncryptionUtils.aesDecryptFromBase64;
 import static org.atsign.client.impl.util.EncryptionUtils.aesEncryptToBase64;
-import static org.atsign.client.impl.common.EnrollmentId.createEnrollmentId;
 
 import java.io.File;
 import java.io.IOException;
@@ -12,28 +12,25 @@
 import java.util.Map;
 import java.util.TreeMap;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import lombok.extern.slf4j.Slf4j;
 import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.common.EnrollmentId;
 import org.atsign.client.impl.common.TypedString;
 import org.atsign.client.impl.exceptions.AtClientConfigException;
+import org.atsign.client.impl.exceptions.AtDecryptionException;
 
 import com.fasterxml.jackson.core.type.TypeReference;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.atsign.client.impl.exceptions.AtDecryptionException;
+
+import lombok.extern.slf4j.Slf4j;
 
 /**
- * Utility class for loading a saving {@link AtKeys} from the file system
+ * Utility class for loading a saving {@link AtKeys} from the file system.
  */
 @Slf4j
 public class KeysUtils {
 
   static private final String EMPTY_IV = Base64.getEncoder().encodeToString(new byte[16]);
 
-  private static final ObjectMapper MAPPER = JsonUtils.MAPPER;
-
   private static final TypeReference<Map<String, String>> STRING_MAP_TYPE = new TypeReference<>() {};
 
   public static final String ATSIGN_KEYS_DIR = "ATSIGN_KEYS_DIR";
@@ -65,10 +62,24 @@ public class KeysUtils {
   private static final String APKAM_SYMMETRIC_KEY = "apkamSymmetricKey";
   private static final String ENROLLMENT_ID = "enrollmentId";
 
+  /**
+   * Persists {@link AtKeys} to the default file for the {@link AtSign}.
+   *
+   * @param atSign The {@link AtSign} which these keys relate to.
+   * @param keys The {@link AtKeys} to persist.
+   * @throws Exception If anything fails.
+   */
   public static void saveKeys(AtSign atSign, AtKeys keys) throws Exception {
     saveKeys(keys, getKeysFile(atSign));
   }
 
+  /**
+   * Persists {@link AtKeys} to a file.
+   *
+   * @param keys The {@link AtKeys} to persist.
+   * @param file The file to write / overwrite.
+   * @throws IOException If anything fails.
+   */
   public static void saveKeys(AtKeys keys, File file) throws IOException {
     if (file.getParentFile() != null && !file.getParentFile().exists()) {
       Files.createDirectories(file.getParentFile().toPath());
@@ -78,10 +89,25 @@ public static void saveKeys(AtKeys keys, File file) throws IOException {
     Files.write(file.toPath(), getAsJson(keys).getBytes(UTF_8));
   }
 
+  /**
+   * Instantiates a {@link AtKeys} loaded with the contents of the default
+   * keys file for the {@link AtSign}.
+   *
+   * @param atSign The {@link AtSign} which these keys relate to.
+   * @return A populated {@link AtKeys} instance.
+   * @throws AtClientConfigException If anything fails or the keys file does not exist.
+   */
   public static AtKeys loadKeys(AtSign atSign) throws AtClientConfigException {
     return loadKeys(getKeysFileFallbackToLegacyLocation(atSign));
   }
 
+  /**
+   * Instantiates a {@link AtKeys} loaded with the contents of a keys file.
+   *
+   * @param file The file to read.
+   * @return A populated {@link AtKeys} instance.
+   * @throws AtClientConfigException If anything fails or the keys file does not exist.
+   */
   public static AtKeys loadKeys(File file) throws AtClientConfigException {
     try {
       return createAtKeysFromJson(Files.readString(file.toPath()));
@@ -107,12 +133,26 @@ private static File getKeysFileFallbackToLegacyLocation(AtSign atSign) throws At
     return file;
   }
 
+  /**
+   * The default file for an {@link AtSign}. This will default the file location (directory)
+   * and filename.
+   *
+   * @param atSign The {@link AtSign} which these keys relate to.
+   * @return The file.
+   */
   public static File getKeysFile(AtSign atSign) {
     return getKeysFile(atSign, expectedKeysFilesLocation);
   }
 
-  public static File getKeysFile(AtSign atSign, String folderToLookIn) {
-    return new File(folderToLookIn, atSign + keysFileSuffix);
+  /**
+   * The default file for an {@link AtSign}. This will default the filename.
+   *
+   * @param atSign The {@link AtSign} which these keys relate to.
+   * @param dir The directory for the file.
+   * @return The file.
+   */
+  public static File getKeysFile(AtSign atSign, String dir) {
+    return new File(dir, atSign + keysFileSuffix);
   }
 
   private static String getFirstNonEmpty(String... candidates) {
@@ -139,7 +179,7 @@ private static String getAsJson(AtKeys keys) {
 
       map.put(VERSION_KEY, VERSION_1);
 
-      return MAPPER.writerWithDefaultPrettyPrinter().writeValueAsString(map);
+      return JsonUtils.writeValueAsString(map, true);
     } catch (Exception e) {
       throw new RuntimeException(e);
     }
@@ -147,14 +187,14 @@ private static String getAsJson(AtKeys keys) {
 
   private static AtKeys createAtKeysFromJson(String json) throws AtClientConfigException {
     try {
-      Map<String, String> map = MAPPER.readValue(json, STRING_MAP_TYPE);
+      Map<String, String> map = JsonUtils.readValue(json, STRING_MAP_TYPE);
       String version = map.getOrDefault(VERSION_KEY, VERSION_1);
       if (version.equals(VERSION_1)) {
         return createAtKeysVersion1(map);
       } else {
         throw new AtClientConfigException("unsupported version of AtKeys json : " + version);
       }
-    } catch (JsonProcessingException | AtDecryptionException e) {
+    } catch (AtDecryptionException e) {
       throw new AtClientConfigException("failed to create AtKeys from json", e);
     }
   }
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java b/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
index 94434ff8..4198d60b 100644
--- a/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
@@ -1,7 +1,7 @@
 package org.atsign.client.impl.util;
 
 /**
- * Utility class with static methods for common String operations
+ * Utility class with static methods for common String operations.
  */
 public class StringUtils {
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/package-info.java b/at_client/src/main/java/org/atsign/client/impl/util/package-info.java
new file mode 100644
index 00000000..339b8719
--- /dev/null
+++ b/at_client/src/main/java/org/atsign/client/impl/util/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * Utility classes.
+ */
+package org.atsign.client.impl.util;
diff --git a/at_client/src/test/java/org/atsign/client/api/MetadataTest.java b/at_client/src/test/java/org/atsign/client/api/MetadataTest.java
index ed164c89..fd8bb41e 100644
--- a/at_client/src/test/java/org/atsign/client/api/MetadataTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/MetadataTest.java
@@ -119,7 +119,7 @@ void testFromJsonEmptyObjectProducesAllNullFields() throws JsonProcessingExcepti
 
   @Test
   void testFromJsonInvalidJsonThrowsException() {
-    assertThrows(JsonProcessingException.class, () -> Metadata.fromJson("not-json"));
+    assertThrows(RuntimeException.class, () -> Metadata.fromJson("not-json"));
   }
 
   @Test
diff --git a/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java b/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java
new file mode 100644
index 00000000..ed316daf
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java
@@ -0,0 +1,82 @@
+package org.atsign.client.impl;
+
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.io.File;
+
+import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.AtCommandExecutors.AtCommandExecutorBuilder;
+import org.atsign.client.impl.commands.ScanCommands;
+import org.atsign.client.impl.util.KeysUtils;
+import org.atsign.cucumber.helpers.Helpers;
+import org.atsign.virtualenv.VirtualEnv;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+class AtCommandExecutorsIT {
+
+  private static AtSign atSign;
+  private static AtKeys keys;
+
+  @BeforeAll
+  public static void classSetup() throws Exception {
+    if (!Helpers.isHostPortReachable("vip.ve.atsign.zone:64", SECONDS.toMillis(2))) {
+      VirtualEnv.setUp();
+    }
+    atSign = AtSign.createAtSign("colin");
+    keys = KeysUtils.loadKeys(new File("target/at_demo_data/lib/assets/atkeys/@colin.atKeys"));
+  }
+
+  @Test
+  void testBuildWithRootHost() throws Exception {
+    AtCommandExecutorBuilder builder = AtCommandExecutors.builder()
+        .url("vip.ve.atsign.zone")
+        .atSign(atSign)
+        .keys(keys)
+        .reconnect(ReconnectStrategy.NONE);
+    try (AtCommandExecutor executor = builder.build()) {
+      assertThat(ScanCommands.scan(executor, true, ".*"), is(not(empty())));
+    }
+  }
+
+  @Test
+  void testBuildWithRootHostButNoAuthentication() throws Exception {
+    AtCommandExecutorBuilder builder = AtCommandExecutors.builder()
+        .url("vip.ve.atsign.zone")
+        .atSign(atSign)
+        .reconnect(ReconnectStrategy.NONE);
+    try (AtCommandExecutor executor = builder.build()) {
+      assertThat(ScanCommands.scan(executor, true, ".*"), is(not(empty())));
+    }
+  }
+
+  @Test
+  void testBuildWithProxyUrl() throws Exception {
+    AtCommandExecutorBuilder builder = AtCommandExecutors.builder()
+        .url("proxy:vip.ve.atsign.zone:25026")
+        .atSign(atSign)
+        .keys(keys)
+        .reconnect(ReconnectStrategy.NONE);
+    try (AtCommandExecutor executor = builder.build()) {
+      assertThat(ScanCommands.scan(executor, true, ".*"), is(not(empty())));
+    }
+  }
+
+  @Test
+  void testBuildWithProxyUrlEnforcesAuthentication() throws Exception {
+    AtCommandExecutorBuilder builder = AtCommandExecutors.builder()
+        .url("proxy:vip.ve.atsign.zone:25026")
+        .reconnect(ReconnectStrategy.NONE);
+    Exception ex = assertThrows(Exception.class, () -> builder.build());
+    assertThat(ex.getMessage(), containsString("atSign must be set for a proxy url"));
+  }
+
+}
diff --git a/at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java
index 11f5592d..6f743bc5 100644
--- a/at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/PublicKeyCommandsTest.java
@@ -8,29 +8,31 @@
 
 import java.util.concurrent.ExecutionException;
 
-import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtClient.GetRequestOptions;
 import org.atsign.client.api.AtCommandExecutor;
-import org.atsign.client.impl.util.EncryptionUtils;
+import org.atsign.client.api.AtKeys;
+import org.atsign.client.api.AtSign;
 import org.atsign.client.api.Keys;
 import org.atsign.client.impl.exceptions.AtKeyNotFoundException;
 import org.atsign.client.impl.exceptions.AtServerRuntimeException;
-import org.atsign.client.api.AtClient.GetRequestOptions;
+import org.atsign.client.impl.util.EncryptionUtils;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 class PublicKeyCommandsTest {
 
   private Keys.PublicKey key;
-
   private AtKeys keys;
+  private AtSign atSign;
 
   @BeforeEach
   public void setup() throws Exception {
     keys = AtKeys.builder()
         .encryptKeyPair(EncryptionUtils.generateRSAKeyPair())
         .build();
+    atSign = createAtSign("gary");
     key = Keys.publicKeyBuilder()
-        .sharedBy(createAtSign("gary"))
+        .sharedBy(atSign)
         .name("test")
         .build();
   }
@@ -135,7 +137,7 @@ void testPutSendsExpectedCommands() throws Exception {
         .stub("update:dataSignature:.+:isEncrypted:false:public:test@gary hello world", "data:123")
         .build();
 
-    PublicKeyCommands.put(executor, keys, key, "hello world");
+    PublicKeyCommands.put(executor, createAtSign("gary"), keys, key, "hello world");
   }
 
   @Test
@@ -148,7 +150,8 @@ void testPutThrowExceptionIfCommandFails() throws Exception {
         .encryptKeyPair(EncryptionUtils.generateRSAKeyPair())
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> PublicKeyCommands.put(executor, keys, key, "hello world"));
+    assertThrows(AtServerRuntimeException.class,
+                 () -> PublicKeyCommands.put(executor, createAtSign("gary"), keys, key, "hello world"));
   }
 
   @Test
@@ -161,7 +164,8 @@ void testPutExecutionException() throws Exception {
         .encryptKeyPair(EncryptionUtils.generateRSAKeyPair())
         .build();
 
-    assertThrows(RuntimeException.class, () -> PublicKeyCommands.put(executor, keys, key, "hello world"));
+    assertThrows(RuntimeException.class,
+                 () -> PublicKeyCommands.put(executor, createAtSign("gary"), keys, key, "hello world"));
   }
 
   private static String createMockLookupResponse(String key, String value) {
diff --git a/at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java
index dac22ae6..2a74780f 100644
--- a/at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/SelfKeyCommandsTest.java
@@ -10,6 +10,7 @@
 
 import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.AtCommandExecutor;
+import org.atsign.client.api.AtSign;
 import org.atsign.client.api.Keys;
 import org.atsign.client.impl.exceptions.AtServerRuntimeException;
 import org.junit.jupiter.api.BeforeEach;
@@ -20,6 +21,7 @@ class SelfKeyCommandsTest {
   private Keys.SelfKey key;
 
   private AtKeys keys;
+  private AtSign atSign;
 
   @BeforeEach
   public void setup() throws Exception {
@@ -27,8 +29,9 @@ public void setup() throws Exception {
         .selfEncryptKey(generateAESKeyBase64())
         .encryptKeyPair(generateRSAKeyPair())
         .build();
+    atSign = createAtSign("gary");
     key = Keys.selfKeyBuilder()
-        .sharedBy(createAtSign("gary"))
+        .sharedBy(atSign)
         .name("test")
         .build();
   }
@@ -42,7 +45,7 @@ void testGet() throws Exception {
         .stub("llookup:all:test@gary", createMockLookupResponse("test@gary", encrypted, iv))
         .build();
 
-    String actual = SelfKeyCommands.get(executor, keys, key);
+    String actual = SelfKeyCommands.get(executor, atSign, keys, key);
 
     assertThat(actual, equalTo("hello me"));
   }
@@ -53,7 +56,7 @@ void testGetException() throws Exception {
         .stub("llookup:all:test@gary", "error:AT0001:deliberate")
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> SelfKeyCommands.get(executor, keys, key));
+    assertThrows(AtServerRuntimeException.class, () -> SelfKeyCommands.get(executor, atSign, keys, key));
   }
 
   @Test
@@ -62,7 +65,7 @@ void testGetExecutionException() throws Exception {
         .stubExecutionException("llookup:all:test@gary")
         .build();
 
-    assertThrows(RuntimeException.class, () -> SelfKeyCommands.get(executor, keys, key));
+    assertThrows(RuntimeException.class, () -> SelfKeyCommands.get(executor, atSign, keys, key));
   }
 
   @Test
@@ -71,7 +74,7 @@ void testPut() throws Exception {
         .stub("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+", "data:123")
         .build();
 
-    SelfKeyCommands.put(executor, keys, key, "hello world");
+    SelfKeyCommands.put(executor, atSign, keys, key, "hello world");
     verify(executor).sendSync(argThat(s -> !s.contains("hello world")));
   }
 
@@ -81,7 +84,7 @@ void testPutAtException() throws Exception {
         .stub("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+", "error:AT0001:deliberate")
         .build();
 
-    assertThrows(AtServerRuntimeException.class, () -> SelfKeyCommands.put(executor, keys, key, "hello world"));
+    assertThrows(AtServerRuntimeException.class, () -> SelfKeyCommands.put(executor, atSign, keys, key, "hello world"));
   }
 
   @Test
@@ -90,7 +93,7 @@ void testPutExecutionException() throws Exception {
         .stubExecutionException("update:dataSignature:.+:isEncrypted:true:ivNonce:.+:test@gary .+")
         .build();
 
-    assertThrows(RuntimeException.class, () -> SelfKeyCommands.put(executor, keys, key, "hello world"));
+    assertThrows(RuntimeException.class, () -> SelfKeyCommands.put(executor, atSign, keys, key, "hello world"));
   }
 
   private static String createMockLookupResponse(String key, String encrypted, String iv) {
diff --git a/at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java
index 23b1255d..f7e627f5 100644
--- a/at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/SharedKeyCommandsTest.java
@@ -57,7 +57,7 @@ void testGetNotSharedByMeOrWithMeThrowsException() throws Exception {
 
     RuntimeException ex =
         assertThrows(RuntimeException.class, () -> SharedKeyCommands.get(executor, createAtSign("alice"), keys, key));
-    assertThat(ex.getMessage(), containsString("the client atsign is neither the sharedBy or sharedWith"));
+    assertThat(ex.getMessage(), containsString("@alice is neither the sharedBy or sharedWith of @colin:test@gary"));
   }
 
   @Test
diff --git a/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java
index 91936b99..30b8e805 100644
--- a/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java
+++ b/at_client/src/test/java/org/atsign/client/impl/netty/NettyAtCommandExecutorIT.java
@@ -38,7 +38,6 @@ void testResolveAtServer() throws Exception {
     assertThat(provider.get().matches("\\S+:\\d+"), is(true));
   }
 
-
   @Test
   void testScan() throws Exception {
     NettyAtEndpointSupplier provider = NettyAtEndpointSupplier.builder()
diff --git a/at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java b/at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java
deleted file mode 100644
index 66ed8622..00000000
--- a/at_client/src/test/java/org/atsign/client/impl/util/ByteUtilsTest.java
+++ /dev/null
@@ -1,85 +0,0 @@
-package org.atsign.client.impl.util;
-
-
-import org.junit.jupiter.api.Test;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-public class ByteUtilsTest {
-
-
-  @Test
-  public void testByteUtil0() {
-    byte[] bytec = new byte[] {74, 101, 114, 101, 109, 121, 84, 117, 98, 111, 110, 103, 98, 97, 110, 117, 97, 32};
-    assertEquals("JeremyTubongbanua ", ByteUtils.convert(bytec));
-
-  }
-
-
-  @Test
-  public void testByteUtil1() {
-    String s = "ABC";
-    byte[] bytes = {65, 66, 67};
-    assertArrayEquals(bytes, ByteUtils.convert(s));
-  }
-
-  @Test
-  public void testByteUtil2() {
-    byte[] bytec = {64, 62, 75, 85, 96, 45};
-    assertEquals("@>KU`-", ByteUtils.convert(bytec));
-  }
-
-  @Test
-  public void testByteUtil3() {
-    String s = "@>KU`-";
-    byte[] bytes = {64, 62, 75, 85, 96, 45};
-    assertArrayEquals(bytes, ByteUtils.convert(s));
-  }
-
-  @Test
-  public void testByteUtil4() {
-    byte[] bytec = {64, 65, 69, 54};
-    assertEquals("@AE6", ByteUtils.convert(bytec));
-  }
-
-  @Test
-  public void testByteUtil5() {
-    String s = "TECHNOLOGY";
-    byte[] bytes = {84, 69, 67, 72, 78, 79, 76, 79, 71, 89};
-    assertArrayEquals(bytes, ByteUtils.convert(s));
-  }
-
-  @Test
-  public void testByteUtil6() {
-    byte[] bytec = new byte[] {75, 69, 82, 115, 121, 90, 43, 98};
-    assertEquals("KERsyZ+b", ByteUtils.convert(bytec));
-  }
-
-  @Test
-  public void testByteUtil7() {
-    String s = "+ada#4C0)";
-    byte[] bytes = {43, 97, 100, 97, 35, 52, 67, 48, 41};
-    assertArrayEquals(bytes, ByteUtils.convert(s));
-  }
-
-  @Test
-  public void testByteUtil8() {
-    byte[] bytec = new byte[] {45, 45, 43, 97, 115, 100, 99, 96, 96, 126, 50, 41};
-    assertEquals("--+asdc``~2)", ByteUtils.convert(bytec));
-  }
-
-  @Test
-  public void testByteUtil9() {
-    String s = "at_sign";
-    byte[] bytes = {97, 116, 95, 115, 105, 103, 110};
-    assertArrayEquals(bytes, ByteUtils.convert(s));
-  }
-
-  @Test
-  public void testByteUtil10() {
-    byte[] bytec = {83, 105, 100, 104, 97, 114, 116, 104};
-    assertEquals("Sidharth", ByteUtils.convert(bytec));
-  }
-
-}

From 425256e462f65fc83521859a09d6561301413785 Mon Sep 17 00:00:00 2001
From: akafredperry <fred@atsign.com>
Date: Fri, 13 Mar 2026 11:07:17 +0000
Subject: [PATCH 5/5] feature: adjusted timeouts and retry settings after
 testing with non virtual env

---
 .../java/org/atsign/client/api/AtClient.java  |  4 +-
 .../java/org/atsign/client/api/AtKeys.java    | 24 ++++-
 .../java/org/atsign/client/api/AtSign.java    |  6 +-
 .../main/java/org/atsign/client/api/Keys.java | 90 +++++++++++++++++++
 .../java/org/atsign/client/api/Metadata.java  |  3 +-
 .../org/atsign/client/impl/AtClientImpl.java  | 32 +++++--
 .../org/atsign/client/impl/AtClients.java     | 59 ++++++++++--
 .../client/impl/AtCommandExecutors.java       | 49 ++++++++++
 .../client/impl/AtEndpointSuppliers.java      | 37 +++++++-
 .../atsign/client/impl/cli/AbstractCli.java   | 18 ++--
 .../org/atsign/client/impl/cli/DumpKeys.java  |  4 +-
 .../ActivateAtsignWithSuperApiKey.java        |  6 +-
 .../impl/cli/register/GetFreeAtsign.java      |  2 +-
 .../impl/cli/register/RegisterAtsign.java     |  5 +-
 .../impl/cli/register/RegisterUtil.java       |  8 +-
 .../client/impl/cli/register/ValidateOtp.java |  5 +-
 .../client/impl/common/CommandElement.java    |  5 ++
 .../client/impl/common/CommandQueue.java      |  2 +-
 .../impl/{ => common}/ReconnectStrategy.java  |  4 +-
 .../impl/common/SimpleReconnectStrategy.java  |  1 -
 .../impl/netty/NettyAtCommandExecutor.java    | 66 ++++++++++----
 .../impl/netty/NettyAtEndpointSupplier.java   | 42 ++++++++-
 .../impl/netty/NettyAtThreadFactory.java      |  2 +-
 .../atsign/client/impl/util/StringUtils.java  |  2 +-
 .../org/atsign/client/api/AtSignTest.java     | 13 +--
 .../client/impl/AtCommandExecutorsIT.java     |  3 +-
 .../impl/commands/CommandBuildersTest.java    | 66 +++++++-------
 .../client/impl/util/EncryptionUtilsTest.java |  1 +
 .../client/impl/util/KeysUtilsTest.java       |  3 +-
 .../client/impl/util/StringUtilsTest.java     | 38 ++++++++
 .../atsign/cucumber/steps/ParameterTypes.java |  4 +-
 .../test/resources/simpleLogger.properties    |  2 +-
 .../main/java/org/atsign/client/cli/REPL.java |  3 +-
 .../examples/PublicKeyDeleteExample.java      | 17 +---
 .../PublicKeyGetBypassCacheExample.java       | 17 +---
 .../atsign/examples/PublicKeyGetExample.java  | 14 +--
 .../atsign/examples/PublicKeyPutExample.java  | 15 +---
 .../atsign/examples/SelfKeyDeleteExample.java | 14 +--
 .../atsign/examples/SelfKeyGetExample.java    | 15 +---
 .../atsign/examples/SelfKeyPutExample.java    | 16 +---
 .../examples/SharedKeyDeleteExample.java      | 16 +---
 .../examples/SharedKeyGetOtherExample.java    | 16 +---
 .../examples/SharedKeyGetSelfExample.java     | 16 +---
 43 files changed, 525 insertions(+), 240 deletions(-)
 rename at_client/src/main/java/org/atsign/client/impl/{ => common}/ReconnectStrategy.java (96%)
 create mode 100644 at_client/src/test/java/org/atsign/client/impl/util/StringUtilsTest.java

diff --git a/at_client/src/main/java/org/atsign/client/api/AtClient.java b/at_client/src/main/java/org/atsign/client/api/AtClient.java
index 5b44c581..c3570947 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtClient.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtClient.java
@@ -9,8 +9,8 @@
 import lombok.Value;
 
 /**
- * A core interface which enables users to interact with an AtServer as
- * a map-like interface (rather than having sending AtProtocol commands).
+ * Represents something which enables users to interact with an AtServer as
+ * a map-like interface.
  * Users are able to invoke put, get and delete operations for the different key
  * types ({@link PublicKey}, {@link SelfKey} and {@link SharedKey}).
  * Users can also subscribe to notifications, an {@link AtClient} is an
diff --git a/at_client/src/main/java/org/atsign/client/api/AtKeys.java b/at_client/src/main/java/org/atsign/client/api/AtKeys.java
index af60c70c..53d5aea2 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtKeys.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtKeys.java
@@ -12,11 +12,13 @@
 import org.atsign.client.impl.common.EnrollmentId;
 
 /**
- * An immutable class used to hold an {@link org.atsign.client.api.AtClient}s keys.
+ * An immutable class used to hold an {@link org.atsign.client.api.AtClient}s keys. These
+ * are use for authentication and encryption.
  * <p>
  * Examples:
  *
  * <pre>
+ *
  * AtKeys keys = AtKeys.builder()
  *     .selfEncryptKey(generateAESKeyBase64())
  *     .apkamKeyPair(generateRSAKeyPair())
@@ -128,8 +130,26 @@ public Map<String, String> getCache() {
     return Collections.unmodifiableMap(cache);
   }
 
+
   /**
-   * Builder utility.
+   * A builder for instantiating {@link AtKeys}.
+   *
+   * <pre>
+   *
+   * AtKeys keys = AtKeys.builder()
+   *     .selfEncryptKey(EncryptionUtil.generateAESKeyBase64())
+   *     .apkamKeyPair(EncryptionUtil.generateRSAKeyPair())
+   *     .apkamSymmetricKey(EncryptionUtil.generateAESKeyBase64())
+   *     .build();
+   * </pre>
+   *
+   * <b>NOTE</b> {@link AtKeys} are immutable, so use the toBuilder() method
+   * to create a modified instance.
+   *
+   * <pre>
+   *
+   * AtKeys newKeys = keys.toBuilder().enrollmentId(enrollmentId).build();
+   * </pre>
    */
   public static class AtKeysBuilder {
 
diff --git a/at_client/src/main/java/org/atsign/client/api/AtSign.java b/at_client/src/main/java/org/atsign/client/api/AtSign.java
index af913ee4..101b54a5 100644
--- a/at_client/src/main/java/org/atsign/client/api/AtSign.java
+++ b/at_client/src/main/java/org/atsign/client/api/AtSign.java
@@ -9,7 +9,7 @@
  */
 public class AtSign extends TypedString {
 
-  public AtSign(String s) {
+  private AtSign(String s) {
     super(formatAtSign(s));
   }
 
@@ -18,10 +18,10 @@ public String withoutPrefix() {
   }
 
   /**
-   * Factory method
+   * A factory method for instantiating {@link AtSign} instances.
    *
    * @param s the string representation of the Atsign (can be with our without @ prefix)
-   * @return null is s is null or blank, otherwise the corresponding {@link AtSign} for s
+   * @return null if param is null or blank, otherwise the corresponding {@link AtSign} for the param
    */
   public static AtSign createAtSign(String s) {
     return s != null && !s.isBlank() ? new AtSign(s) : null;
diff --git a/at_client/src/main/java/org/atsign/client/api/Keys.java b/at_client/src/main/java/org/atsign/client/api/Keys.java
index 2384c36d..635cb35b 100644
--- a/at_client/src/main/java/org/atsign/client/api/Keys.java
+++ b/at_client/src/main/java/org/atsign/client/api/Keys.java
@@ -177,6 +177,28 @@ public static PublicKey publicKey(AtSign sharedBy, String name, String namespace
     return new PublicKey(sharedBy, toName(name, namespace), metadata);
   }
 
+  /**
+   * A builder for instantiating {@link Keys.PublicKey} instances.
+   *
+   * <pre>
+
+   * Keys.PublicKey key = Keys.publicKeyBuilder()
+   *     .sharedBy(...)   // the AtSign which is sharing the key
+   *     .name(...)       // the key name
+   *     .namespace(...)
+   *     .ttl(...)
+   *     .ttb(...)
+   *     .ttr(...)
+   *     .ccd(...)
+   *     .isCached(...)
+   *     .isBinary(...)
+   *     .metadata(...)
+   *     .build();
+   * </pre>
+   */
+  public static class PublicKeyBuilder {
+  }
+
   /**
    * Models a "self key" in the Atsign Platform specification.
    */
@@ -208,6 +230,29 @@ public static SelfKey selfKey(AtSign sharedBy, AtSign sharedWith, String name, S
     return new SelfKey(sharedBy, sharedWith, toName(name, namespace), metadata);
   }
 
+  /**
+   * A builder for instantiating {@link Keys.SelfKey} instances.
+   *
+   * <pre>
+
+   * Keys.SelfKey key = Keys.selfKeyBuilder()
+   *     .sharedBy(...)   // the AtSign which is sharing the key
+   *     .sharedWith(...)
+   *     .name(...)       // the key name
+   *     .namespace(...)
+   *     .ttl(...)
+   *     .ttb(...)
+   *     .ttr(...)
+   *     .ccd(...)
+   *     .isHidden(...)
+   *     .isBinary(...)
+   *     .metadata(...)
+   *     .build();
+   * </pre>
+   */
+  public static class SelfKeyBuilder {
+  }
+
   /**
    * Models a "shared key" in the Atsign Platform specification.
    */
@@ -248,6 +293,31 @@ public static SharedKey sharedKey(AtSign sharedBy, AtSign sharedWith, String nam
     return new SharedKey(sharedBy, sharedWith, toName(name, namespace), metadata);
   }
 
+  /**
+   * A builder for instantiating {@link Keys.SharedKey} instances.
+   *
+   * <pre>
+
+   * Keys.SharedKey key = Keys.sharedKeyBuilder()
+   *     .sharedBy(...)   // the AtSign which is sharing the key
+   *     .sharedWith(...) // the AtSign which the key is being shared with
+   *     .name(...)       // the key name
+   *     .namespace(...)
+   *     .ttl(...)
+   *     .ttb(...)
+   *     .ttr(...)
+   *     .ccd(...)
+   *     .isCached(...)
+   *     .isHidden(...)
+   *     .isBinary(...)
+   *     .metadata(...)
+   *     .rawKey(...)     // the raw key i.e. @sharedWith:name@sharedBy
+   *     .build();
+   * </pre>
+   */
+  public static class SharedKeyBuilder {
+  }
+
   /**
    * Represents a "private hidden key" in the Atsign Platform
    */
@@ -276,6 +346,26 @@ public static AtKey key(String rawKey, Metadata metadata) {
     throw new IllegalArgumentException(rawKey + " does NOT match any raw key parser");
   }
 
+  /**
+   * A builder for instantiating typed {@link AtKey} instances from raw key names.
+   * e.g. @sharedWith:name@sharedBy or public:name@sharedBy. This builder will
+   * decode everything based on the raw key name.
+   *
+   * <pre>
+   *
+   * Keys.AtKey key = Keys.keyBuilder().rawKey(...).build();
+   * </pre>
+   *
+   * Metadata can also be provided.
+   *
+   * <pre>
+   *
+   * Keys.AtKey key = Keys.keyBuilder().rawKey(...).metadata(...).build();
+   * </pre>
+   */
+  public static class KeyBuilder {
+  }
+
   private interface RawKeyParser<T extends AtKey> extends Predicate<String> {
     T parse(String rawKey, Metadata metadata);
   }
diff --git a/at_client/src/main/java/org/atsign/client/api/Metadata.java b/at_client/src/main/java/org/atsign/client/api/Metadata.java
index 5ff8d603..48f66d8f 100644
--- a/at_client/src/main/java/org/atsign/client/api/Metadata.java
+++ b/at_client/src/main/java/org/atsign/client/api/Metadata.java
@@ -47,8 +47,7 @@ public class Metadata {
   /**
    * A builder for instantiating {@link Metadata} instances. Note: Metadata is immutable so if you
    * want to create a modified instance then use the toBuilder() method, override the fields and
-   * invoke
-   * build().
+   * invoke build().
    */
   public static class MetadataBuilder {
     // required for javadoc
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java b/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
index 0db6e7ef..4bb1696c 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtClientImpl.java
@@ -37,7 +37,7 @@
  *
  * <pre>
  * AtClientImplBuilder builder = AtClientImpl.builder()
- *     .atSign(createAtSign("colin"))
+ *     .atSign(...)
  *     .keys(...)
  *     .executor(...)
  *     .eventBus(...);
@@ -71,15 +71,35 @@ public AtCommandExecutor getCommandExecutor() {
 
   @Builder
   public AtClientImpl(AtSign atSign, AtKeys keys, AtCommandExecutor executor, AtEventBus eventBus) {
-    checkNotNull(keys.getEncryptPrivateKey(), "AtKeys have not been fully enrolled");
-    this.atSign = atSign;
-    this.keys = keys;
-    this.executor = executor;
-    this.eventBus = eventBus;
+    this.atSign = checkNotNull(atSign, "atSign not set");
+    this.keys = checkNotNull(keys, "keys not set");
+    this.executor = checkNotNull(executor, "executor not set");
+    this.eventBus = checkNotNull(eventBus, "eventBus not set");
     this.eventBus.addEventListener(this::handleEvent, EnumSet.allOf(AtEventType.class));
     this.eventBusBridge = new Notifications.EventBusBridge(eventBus, atSign);
+    checkNotNull(keys.getEncryptPrivateKey(), "keys have not been fully enrolled");
   }
 
+  /**
+   * A builder for instantiating {@link AtCommandExecutor} implementations that are included in
+   * this library. Example usage:
+   *
+   * <pre>
+   *
+   * AtClientImpl.builder()
+   *   .atSign(...)  // the AtSign that this client will authenticate as
+   *   .keys(...)    // the AtKeys that this client will use
+   *   .executor()   // the AtCommandExecutor this client will use
+   *   .eventBus()   // the AtEventBus this client will publish to
+   *   .build();
+   * }
+   * </pre>
+   */
+  public static class AtClientImplBuilder {
+    // required for javadoc
+  }
+
+
   @Override
   public void close() throws Exception {
     executor.close();
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtClients.java b/at_client/src/main/java/org/atsign/client/impl/AtClients.java
index 975dd1ab..a7df018d 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtClients.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtClients.java
@@ -1,26 +1,26 @@
 package org.atsign.client.impl;
 
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+
 import org.atsign.client.api.AtClient;
 import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.common.ReconnectStrategy;
 import org.atsign.client.impl.common.SimpleAtEventBus;
+import org.atsign.client.impl.common.SimpleReconnectStrategy;
 import org.atsign.client.impl.exceptions.AtException;
+import org.atsign.client.impl.util.KeysUtils;
 
 import lombok.Builder;
 
 /**
- * Utility methods / builders for instantiating {@link AtClient} implementations
- * that are included in this library.
- * Example usage:
+ * Utility methods for instantiating {@link AtClient} implementations that are included in this
+ * library. Example usage:
  *
  * <pre>
- * AtClientBuilder builder = AtClients.builder()
- *     .url("vip.ve.atsign.zone:64")
- *     .atSign(createAtSign("colin"))
- *     .keys(...);
  *
- * try (AtClient client = builder.build()) {
+ * try (AtClient client = AtClients.builder().atSign(createAtSign("colin")).build()) {
  *     client.startMonitor();
  *     client.put(...);
  *     client.get(...);
@@ -34,14 +34,21 @@ public class AtClients {
   public static AtClient createAtClient(String url,
                                         AtSign atSign,
                                         AtKeys keys,
+                                        Long timeoutMillis,
+                                        Long awaitReadyMillis,
                                         ReconnectStrategy reconnect,
                                         Boolean isVerbose)
       throws AtException {
 
+    checkNotNull(atSign, "atSign not set");
+    keys = keys != null ? keys : KeysUtils.loadKeys(atSign);
+
     AtCommandExecutor executor = AtCommandExecutors.builder()
         .url(url)
-        .keys(keys)
         .atSign(atSign)
+        .keys(keys)
+        .timeoutMillis(timeoutMillis)
+        .awaitReadyMillis(awaitReadyMillis)
         .reconnect(reconnect)
         .isVerbose(isVerbose)
         .build();
@@ -55,4 +62,38 @@ public static AtClient createAtClient(String url,
         .eventBus(eventBus)
         .build();
   }
+
+  /**
+   * A builder for instantiating {@link AtClient} implementations that are included in
+   * this library.
+   *
+   * <pre>
+   *
+   * AtClients.builder()
+   *   .atSign(...)        // the AtSign that this client will authenticate as
+   *   .url(...)           // the url for the root server or proxy (optional)
+   *   .keys(...)          // the AtKeys that this client will use (optional)
+   *   .timeoutMillis()    // timeout after which commands will complete exceptionally (optional)
+   *   .awaitReadyMillis() // how long to wait for executor to become ready during build() (optional)
+   *   .reconnect()        // a ReconnectStrategy (optional)
+   *   .isVerbose(...)     // true or false (optional)
+   *   .build();
+   * }
+   * </pre>
+   *
+   * If <b>url</b> is not set then the builder will default to
+   * {@link AtEndpointSuppliers#DEFAULT_ROOT_URL}.
+   * If <b>keys</b> is not set then the builder will default to attempting to load the keys
+   * which correspond to the atSign field in ~/.atsign/keys (or the environment variable
+   * / system property {@link KeysUtils#ATSIGN_KEYS_DIR} if set).
+   * If <b>timeoutMillis</b> is not set then builder will default to
+   * {@link AtCommandExecutors#DEFAULT_TIMEOUT_MILLIS}.
+   * If <b>awaitReadyMillis</b> is not set then the builder will default to
+   * {@link AtCommandExecutors#DEFAULT_TIMEOUT_MILLIS}.
+   * If <b>reconnect</b> is not set then the builder will default to a {@link SimpleReconnectStrategy}
+   * with no limit to the retry attempts.
+   */
+  public static class AtClientBuilder {
+    // required for javadoc
+  }
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java b/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
index 73d0bb65..d560f253 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtCommandExecutors.java
@@ -1,12 +1,16 @@
 package org.atsign.client.impl;
 
 
+import static org.atsign.client.impl.common.Preconditions.checkNotNull;
+
+import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
 
 import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.commands.AuthenticationCommands;
+import org.atsign.client.impl.common.ReconnectStrategy;
 import org.atsign.client.impl.common.SimpleReconnectStrategy;
 import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.impl.netty.NettyAtCommandExecutor;
@@ -38,22 +42,63 @@
  */
 public class AtCommandExecutors {
 
+  public static final long DEFAULT_TIMEOUT_MILLIS = TimeUnit.SECONDS.toMillis(5);
+
   @Builder(builderClassName = "AtCommandExecutorBuilder")
   public static AtCommandExecutor createCommandExecutor(String url,
                                                         AtSign atSign,
                                                         AtKeys keys,
+                                                        Long timeoutMillis,
+                                                        Long awaitReadyMillis,
                                                         ReconnectStrategy reconnect,
                                                         Boolean isVerbose)
       throws AtException {
 
+    if (AtEndpointSuppliers.isProxyUrl(url)) {
+      checkNotNull(atSign, "atSign not set");
+    }
+
     return NettyAtCommandExecutor.builder()
         .endpoint(AtEndpointSuppliers.builder().url(url).atSign(atSign).build())
         .isVerbose(isVerbose)
+        .timeoutMillis(defaultIfNotSet(timeoutMillis, DEFAULT_TIMEOUT_MILLIS))
+        .awaitReadyMillis(defaultIfNotSet(awaitReadyMillis, DEFAULT_TIMEOUT_MILLIS))
         .reconnect(defaultIfNotSet(reconnect))
         .onReady(createOnReady(atSign, keys))
         .build();
   }
 
+  /**
+   * A builder for instantiating {@link AtCommandExecutor} implementations that are included in
+   * this library. Example usage:
+   *
+   * <pre>
+   *
+   * AtCommandExecutors.builder()
+   *   .url(...)           // the url for the root server or proxy (optional)
+   *   .atSign(...)        // the AtSign that this client will authenticate as (optional)
+   *   .keys(...)          // the AtKeys that this client will use (optional)
+   *   .timeoutMillis()    // timeout after which commands will complete exceptionally (optional)
+   *   .awaitReadyMillis() // how long to wait for executor to become ready during build() (optional)
+   *   .reconnect()        // a ReconnectStrategy (optional)
+   *   .isVerbose(...)     // default false
+   *   .build();
+   * }
+   * </pre>
+   *
+   * If <b>url</b> is not set then the builder will default to
+   * {@link AtEndpointSuppliers#DEFAULT_ROOT_URL}.
+   * If <b>timeoutMillis</b> is not set then builder will default to
+   * {@link AtCommandExecutors#DEFAULT_TIMEOUT_MILLIS}.
+   * If <b>awaitReadyMillis</b> is not set then the builder will default to
+   * {@link AtCommandExecutors#DEFAULT_TIMEOUT_MILLIS}.
+   * If <b>reconnect</b> is not set then the builder will default to a {@link SimpleReconnectStrategy}
+   * with no limit to the retry attempts.
+   */
+  public static class AtCommandExecutorBuilder {
+    // required for javadoc
+  }
+
   private static Consumer<AtCommandExecutor> createOnReady(AtSign atSign, AtKeys keys) {
     Consumer<AtCommandExecutor> onReady;
     if (atSign != null && keys != null) {
@@ -69,4 +114,8 @@ private static ReconnectStrategy defaultIfNotSet(ReconnectStrategy reconnect) {
     return reconnect != null ? reconnect : SimpleReconnectStrategy.builder().build();
   }
 
+  private static long defaultIfNotSet(Long l, long defaultValue) {
+    return l != null ? l : defaultValue;
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
index 6a18a61d..f6ce24d8 100644
--- a/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
+++ b/at_client/src/main/java/org/atsign/client/impl/AtEndpointSuppliers.java
@@ -2,6 +2,7 @@
 
 import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
+import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -39,19 +40,22 @@ public class AtEndpointSuppliers {
   private static final Pattern PATTERN_PROXY_URL = Pattern.compile("proxy:(.+)");
 
   private static final Pattern PATTERN_ROOT_URL = Pattern.compile("([^:]+)(?::(\\d+))?");
+
+  public static final String DEFAULT_ROOT_URL = "root.atsign.org:64";
+
   public static final int ROOT_SERVER_PORT = 64;
 
-  @Builder
+  @Builder(builderClassName = "AtEndpointSuppliersBuilder")
   public static AtEndpointSupplier createEndpointSupplier(String url, AtSign atSign) {
-    checkNotNull(url, "url not set");
+
+    url = url != null ? url : DEFAULT_ROOT_URL;
 
     Matcher proxyMatcher = PATTERN_PROXY_URL.matcher(url);
     if (proxyMatcher.matches()) {
-      checkNotNull(atSign, "atSign must be set for a proxy url");
-      checkNotNull(atSign, "keys must be set for a proxy url");
       return () -> proxyMatcher.group(1);
     }
 
+    checkNotNull(atSign, "atSign not set");
     Matcher rootMatcher = PATTERN_ROOT_URL.matcher(url);
     if (rootMatcher.matches()) {
       checkNotNull(atSign, "atSign must be set to resolve at server endpoint from " + url);
@@ -60,10 +64,35 @@ public static AtEndpointSupplier createEndpointSupplier(String url, AtSign atSig
       return NettyAtEndpointSupplier.builder()
           .rootUrl(hostname + ":" + (port != null ? port : ROOT_SERVER_PORT))
           .atsign(atSign)
+          .timeoutMillis(TimeUnit.SECONDS.toMillis(5))
+          .awaitReadyMillis(TimeUnit.SECONDS.toMillis(5))
+          .reconnect(SimpleReconnectStrategy.builder().maxReconnectRetries(3).build())
           .build();
     }
 
     throw new IllegalArgumentException("url is invalid");
   }
 
+  /**
+   * A builder for instantiating {@link AtEndpointSupplier} implementations that are included in
+   * this library.
+   *
+   * <pre>
+   *
+   * AtEndpointSuppliers.builder()
+   *   .url(...)     // the url for the root server or a proxy (optional)
+   *   .atSign(...)  // the AtSign that this supplier will resolve if using root server
+   *   .build();
+   * }
+   * </pre>
+   *
+   * If <b>url</b> is not set then the builder will default to {@link #DEFAULT_ROOT_URL}.
+   */
+  public static class AtEndpointSuppliersBuilder {
+    // required for javadoc
+  }
+
+  public static boolean isProxyUrl(String s) {
+    return s != null && PATTERN_PROXY_URL.matcher(s).matches();
+  }
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java b/at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java
index df271ee8..153eab1f 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/AbstractCli.java
@@ -1,25 +1,26 @@
 package org.atsign.client.impl.cli;
 
-import static org.atsign.client.impl.common.Preconditions.checkNotNull;
-
 import java.io.File;
 import java.util.concurrent.TimeUnit;
 
 import org.atsign.client.api.AtCommandExecutor;
-import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.api.AtKeys;
 import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.AtEndpointSupplier;
+import org.atsign.client.impl.AtEndpointSuppliers;
 import org.atsign.client.impl.commands.AuthenticationCommands;
 import org.atsign.client.impl.common.SimpleReconnectStrategy;
 import org.atsign.client.impl.exceptions.AtClientConfigException;
+import org.atsign.client.impl.exceptions.AtException;
 import org.atsign.client.impl.netty.NettyAtCommandExecutor;
 import org.atsign.client.impl.netty.NettyAtCommandExecutor.NettyAtCommandExecutorBuilder;
-import org.atsign.client.impl.netty.NettyAtEndpointSupplier;
 import org.atsign.client.impl.util.KeysUtils;
 
 import picocli.CommandLine.ITypeConverter;
 import picocli.CommandLine.Option;
 
+import static org.atsign.client.api.AtSign.createAtSign;
+
 /**
  * Base class for Command Line Interface utilities. Holds common fields such as root server
  * the {@link AtSign} which is connecting and the file which contains the {@link AtKeys}
@@ -31,7 +32,7 @@ public abstract class AbstractCli<T extends AbstractCli<T>> {
   protected String rootUrl = "root.atsign.org";
   protected AtSign atSign;
   protected File keysFile;
-  protected int connectionRetries = 1;
+  protected int connectionRetries = 2;
   private boolean verbose = false;
 
   protected abstract T self();
@@ -101,10 +102,7 @@ protected AtCommandExecutor createAuthenticatedConnection(String rootUrl, AtSign
 
   private static NettyAtCommandExecutorBuilder createCommandExecutorBuilder(String rootUrl, AtSign atSign, int retries,
                                                                             boolean verbose) {
-    NettyAtEndpointSupplier endpoint = NettyAtEndpointSupplier.builder()
-        .rootUrl(checkNotNull(rootUrl, "root server endpoint not set"))
-        .atsign(checkNotNull(atSign, "atsign not set"))
-        .build();
+    AtEndpointSupplier endpoint = AtEndpointSuppliers.builder().url(rootUrl).atSign(atSign).build();
     SimpleReconnectStrategy reconnect = SimpleReconnectStrategy.builder()
         .maxReconnectRetries(retries)
         .reconnectPauseMillis(TimeUnit.SECONDS.toMillis(2))
@@ -127,7 +125,7 @@ protected AtKeys getKeys() {
   static class AtSignConverter implements ITypeConverter<AtSign> {
     @Override
     public AtSign convert(String s) {
-      return new AtSign(s);
+      return createAtSign(s);
     }
   }
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java b/at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java
index e65f7f03..c3c1060b 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/DumpKeys.java
@@ -5,6 +5,8 @@
 import org.atsign.client.impl.util.KeysUtils;
 import org.atsign.client.api.AtSign;
 
+import static org.atsign.client.api.AtSign.createAtSign;
+
 /**
  * Utility which, given an {@link AtSign} will load {@link AtKeys} from the
  * default location and dump the contents to stdout
@@ -12,7 +14,7 @@
 @Slf4j
 public class DumpKeys {
   public static void main(String[] args) throws Exception {
-    AtSign atSign = new AtSign(args[0]);
+    AtSign atSign = createAtSign(args[0]);
     AtKeys keys = KeysUtils.loadKeys(atSign);
     System.out.println(KeysUtils.dump(keys));
   }
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java
index c18c810d..9348188b 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/ActivateAtsignWithSuperApiKey.java
@@ -1,10 +1,11 @@
 package org.atsign.client.impl.cli.register;
 
-import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.exceptions.AtRegistrarException;
 
 import java.util.Map;
 
+import static org.atsign.client.api.AtSign.createAtSign;
+
 class ActivateAtsignWithSuperApiKey extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
   @Override
   public RegisterApiResult<Map<String, String>> run() {
@@ -12,7 +13,8 @@ public RegisterApiResult<Map<String, String>> run() {
       result.data.put(
                       "cram", registerUtil
                           .activateAtsignWithSuperApiKey(params.get("registrarUrl"), params.get("apiKey"),
-                                                         new AtSign(params.get("atSign")), params.get("ActivationKey"))
+                                                         createAtSign(params.get("atSign")),
+                                                         params.get("ActivationKey"))
                           .split(":")[1]);
       result.apiCallStatus = ApiCallStatus.success;
       System.out.println("Your cram secret: " + result.data.get("cram"));
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java
index c807e458..e245d531 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/GetFreeAtsign.java
@@ -13,7 +13,7 @@ public RegisterApiResult<Map<String, String>> run() {
       result.data.put("atSign",
                       registerUtil.getFreeAtsign(params.get("registrarUrl"), params.get("apiKey")));
       result.apiCallStatus = ApiCallStatus.success;
-      System.out.println("\tFetched new atsign: " + "@" + result.data.get("atSign"));
+      System.out.println("\tFetched createAtSign: " + "@" + result.data.get("atSign"));
     } catch (AtRegistrarException e) {
       result.atException = e;
     } catch (Exception e) {
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java
index a6f7806a..56c301d1 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterAtsign.java
@@ -1,10 +1,11 @@
 package org.atsign.client.impl.cli.register;
 
-import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.exceptions.AtRegistrarException;
 
 import java.util.Map;
 
+import static org.atsign.client.api.AtSign.createAtSign;
+
 class RegisterAtsign extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
 
   @Override
@@ -12,7 +13,7 @@ public RegisterApiResult<Map<String, String>> run() {
     System.out.println("Sending verification code to: " + params.get("email"));
     try {
       result.data.put("otpSent",
-                      registerUtil.registerAtsign(params.get("email"), new AtSign(params.get("atSign")),
+                      registerUtil.registerAtsign(params.get("email"), createAtSign(params.get("atSign")),
                                                   params.get("registrarUrl"), params.get("apiKey"))
                           .toString());
       result.apiCallStatus = ApiCallStatus.success;
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
index 53422637..9bfb9359 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/RegisterUtil.java
@@ -2,6 +2,7 @@
 
 import static java.util.AbstractMap.SimpleEntry;
 import static java.util.stream.Collectors.toMap;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -85,7 +86,7 @@ public Map<String, String> getAtsignWithSuperApiKey(String registrarUrl, String
       throws AtException, IOException {
     Map<String, String> paramsMap = new HashMap<>();
     if (!atsign.isEmpty()) {
-      paramsMap.put("atSign", new AtSign(atsign).withoutPrefix());
+      paramsMap.put("atSign", createAtSign(atsign).withoutPrefix());
     }
     if (!activationKey.isEmpty()) {
       paramsMap.put("ActivationKey", activationKey);
@@ -160,10 +161,11 @@ public Boolean registerAtsign(String email, AtSign atsign, String registrarUrl,
    *        will return list of already existing atsigns. If the user already has existing atsigns
    *        user will have to select a listed atsign old/new and place a second call to the same API
    *        endpoint with confirmation set to true with previously received OTP. The second follow-up
-   *        call is automated by this client using new atsign for user simplicity
+   *        call is automated by this client using createAtSign for user simplicity
    * @return Case 1("verified") - the API has registered the atsign to provided email and CRAM key
    *         present in HTTP_RESPONSE Body. Case 2("follow-up"): User already has existing atsigns and
-   *         new atsign registered successfully. To receive the CRAM key, follow-up by calling the API
+   *         createAtSign registered successfully. To receive the CRAM key, follow-up by calling the
+   *         API
    *         with one of the existing listed atsigns, with confirmation set to true. Case 3("retry"):
    *         Incorrect OTP send request again with correct OTP.
    * @throws IOException thrown if anything goes wrong while using the HttpsURLConnection.
diff --git a/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java b/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java
index ef11fd32..82f71b70 100644
--- a/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java
+++ b/at_client/src/main/java/org/atsign/client/impl/cli/register/ValidateOtp.java
@@ -1,11 +1,12 @@
 package org.atsign.client.impl.cli.register;
 
-import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.exceptions.AtRegistrarException;
 
 import java.util.Map;
 import java.util.Scanner;
 
+import static org.atsign.client.api.AtSign.createAtSign;
+
 class ValidateOtp extends RegisterApiTask<RegisterApiResult<Map<String, String>>> {
   Scanner scanner = new Scanner(System.in);
 
@@ -20,7 +21,7 @@ public RegisterApiResult<Map<String, String>> run() {
         params.put("otp", scanner.nextLine());
         System.out.println("Validating verification code ...");
       }
-      String apiResponse = registerUtil.validateOtp(params.get("email"), new AtSign(params.get("atSign")),
+      String apiResponse = registerUtil.validateOtp(params.get("email"), createAtSign(params.get("atSign")),
                                                     params.get("otp"), params.get("registrarUrl"), params.get("apiKey"),
                                                     Boolean.parseBoolean(params.get("confirmation")));
       if ("retry".equals(apiResponse)) {
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java b/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
index aa57fae6..df96cc51 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/CommandElement.java
@@ -96,4 +96,9 @@ public static boolean isConsumerResponse(String s) {
   public static boolean isErrorResponse(String s) {
     return s.startsWith("error:");
   }
+
+  public static boolean isPrompt(String s) {
+    return s.startsWith("@") && s.endsWith("@");
+  }
+
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java b/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
index 1577b5e6..0f9779d8 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/CommandQueue.java
@@ -1,7 +1,7 @@
 package org.atsign.client.impl.common;
 
 import static org.atsign.client.impl.common.CommandElement.isConsumerCommand;
-import static org.atsign.client.impl.netty.NettyAtCommandExecutor.isPrompt;
+import static org.atsign.client.impl.common.CommandElement.isPrompt;
 
 import java.util.Collection;
 import java.util.Deque;
diff --git a/at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/impl/common/ReconnectStrategy.java
similarity index 96%
rename from at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java
rename to at_client/src/main/java/org/atsign/client/impl/common/ReconnectStrategy.java
index 94e22acc..8dc110f6 100644
--- a/at_client/src/main/java/org/atsign/client/impl/ReconnectStrategy.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/ReconnectStrategy.java
@@ -1,4 +1,6 @@
-package org.atsign.client.impl;
+package org.atsign.client.impl.common;
+
+import org.atsign.client.impl.AtEndpointSupplier;
 
 /**
  * A strategy for controlling re-connection behavior for
diff --git a/at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java b/at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java
index 1d593a04..3e56ab0d 100644
--- a/at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java
+++ b/at_client/src/main/java/org/atsign/client/impl/common/SimpleReconnectStrategy.java
@@ -1,7 +1,6 @@
 package org.atsign.client.impl.common;
 
 import lombok.Builder;
-import org.atsign.client.impl.ReconnectStrategy;
 
 import java.util.concurrent.TimeUnit;
 
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
index 3202da0d..42f45535 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtCommandExecutor.java
@@ -2,6 +2,7 @@
 
 import static java.util.concurrent.CompletableFuture.failedFuture;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.atsign.client.impl.common.CommandElement.isPrompt;
 import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
 import java.io.IOException;
@@ -18,7 +19,7 @@
 
 import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.impl.AtEndpointSupplier;
-import org.atsign.client.impl.ReconnectStrategy;
+import org.atsign.client.impl.common.ReconnectStrategy;
 import org.atsign.client.impl.common.CommandElement;
 import org.atsign.client.impl.common.CommandQueue;
 import org.atsign.client.impl.common.Preconditions;
@@ -178,11 +179,41 @@ protected NettyAtCommandExecutor(AtEndpointSupplier endpoint,
   }
 
   /**
-   * A builder for instantiating {@link NettyAtCommandExecutor} instances.
+   * A builder for instantiating {@link AtCommandExecutor} implementations that are included in
+   * this library. Example usage:
+   *
+   * <pre>
+   *
+   * NettyAtCommandExecutor.builder()
+   *   .endpoint(...)          // an endpoint supplier
+   *   .maxFrameLength(...)    // maximum message size supported (optional)
+   *   .sslContext(..)         // (optional)
+   *   .reconnect(...)         // a ReconnectStrategy (optional)
+   *   .onReady(...)           // commands to run when first prompt is received
+   *   .threadFactory(...)     // (optional)
+   *   .timeoutMillis()        // timeout after which commands will complete exceptionally (optional)
+   *   .heartbeatMillis(...)   // frequency for noop command (optional)
+   *   .queueLimit(...)        // max number of commands to queue (default 0 i.e. no queuing)
+   *   .awaitReadyMillis(...)  // how long to wait for executor to become ready during build() (optional)
+   *   .isVerbose(...)         // defaults to false
+   *   .build();
+   * }
+   * </pre>
+   *
+   * If <b>maxFrameLength</b> is not set then the builder defaults to
+   * {@link #DEFAULT_MAX_FRAME_LENGTH}.
+   * If <b>reconnect</b> is not set then the builder will default to a {@link ReconnectStrategy#NONE}
+   * which will never retry to connect or reconnect after disconnect.
+   * If <b>timeoutMillis</b> is not set then builder will default to
+   * {@link #DEFAULT_COMMAND_TIMEOUT_MILLIS}.
+   * If <b>heartbeatMillis</b> is not set then builder will default to
+   * {@link #DEFAULT_HEARTBEAT_MILLIS}.
+   * If <b>awaitReadyMillis</b> is not set then the builder will default to
+   * {@link #DEFAULT_AWAIT_READY_MILLIS}.
    */
   public static class NettyAtCommandExecutorBuilder {
     // required for javadoc
-  };
+  }
 
   @Override
   public void send(String command, CompletableFuture<String> future) {
@@ -324,7 +355,7 @@ private void checkForTimeout(CommandQueue commands, long timeoutMillis, String m
       AtTimeoutException ex = new AtTimeoutException(message);
       expired.forEach(x -> x.completeExceptionally(ex));
       if (commands == pending && sendNext()) {
-        log.info("sent queued command");
+        log.debug("sent queued command");
       }
     }
   }
@@ -373,7 +404,7 @@ private void send(CommandElement command) {
     } else if ((isReady() || threadFactory.isCurrentThreadOnReadyThread()) && pending.offer(command)) {
       writeAndFlushCommand(command);
     } else if (queue.offer(command)) {
-      log.info("{} command{} queued ({})", queue.size(), queue.size() > 1 ? "s" : "", getPendingStatus());
+      log.debug("{} command{} queued ({})", queue.size(), queue.size() > 1 ? "s" : "", getPendingStatus());
     } else {
       command.completeExceptionally(new AtTimeoutException(
           queue.getQueueCapacity() > 0 ? "queue is full" : "queue not enabled"));
@@ -448,7 +479,7 @@ private Runnable createOnReadyRunnable() {
       status.set(Status.Ready);
       checkForTimeouts();
       if (sendNext()) {
-        log.info("sent queued command");
+        log.debug("sent queued command");
       }
       threadFactory.clearCurrentThreadOnReadyThread();
     };
@@ -460,14 +491,15 @@ private void onResponse(String msg) {
     } else {
       log.debug("RCVD: {}", msg);
     }
+
     CommandElement command = pending.pop(msg);
     if (command != null) {
       command.complete(msg);
     } else {
-      log.error("no pending command : {}", msg);
+      log.warn("no pending command : {}", msg);
     }
     if (sendNext()) {
-      log.info("sent queued command");
+      log.debug("sent queued command");
     }
   }
 
@@ -478,7 +510,7 @@ protected void channelRead0(ChannelHandlerContext ctx, String msg) {
       lastReadMillis = clock.millis();
       if (isPrompt(msg)) {
         onPrompt();
-      } else {
+      } else if (!isHeartbeat(msg)) {
         onResponse(msg);
       }
     }
@@ -496,7 +528,7 @@ public void channelInactive(ChannelHandlerContext context) {
       } else {
         completeIsOnReadyExceptionally(pending, "connection closed");
         if (isForceReconnect.get()) {
-          log.info("connection force disconnected");
+          log.debug("connection force disconnected");
         } else {
           log.warn("connection unexpectedly unconnected");
           reconnectStrategy.onDisconnect(new IOException("connection closed"));
@@ -543,28 +575,26 @@ private static SslContext wrapSslContext(SSLContext context) {
   private void awaitStatus(Status status, long timeoutMillis) throws InterruptedException {
     long startMillis = clock.millis();
     while (clock.millis() < (startMillis + timeoutMillis)) {
-      // TODO: fix this
-      Thread.sleep(50);
+      Thread.sleep(100);
       if (this.status.get() == status) {
         break;
       }
     }
   }
 
-  public static boolean isPrompt(String s) {
-    return s.startsWith("@") && s.endsWith("@");
+  private static boolean isHeartbeat(String s) {
+    return "data:ok".equals(s);
   }
 
-  public static <T> T defaultIfNull(T o, T defaultValue) {
+  private static <T> T defaultIfNull(T o, T defaultValue) {
     return o != null ? o : defaultValue;
   }
 
-  public static long defaultIfUnset(Long l, long defaultValue) {
+  private static long defaultIfUnset(Long l, long defaultValue) {
     return l != null ? l : defaultValue;
   }
 
-  public static int defaultIfUnset(Integer i, int defaultValue) {
+  private static int defaultIfUnset(Integer i, int defaultValue) {
     return i != null ? i : defaultValue;
   }
-
 }
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java
index 3a2bbe8c..9233d2c7 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtEndpointSupplier.java
@@ -2,11 +2,12 @@
 
 import static org.atsign.client.impl.common.Preconditions.checkNotNull;
 
-
 import javax.net.ssl.SSLContext;
 
-import org.atsign.client.impl.AtEndpointSupplier;
+import org.atsign.client.api.AtCommandExecutor;
 import org.atsign.client.api.AtSign;
+import org.atsign.client.impl.AtEndpointSupplier;
+import org.atsign.client.impl.common.ReconnectStrategy;
 import org.atsign.client.impl.exceptions.AtSecondaryNotFoundException;
 import org.atsign.client.impl.netty.NettyAtCommandExecutor.NettyAtCommandExecutorBuilder;
 
@@ -23,15 +24,50 @@ public class NettyAtEndpointSupplier implements AtEndpointSupplier {
   private final NettyAtCommandExecutorBuilder executorBuilder;
 
   @Builder
-  public NettyAtEndpointSupplier(String rootUrl, AtSign atsign, Long timeoutMillis, SSLContext sslContext) {
+  public NettyAtEndpointSupplier(String rootUrl,
+                                 AtSign atsign,
+                                 Long timeoutMillis,
+                                 Long awaitReadyMillis,
+                                 ReconnectStrategy reconnect,
+                                 SSLContext sslContext) {
     this.atsign = checkNotNull(atsign, "atSign not set");
     String hostAndPort = checkNotNull(rootUrl, "rootUrl not set");
     this.executorBuilder = NettyAtCommandExecutor.builder()
         .endpoint(() -> hostAndPort)
         .timeoutMillis(timeoutMillis)
+        .awaitReadyMillis(awaitReadyMillis)
+        .reconnect(reconnect)
         .sslContext(sslContext);
   }
 
+  /**
+   * A builder for instantiating {@link AtCommandExecutor} implementations that are included in
+   * this library. Example usage:
+   *
+   * <pre>
+   *
+   * NettyAtEndpointSupplier.builder()
+   *   .rootUrl(...)       // the endpoint for the root / directory server
+   *   .atSign(...)        // the AtSign to resolve endpoint for
+   *   .timeoutMillis()    // timeout after which commands will complete exceptionally (optional)
+   *   .awaitReadyMillis() // how long to wait for executor to become ready during build() (optional)
+   *   .reconnect()        // a ReconnectStrategy (optional)
+   *   .sslContext()       // (optional)
+   *   .build();
+   * }
+   * </pre>
+   *
+   * If <b>timeoutMillis</b> is not set then builder will default to
+   * {@link NettyAtCommandExecutor#DEFAULT_COMMAND_TIMEOUT_MILLIS}.
+   * If <b>awaitReadyMillis</b> is not set then the builder will default to
+   * {@link NettyAtCommandExecutor#DEFAULT_AWAIT_READY_MILLIS}.
+   * If <b>reconnect</b> is not set then the builder will default to a {@link ReconnectStrategy#NONE}
+   * which will never retry to connect or reconnect after disconnect.
+   */
+  public static class NettyAtEndpointSupplierBuilder {
+    // required for javadoc
+  }
+
   @Override
   public String get() throws AtSecondaryNotFoundException {
     try (NettyAtCommandExecutor executor = executorBuilder.build()) {
diff --git a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
index 86195ac6..86ab9dbb 100644
--- a/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
+++ b/at_client/src/main/java/org/atsign/client/impl/netty/NettyAtThreadFactory.java
@@ -18,7 +18,7 @@ class NettyAtThreadFactory implements ThreadFactory {
   private final ThreadFactory delegate;
 
   public NettyAtThreadFactory(ThreadFactory delegate) {
-    this.delegate = delegate != null ? delegate : new DefaultThreadFactory("netty");
+    this.delegate = delegate != null ? delegate : new DefaultThreadFactory("netty", true);
   }
 
   @Override
diff --git a/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java b/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
index 4198d60b..6bfda69c 100644
--- a/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
+++ b/at_client/src/main/java/org/atsign/client/impl/util/StringUtils.java
@@ -10,7 +10,7 @@ public static boolean isBlank(String s) {
   }
 
   public static boolean isNumeric(String s) {
-    return s.matches("\\d+");
+    return s != null && s.matches("-?\\d+");
   }
 
 }
diff --git a/at_client/src/test/java/org/atsign/client/api/AtSignTest.java b/at_client/src/test/java/org/atsign/client/api/AtSignTest.java
index 109396e8..2109bebb 100644
--- a/at_client/src/test/java/org/atsign/client/api/AtSignTest.java
+++ b/at_client/src/test/java/org/atsign/client/api/AtSignTest.java
@@ -1,5 +1,6 @@
 package org.atsign.client.api;
 
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.nullValue;
@@ -10,16 +11,16 @@ class AtSignTest {
 
   @Test
   void testStaticCreateMethod() {
-    assertThat(AtSign.createAtSign("@fred"), equalTo(new AtSign("@fred")));
-    assertThat(AtSign.createAtSign("fred"), equalTo(new AtSign("@fred")));
-    assertThat(AtSign.createAtSign(null), nullValue());
-    assertThat(AtSign.createAtSign(""), nullValue());
+    assertThat(createAtSign("@fred"), equalTo(createAtSign("@fred")));
+    assertThat(createAtSign("fred"), equalTo(createAtSign("@fred")));
+    assertThat(createAtSign(null), nullValue());
+    assertThat(createAtSign(""), nullValue());
   }
 
   @Test
   void testWithoutPrefixReturnsExpectedResult() {
-    assertThat(new AtSign("fred").withoutPrefix(), equalTo("fred"));
-    assertThat(new AtSign("@fred").withoutPrefix(), equalTo("fred"));
+    assertThat(createAtSign("fred").withoutPrefix(), equalTo("fred"));
+    assertThat(createAtSign("@fred").withoutPrefix(), equalTo("fred"));
   }
 
   @Test
diff --git a/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java b/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java
index ed316daf..8a796e97 100644
--- a/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java
+++ b/at_client/src/test/java/org/atsign/client/impl/AtCommandExecutorsIT.java
@@ -12,6 +12,7 @@
 import org.atsign.client.api.AtSign;
 import org.atsign.client.impl.AtCommandExecutors.AtCommandExecutorBuilder;
 import org.atsign.client.impl.commands.ScanCommands;
+import org.atsign.client.impl.common.ReconnectStrategy;
 import org.atsign.client.impl.util.KeysUtils;
 import org.atsign.cucumber.helpers.Helpers;
 import org.atsign.virtualenv.VirtualEnv;
@@ -76,7 +77,7 @@ void testBuildWithProxyUrlEnforcesAuthentication() throws Exception {
         .url("proxy:vip.ve.atsign.zone:25026")
         .reconnect(ReconnectStrategy.NONE);
     Exception ex = assertThrows(Exception.class, () -> builder.build());
-    assertThat(ex.getMessage(), containsString("atSign must be set for a proxy url"));
+    assertThat(ex.getMessage(), containsString("atSign not set"));
   }
 
 }
diff --git a/at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java b/at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java
index 633a7db9..9136c86b 100644
--- a/at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/commands/CommandBuildersTest.java
@@ -294,8 +294,8 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
 
     // with shared key
     SharedKey sk1 = Keys.sharedKeyBuilder()
-        .sharedBy(new AtSign("@bob"))
-        .sharedWith(new AtSign("@alice"))
+        .sharedBy(createAtSign("@bob"))
+        .sharedWith(createAtSign("@alice"))
         .name("test")
         .ttl(TimeUnit.MINUTES.toMillis(10))
         .isBinary(true)
@@ -308,7 +308,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
 
     // with public key
     PublicKey pk1 = Keys.publicKeyBuilder()
-        .sharedBy(new AtSign("@bob"))
+        .sharedBy(createAtSign("@bob"))
         .name("test")
         .isCached(true)
         .build();
@@ -320,7 +320,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
 
     // with self key
     SelfKey sk2 = Keys.selfKeyBuilder()
-        .sharedBy(new AtSign("@bob"))
+        .sharedBy(createAtSign("@bob"))
         .name("test")
         .ttl(TimeUnit.MINUTES.toMillis(10))
         .build();
@@ -351,7 +351,7 @@ public void testUpdateBuilderGeneratesExpectedOutput() {
   @Test
   public void testUpdateBuilderGeneratesExpectedOutputForPublicKeyWithNamespace() {
     PublicKey key = Keys.publicKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
+        .sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -366,7 +366,7 @@ public void testUpdateBuilderGeneratesExpectedOutputForPublicKeyWithNamespace()
   @Test
   public void testUpdateBuilderGeneratesExpectedOutputForSelfKeyWithNamespace() {
     SelfKey key = Keys.selfKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
+        .sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -381,8 +381,8 @@ public void testUpdateBuilderGeneratesExpectedOutputForSelfKeyWithNamespace() {
   @Test
   public void testUpdateBuilderGeneratesExpectedOutputForSharedKeyWithNamespace() {
     SharedKey key = Keys.sharedKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
-        .sharedWith(new AtSign("@bob"))
+        .sharedBy(createAtSign("@alice"))
+        .sharedWith(createAtSign("@bob"))
         .name("test")
         .namespace("testns")
         .build();
@@ -484,7 +484,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     assertThat(ex.getMessage(), containsString("both rawKey and key fields are set"));
 
     // with public key
-    PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name("publickey").build();
+    PublicKey pk = Keys.publicKeyBuilder().sharedBy(createAtSign("@bob")).name("publickey").build();
     command = CommandBuilders.llookupCommandBuilder()
         .key(pk)
         .operation(LookupOperation.meta)
@@ -498,8 +498,8 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
 
     // with shared key
     SharedKey sk = Keys.sharedKeyBuilder()
-        .sharedBy(new AtSign("@bob"))
-        .sharedWith(new AtSign("@alice"))
+        .sharedBy(createAtSign("@bob"))
+        .sharedWith(createAtSign("@alice"))
         .name("sharedkey")
         .build();
     command = CommandBuilders.llookupCommandBuilder()
@@ -509,7 +509,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     assertEquals("llookup:@alice:sharedkey@bob", command);
 
     // with self key
-    SelfKey selfKey1 = Keys.selfKeyBuilder().sharedBy(new AtSign("@bob")).name("test").build();
+    SelfKey selfKey1 = Keys.selfKeyBuilder().sharedBy(createAtSign("@bob")).name("test").build();
     command = CommandBuilders.llookupCommandBuilder()
         .key(selfKey1)
         .operation(LookupOperation.all)
@@ -517,7 +517,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
     assertEquals("llookup:all:test@bob", command);
 
     // with self key (shared with self)
-    AtSign as = new AtSign("@bob");
+    AtSign as = createAtSign("@bob");
     SelfKey selfKey2 = Keys.selfKeyBuilder().sharedBy(as).sharedWith(as).name("test").build();
     command = CommandBuilders.llookupCommandBuilder()
         .key(selfKey2)
@@ -527,7 +527,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
 
     // with cached public key
     PublicKey pk2 = Keys.publicKeyBuilder()
-        .sharedBy(new AtSign("@bob"))
+        .sharedBy(createAtSign("@bob"))
         .name("publickey")
         .isCached(true)
         .build();
@@ -539,8 +539,8 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
 
     // with cached shared key
     SharedKey sk2 = Keys.sharedKeyBuilder()
-        .sharedBy(new AtSign("@bob"))
-        .sharedWith(new AtSign("@alice"))
+        .sharedBy(createAtSign("@bob"))
+        .sharedWith(createAtSign("@alice"))
         .name("sharedkey")
         .isCached(true)
         .build();
@@ -557,7 +557,7 @@ public void testLlookupBuilderGeneratesExpectedOutput() {
 
   @Test
   public void testLlookupBuilderGeneratesExpectedOutputForPublicKeyWithNamespace() {
-    PublicKey key = Keys.publicKeyBuilder().sharedBy(new AtSign("@alice"))
+    PublicKey key = Keys.publicKeyBuilder().sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -571,7 +571,7 @@ public void testLlookupBuilderGeneratesExpectedOutputForPublicKeyWithNamespace()
   @Test
   public void testLlookupBuilderGeneratesExpectedOutputForSelfKeyWithNamespace() {
     SelfKey key = Keys.selfKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
+        .sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -584,8 +584,8 @@ public void testLlookupBuilderGeneratesExpectedOutputForSelfKeyWithNamespace() {
 
   @Test
   public void testLlookupBuilderGeneratesExpectedOutputForSharedKeyWithNamespace() {
-    SharedKey key = Keys.sharedKeyBuilder().sharedBy(new AtSign("@alice"))
-        .sharedWith(new AtSign("@bob"))
+    SharedKey key = Keys.sharedKeyBuilder().sharedBy(createAtSign("@alice"))
+        .sharedWith(createAtSign("@bob"))
         .name("test")
         .namespace("testns")
         .build();
@@ -639,8 +639,8 @@ public void lookupVerbBuilderTest() {
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     // with shared key
-    SharedKey sk = Keys.sharedKeyBuilder().sharedBy(new AtSign("@sharedby"))
-        .sharedWith(new AtSign("@sharedwith"))
+    SharedKey sk = Keys.sharedKeyBuilder().sharedBy(createAtSign("@sharedby"))
+        .sharedWith(createAtSign("@sharedwith"))
         .name("test")
         .build();
     command = CommandBuilders.lookupCommandBuilder()
@@ -652,8 +652,8 @@ public void lookupVerbBuilderTest() {
 
   @Test
   public void testLookupVerbBuilderForSharedKeyWithNamespace() {
-    SharedKey key = Keys.sharedKeyBuilder().sharedBy(new AtSign("@alice"))
-        .sharedWith(new AtSign("@bob"))
+    SharedKey key = Keys.sharedKeyBuilder().sharedBy(createAtSign("@alice"))
+        .sharedWith(createAtSign("@bob"))
         .name("test")
         .namespace("testns")
         .build();
@@ -709,7 +709,7 @@ public void plookupVerbBuilderTest() {
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     // with
-    PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name("publickey").build();
+    PublicKey pk = Keys.publicKeyBuilder().sharedBy(createAtSign("@bob")).name("publickey").build();
     command = CommandBuilders.plookupCommandBuilder()
         .key(pk)
         .operation(LookupOperation.all)
@@ -729,7 +729,7 @@ public void plookupVerbBuilderTest() {
   @Test
   public void testPlookupVerbBuilderForPublicKeyWithNamespace() {
     PublicKey key = Keys.publicKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
+        .sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -812,22 +812,22 @@ public void deleteVerbBuilderTest() {
     assertThat(ex.getMessage(), containsString("sharedBy not set"));
 
     // with self key
-    SelfKey selfKey = Keys.selfKeyBuilder().sharedBy(new AtSign("@alice")).name("test").build();
+    SelfKey selfKey = Keys.selfKeyBuilder().sharedBy(createAtSign("@alice")).name("test").build();
     command = CommandBuilders.deleteCommandBuilder()
         .key(selfKey)
         .build();
     assertEquals("delete:test@alice", command);
 
     // with public key
-    PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name("publickey").build();
+    PublicKey pk = Keys.publicKeyBuilder().sharedBy(createAtSign("@bob")).name("publickey").build();
     command = CommandBuilders.deleteCommandBuilder()
         .key(pk)
         .build();
 
     // with shared key
     SharedKey sk = Keys.sharedKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
-        .sharedWith(new AtSign("@bob"))
+        .sharedBy(createAtSign("@alice"))
+        .sharedWith(createAtSign("@bob"))
         .name("test")
         .build();
     command = CommandBuilders.deleteCommandBuilder()
@@ -839,7 +839,7 @@ public void deleteVerbBuilderTest() {
   @Test
   public void testDeleteVerbBuilderForPublicKeyWithNamespace() {
     PublicKey key = Keys.publicKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
+        .sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -852,7 +852,7 @@ public void testDeleteVerbBuilderForPublicKeyWithNamespace() {
   @Test
   public void testDeleteVerbBuilderForSelfKeyWithNamespace() {
     SelfKey key = Keys.selfKeyBuilder()
-        .sharedBy(new AtSign("@alice"))
+        .sharedBy(createAtSign("@alice"))
         .name("test")
         .namespace("testns")
         .build();
@@ -865,7 +865,7 @@ public void testDeleteVerbBuilderForSelfKeyWithNamespace() {
   @Test
   public void testDeleteVerbBuilderForSharedKeyWithNamespace() {
     SharedKey key = Keys.sharedKeyBuilder()
-        .sharedBy(new AtSign("@alice")).sharedWith(new AtSign("@bob"))
+        .sharedBy(createAtSign("@alice")).sharedWith(createAtSign("@bob"))
         .name("test")
         .namespace("testns")
         .build();
diff --git a/at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java b/at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java
index 47ede773..5d69eafc 100644
--- a/at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/util/EncryptionUtilsTest.java
@@ -20,4 +20,5 @@ void testAesEncryptionWithRandomInitialisationVector() throws Exception {
     String decrypted = EncryptionUtils.aesDecryptFromBase64(encrypted, key, iv);
     assertThat(decrypted, equalTo(text));
   }
+
 }
diff --git a/at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java b/at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java
index 6cafc49b..dcddb6ae 100644
--- a/at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java
+++ b/at_client/src/test/java/org/atsign/client/impl/util/KeysUtilsTest.java
@@ -1,5 +1,6 @@
 package org.atsign.client.impl.util;
 
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.atsign.client.impl.util.EncryptionUtils.generateAESKeyBase64;
 import static org.atsign.client.impl.util.EncryptionUtils.generateRSAKeyPair;
 import static org.junit.jupiter.api.Assertions.*;
@@ -16,7 +17,7 @@
 
 public class KeysUtilsTest {
 
-  AtSign testAtSign = new AtSign("@testSaveKeysFile");
+  AtSign testAtSign = createAtSign("@testSaveKeysFile");
 
   @AfterEach
   public void tearDown() throws IOException {
diff --git a/at_client/src/test/java/org/atsign/client/impl/util/StringUtilsTest.java b/at_client/src/test/java/org/atsign/client/impl/util/StringUtilsTest.java
new file mode 100644
index 00000000..bae7db6d
--- /dev/null
+++ b/at_client/src/test/java/org/atsign/client/impl/util/StringUtilsTest.java
@@ -0,0 +1,38 @@
+package org.atsign.client.impl.util;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.*;
+
+class StringUtilsTest {
+
+  @Test
+  void testIsBlankReturnsExpectedResult() {
+    assertThat(StringUtils.isBlank(""), is(true));
+    assertThat(StringUtils.isBlank(null), is(true));
+    assertThat(StringUtils.isBlank(" "), is(true));
+    assertThat(StringUtils.isBlank("  "), is(true));
+
+    assertThat(StringUtils.isBlank("a"), is(false));
+    assertThat(StringUtils.isBlank("abc"), is(false));
+    assertThat(StringUtils.isBlank("abc "), is(false));
+    assertThat(StringUtils.isBlank(" abc"), is(false));
+    assertThat(StringUtils.isBlank(" abc "), is(false));
+    assertThat(StringUtils.isBlank(" ab c"), is(false));
+  }
+
+  @Test
+  void testIsNumericReturnsExpectedResult() {
+    assertThat(StringUtils.isNumeric("1"), is(true));
+    assertThat(StringUtils.isNumeric("123"), is(true));
+    assertThat(StringUtils.isNumeric("-1"), is(true));
+    assertThat(StringUtils.isNumeric("-123"), is(true));
+
+    assertThat(StringUtils.isNumeric(""), is(false));
+    assertThat(StringUtils.isNumeric(null), is(false));
+    assertThat(StringUtils.isNumeric(" "), is(false));
+    assertThat(StringUtils.isNumeric("a"), is(false));
+  }
+}
diff --git a/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java b/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java
index 4e1c2f78..76f4814a 100644
--- a/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java
+++ b/at_client/src/test/java/org/atsign/cucumber/steps/ParameterTypes.java
@@ -10,11 +10,13 @@
 
 import io.cucumber.java.ParameterType;
 
+import static org.atsign.client.api.AtSign.createAtSign;
+
 public class ParameterTypes {
 
   @ParameterType("@\\S+")
   public AtSign atsign(String s) {
-    return new AtSign(s);
+    return createAtSign(s);
   }
 
   @ParameterType("\\S+")
diff --git a/at_client/src/test/resources/simpleLogger.properties b/at_client/src/test/resources/simpleLogger.properties
index 21d6eb02..70f7fb47 100644
--- a/at_client/src/test/resources/simpleLogger.properties
+++ b/at_client/src/test/resources/simpleLogger.properties
@@ -2,4 +2,4 @@ org.slf4j.simpleLogger.defaultLogLevel=info
 org.slf4j.simpleLogger.showDateTime=true
 org.slf4j.simpleLogger.dateTimeFormat=HH:mm:ss.SSS
 
-#org.slf4j.simpleLogger.log.org.atsign.client.connection.netty=debug
+#org.slf4j.simpleLogger.log.org.atsign.client=debug
diff --git a/at_shell/src/main/java/org/atsign/client/cli/REPL.java b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
index eb81f73e..818d0e31 100644
--- a/at_shell/src/main/java/org/atsign/client/cli/REPL.java
+++ b/at_shell/src/main/java/org/atsign/client/cli/REPL.java
@@ -2,6 +2,7 @@
 
 import static org.atsign.client.api.AtEvents.AtEventType.decryptedUpdateNotification;
 import static org.atsign.client.api.AtEvents.AtEventType.updateNotification;
+import static org.atsign.client.api.AtSign.createAtSign;
 import static org.fusesource.jansi.Ansi.ansi;
 
 import java.util.*;
@@ -38,7 +39,7 @@ public static void main(String[] args) {
     }
 
     String rootUrl = args[0];
-    AtSign atSign = new AtSign(args[1]);
+    AtSign atSign = createAtSign(args[1]);
     boolean seeEncryptedNotifications = args.length > 2 ? Boolean.parseBoolean(args[2]) : false;
     boolean verbose = args.length > 3 ? Boolean.parseBoolean(args[3]) : false;
 
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
index c0cccb47..9709fcff 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyDeleteExample.java
@@ -1,36 +1,27 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
-
+import static org.atsign.client.api.AtSign.createAtSign;
 
 import org.atsign.client.api.AtClient;
-import org.atsign.client.impl.AtClients;
 import org.atsign.client.api.AtSign;
 import org.atsign.client.api.Keys;
 import org.atsign.client.api.Keys.PublicKey;
+import org.atsign.client.impl.AtClients;
 import org.atsign.client.impl.exceptions.AtClientConfigException;
 
 public class PublicKeyDeleteExample {
 
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR = "@33thesad";
-    boolean VERBOSE = true;
 
     String KEY_NAME = "test";
 
     // 2. create AtSign instance
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create public key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
index 92163b07..53cb3fe3 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetBypassCacheExample.java
@@ -9,31 +9,22 @@
 import org.atsign.client.impl.exceptions.AtClientConfigException;
 import org.atsign.client.api.AtClient.GetRequestOptions;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 public class PublicKeyGetBypassCacheExample {
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish arguments
-    String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@alice"; // atSign that we will pkam auth (must have keys in keys directory)
-    boolean VERBOSE = true; // true for more print logs
-
     String KEY_NAME = "publickey"; // name of the key we will get
 
     // 2. create AtSign object
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create the key
-      PublicKey pk = Keys.publicKeyBuilder().sharedBy(new AtSign("@bob")).name(KEY_NAME).build();
+      PublicKey pk = Keys.publicKeyBuilder().sharedBy(createAtSign("@bob")).name(KEY_NAME).build();
 
       // 5. get the value associated with the key
       String response = atClient.get(pk, GetRequestOptions.builder().bypassCache(true).build()).get();
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
index 16d5ab65..e49ca1cf 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyGetExample.java
@@ -8,28 +8,20 @@
 import org.atsign.client.api.Keys.PublicKey;
 import org.atsign.client.impl.exceptions.AtClientConfigException;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 public class PublicKeyGetExample {
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish arguments
-    String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@33thesad"; // atSign that we will pkam auth (must have keys in keys directory)
-    boolean VERBOSE = true; // true for more print logs
 
     String KEY_NAME = "test"; // name of the key we will get
 
     // 2. create AtSign object
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create the key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
diff --git a/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java b/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
index 5923b517..ed095615 100644
--- a/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
+++ b/examples/src/main/java/org/atsign/examples/PublicKeyPutExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 
 import org.atsign.client.api.AtClient;
@@ -14,24 +14,15 @@ public class PublicKeyPutExample {
 
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@33thesad"; // atSign that we will pkam auth (must have keys in keys directory)
-    boolean VERBOSE = true; // true for more print logs
-
     String KEY_NAME = "test"; // name of the key we will create and put
     String VALUE = "I love pineapple on pizza 12345"; // value we will associate with the key
 
     // 2. create AtSign object
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create a new public key
       PublicKey pk = Keys.publicKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
index 50e2d505..d84811f3 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyDeleteExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 
 import org.atsign.client.api.AtClient;
@@ -14,23 +14,15 @@ public class SelfKeyDeleteExample {
 
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64"; // root url of the atsign server for fetching secondary address
     String ATSIGN_STR = "@33thesad"; // atSign that we will pkam auth (must have keys in keys directory)
-    boolean VERBOSE = true; // true for more print logs
 
     String KEY_NAME = "test"; // name of the key we will create and put
 
     // 2. create AtSign object
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create self key
       SelfKey sk = Keys.selfKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
index a4a5a3d2..d47e3d9c 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyGetExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 
 import org.atsign.client.api.AtClient;
@@ -15,23 +15,14 @@ public class SelfKeyGetExample {
 
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR = "@33thesad";
-    boolean VERBOSE = true;
-
     String KEY_NAME = "test";
 
     // 2. create AtSign object
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create selfkey
       SelfKey sk = Keys.selfKeyBuilder().sharedBy(atSign).name(KEY_NAME).build();
diff --git a/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java b/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
index 0bdc4c58..9b7dff5d 100644
--- a/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
+++ b/examples/src/main/java/org/atsign/examples/SelfKeyPutExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 import java.util.concurrent.TimeUnit;
 
@@ -15,26 +15,16 @@ public class SelfKeyPutExample {
 
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR = "@33thesad";
-    boolean VERBOSE = true;
-
     String KEY_NAME = "test";
     String VALUE = "I hate pineapple on pizza!!!";
     long ttl = TimeUnit.SECONDS.toMillis(30);
 
-
     // 2. create AtSign object
-    AtSign atSign = new AtSign(ATSIGN_STR);
+    AtSign atSign = createAtSign(ATSIGN_STR);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(atSign)
-        .keys(loadKeys(atSign))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(atSign).build()) {
 
       // 4. create selfkey
       SelfKey sk = Keys.selfKeyBuilder().sharedBy(atSign).name(KEY_NAME).ttl(ttl).build();
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
index cc60f7b2..1d080f74 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyDeleteExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 
 import org.atsign.client.api.AtClient;
@@ -15,24 +15,16 @@ public class SharedKeyDeleteExample {
   /// Delete a SharedKey that you shared with another atSign, the key must be on your own secondary server (belonging to the sharedBy atSign)
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR_SHARED_BY = "@33thesad"; // my atSign (sharedBy)
     String ATSIGN_STR_SHARED_WITH = "@farinataanxious"; // other atSign (sharedWith)
-    boolean VERBOSE = true;
     String KEY_NAME = "test";
 
     // 2. create AtSign objects
-    AtSign sharedBy = new AtSign(ATSIGN_STR_SHARED_BY);
-    AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH);
+    AtSign sharedBy = createAtSign(ATSIGN_STR_SHARED_BY);
+    AtSign sharedWith = createAtSign(ATSIGN_STR_SHARED_WITH);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(sharedBy)
-        .keys(loadKeys(sharedBy))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(sharedBy).build()) {
 
       // 4. create SharedKey instance
       SharedKey sk = Keys.sharedKeyBuilder().sharedBy(sharedBy).sharedWith(sharedWith).name(KEY_NAME).build();
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
index d2e395b7..4d531906 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyGetOtherExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 
 import org.atsign.client.api.AtClient;
@@ -14,24 +14,16 @@ public class SharedKeyGetOtherExample {
   /// Get the SharedKey sharedBy another person and sharedWith you
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR_SHARED_BY = "@33thesad"; // their atSign (key is sharedBy this atSign)
     String ATSIGN_STR_SHARED_WITH = "@farinataanxious"; // your atSign (key is sharedWith you)
-    boolean VERBOSE = true;
     String KEY_NAME = "test";
 
     // 2. create AtSign objects
-    AtSign sharedBy = new AtSign(ATSIGN_STR_SHARED_BY);
-    AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH); // your atSign
+    AtSign sharedBy = createAtSign(ATSIGN_STR_SHARED_BY);
+    AtSign sharedWith = createAtSign(ATSIGN_STR_SHARED_WITH); // your atSign
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(sharedWith)
-        .keys(loadKeys(sharedWith))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(sharedWith).build()) {
 
       // 4. create SharedKey instance
       // key is sharedBy the other person and sharedWith you.
diff --git a/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java b/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
index e7a256dd..04c6b0f0 100644
--- a/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
+++ b/examples/src/main/java/org/atsign/examples/SharedKeyGetSelfExample.java
@@ -1,6 +1,6 @@
 package org.atsign.examples;
 
-import static org.atsign.client.impl.util.KeysUtils.loadKeys;
+import static org.atsign.client.api.AtSign.createAtSign;
 
 
 import org.atsign.client.api.AtClient;
@@ -14,24 +14,16 @@ public class SharedKeyGetSelfExample {
   /// Get a SharedKey that you created and shared with another atSign
   public static void main(String[] args) throws AtClientConfigException {
     // 1. establish constants
-    String ROOT_URL = "root.atsign.org:64";
     String ATSIGN_STR_SHARED_BY = "@33thesad"; // my atSign (sharedBy)
     String ATSIGN_STR_SHARED_WITH = "@farinataanxious"; // other atSign (sharedWith)
-    boolean VERBOSE = true;
     String KEY_NAME = "test";
 
     // 2. create AtSign objects
-    AtSign sharedBy = new AtSign(ATSIGN_STR_SHARED_BY);
-    AtSign sharedWith = new AtSign(ATSIGN_STR_SHARED_WITH);
+    AtSign sharedBy = createAtSign(ATSIGN_STR_SHARED_BY);
+    AtSign sharedWith = createAtSign(ATSIGN_STR_SHARED_WITH);
 
     // 3. build an AtClient
-    AtClients.AtClientBuilder builder = AtClients.builder()
-        .url(ROOT_URL)
-        .atSign(sharedBy)
-        .keys(loadKeys(sharedBy))
-        .isVerbose(VERBOSE);
-
-    try (AtClient atClient = builder.build()) {
+    try (AtClient atClient = AtClients.builder().atSign(sharedBy).build()) {
 
       // 4. create SharedKey instance
       SharedKey sk = Keys.sharedKeyBuilder().sharedBy(sharedBy).sharedWith(sharedWith).name(KEY_NAME).build();