diff --git a/src/server/firebase/Location.js b/src/server/firebase/Location.js
index 10306bd..e310dca 100644
--- a/src/server/firebase/Location.js
+++ b/src/server/firebase/Location.js
@@ -135,21 +135,6 @@ export async function createLocations(
   device,
   org,
 ) {
-  if (isDeniedCompany(org)) {
-    throw new AccessDeniedError(
-      'This is a question from the CEO of Transistor Software.\n' +
-        'Why are you spamming my demo server1?\n' +
-        'Please email me at chris@transistorsoft.com.',
-    );
-  }
-
-  if (isDeniedDevice(device.model)) {
-    throw new AccessDeniedError(
-      'This is a question from the CEO of Transistor Software.\n' +
-        'Why are you spamming my demo server2?\n' +
-        'Please email me at chris@transistorsoft.com.',
-    );
-  }
   const batch = firestore.batch();
   await Promise.reduce(
     locations,
@@ -172,6 +157,21 @@ export async function createLocations(
 }
 
 export async function create(params) {
+  if (Array.isArray(params)) {
+    return Promise.reduce(
+      params,
+      async (p, pp) => {
+        try {
+          await create(pp);
+        } catch (e) {
+          console.error('create', e);
+          throw e;
+        }
+      },
+      0,
+    );
+  }
+
   const {
     company_token: token = 'UNKNOWN',
     location: list = [],
@@ -185,6 +185,21 @@ export async function create(params) {
         : []
     );
 
+  if (isDeniedCompany(token)) {
+    throw new AccessDeniedError(
+      'This is a question from the CEO of Transistor Software.\n' +
+          'Why are you spamming my demo server1?\n' +
+          'Please email me at chris@transistorsoft.com.',
+    );
+  }
+
+  if (isDeniedDevice(device.model)) {
+    throw new AccessDeniedError(
+      'This is a question from the CEO of Transistor Software.\n' +
+          'Why are you spamming my demo server2?\n' +
+          'Please email me at chris@transistorsoft.com.',
+    );
+  }
   return createLocations(locations, device, token);
 }
 
diff --git a/src/server/models/Location.js b/src/server/models/Location.js
index cda0208..56d5e1b 100644
--- a/src/server/models/Location.js
+++ b/src/server/models/Location.js
@@ -76,14 +76,6 @@ export async function getLatestLocation(params, isAdmin) {
 }
 
 export async function createLocation(location, deviceInfo, org) {
-  if (isDeniedDevice(deviceInfo.model)) {
-    throw new AccessDeniedError(
-      'This is a question from the CEO of Transistor Software.\n' +
-        'Why are you spamming my demo server2?\n' +
-        'Please email me at chris@transistorsoft.com.',
-    );
-  }
-
   const now = new Date();
   const device = await findOrCreate(org, { ...deviceInfo });
 
@@ -122,14 +114,6 @@ export async function createLocations(
   device,
   org,
 ) {
-  if (isDeniedCompany(org)) {
-    throw new AccessDeniedError(
-      'This is a question from the CEO of Transistor Software.\n' +
-        'Why are you spamming my demo server1?\n' +
-        'Please email me at chris@transistorsoft.com.',
-    );
-  }
-
   return Promise.reduce(
     locations,
     async (p, location) => {
@@ -151,6 +135,21 @@ export async function createLocations(
 export async function create(
   params,
 ) {
+  if (Array.isArray(params)) {
+    return Promise.reduce(
+      params,
+      async (p, pp) => {
+        try {
+          await create(pp);
+        } catch (e) {
+          console.error('create', e);
+          throw e;
+        }
+      },
+      0,
+    );
+  }
+
   const {
     company_token: token = 'UNKNOWN',
     location: list = [],
@@ -163,7 +162,20 @@ export async function create(
         ? [list]
         : []
     );
-
+  if (isDeniedCompany(token)) {
+    throw new AccessDeniedError(
+      'This is a question from the CEO of Transistor Software.\n' +
+          'Why are you spamming my demo server1?\n' +
+          'Please email me at chris@transistorsoft.com.',
+    );
+  }
+  if (isDeniedDevice(device.model)) {
+    throw new AccessDeniedError(
+      'This is a question from the CEO of Transistor Software.\n' +
+        'Why are you spamming my demo server2?\n' +
+        'Please email me at chris@transistorsoft.com.',
+    );
+  }
   return createLocations(locations, device, token);
 }
 
diff --git a/src/server/routes/firebase-api.js b/src/server/routes/firebase-api.js
index 997c35b..11d62e9 100644
--- a/src/server/routes/firebase-api.js
+++ b/src/server/routes/firebase-api.js
@@ -271,13 +271,12 @@ router.get('/locations', checkAuth(verify), async (req, res) => {
  * POST /locations
  */
 router.post('/locations', checkAuth(verify), async (req, res) => {
-  const { org } = req.jwt;
+  const { org, deviceId } = req.jwt;
   const { body } = req;
   const data = isEncryptedRequest(req)
     ? decrypt(body.toString())
     : body;
-  const { device: { uuid = 'UNKNOWN' } } = data || { device: {} };
-  const device = await getDevice({ id: uuid, org });
+  const device = await getDevice({ id: deviceId, org });
   // eslint-disable-next-line no-console
   console.info(
     'v3',
diff --git a/tests/api.test.js b/tests/api.test.js
index e6598e9..c982f27 100644
--- a/tests/api.test.js
+++ b/tests/api.test.js
@@ -148,6 +148,16 @@ describe('jwt api', () => {
       expect(res).to.be.json;
     });
 
+    test('POST /locations []', async () => {
+      const res = await chai
+        .request(server)
+        .post('/api/jwt/locations')
+        .set('Authorization', `Bearer ${token}`)
+        .send([{ location }]);
+      expect(res).have.status(200);
+      expect(res).to.be.json;
+    });
+
     test('/locations', async () => {
       const res = await chai
         .request(server)
diff --git a/tests/firebase.test.js b/tests/firebase.test.js
index b66e92e..9a81d2a 100644
--- a/tests/firebase.test.js
+++ b/tests/firebase.test.js
@@ -23,7 +23,7 @@ beforeAll(async () => {
   ({ accessToken: token } = res.body);
 });
 
-describe('jwt api', () => {
+describe('firebase api', () => {
   test('/register', async () => {
     const res = await chai
       .request(server)
@@ -152,6 +152,20 @@ describe('jwt api', () => {
       expect(res).to.be.json;
     });
 
+    test('POST /locations []', async () => {
+      const res = await chai
+        .request(server)
+        .post('/api/firebase/locations')
+        .set('Authorization', `Bearer ${token}`)
+        .send([{
+          location,
+          device: { model: 'test', uuid: 'uuid' },
+          company_token: 'org',
+        }]);
+      expect(res).have.status(200);
+      expect(res).to.be.json;
+    });
+
     test('/locations', async () => {
       const res = await chai
         .request(server)
diff --git a/tests/site-api.test.js b/tests/site-api.test.js
index 343ab6f..d897b5f 100644
--- a/tests/site-api.test.js
+++ b/tests/site-api.test.js
@@ -89,6 +89,20 @@ describe('site api', () => {
       expect(res).to.be.json;
     });
 
+    test('POST /locations []', async () => {
+      const res = await chai
+        .request(server)
+        .post('/api/site/locations')
+        .set('Authorization', `Bearer ${token}`)
+        .send([{
+          location,
+          device: { model: 'test', uuid: 'test' },
+          company_token: 'test',
+        }]);
+      expect(res).have.status(200);
+      expect(res).to.be.json;
+    });
+
     test('/locations', async () => {
       const res = await chai
         .request(server)