diff --git a/server/auth_callout.go b/server/auth_callout.go
index 73fab2da..091bf6ad 100644
--- a/server/auth_callout.go
+++ b/server/auth_callout.go
@@ -204,8 +204,13 @@ func (s *Server) processClientOrLeafCallout(c *client, opts *Options) (authorize
 }
 defer acc.unsubscribeInternal(sub)
- // Build our request claims.
- claim := jwt.NewAuthorizationRequestClaims(AuthRequestSubject)
+ // Build our request claims - jwt subject should be nkey
+ jwtSub := acc.Name
+ if opts.AuthCallout != nil {
+ jwtSub = opts.AuthCallout.Issuer
+ }
+ claim := jwt.NewAuthorizationRequestClaims(jwtSub)
+ claim.Audience = AuthRequestSubject
 // Set expected public user nkey.
 claim.UserNkey = pub
@@ -229,11 +234,6 @@ func (s *Server) processClientOrLeafCallout(c *client, opts *Options) (authorize
 authTimeout := secondsToDuration(s.getOpts().AuthTimeout)
 claim.Expires = time.Now().Add(time.Duration(authTimeout)).UTC().Unix()
- if opts.AuthCallout != nil {
- claim.Audience = opts.AuthCallout.Issuer
- } else {
- claim.Audience = acc.Name
- }
 // Grab client info for the request.
 c.mu.Lock()
diff --git a/server/leafnode.go b/server/leafnode.go
index 89acd7f7..9a5b7639 100644
--- a/server/leafnode.go
+++ b/server/leafnode.go
@@ -1857,7 +1857,7 @@ func (c *client) updateSmap(sub *subscription, delta int32) {
 n := c.leaf.smap[key]
 // We will update if its a queue, if count is zero (or negative), or we were 0 and are N > 0.
- update := sub.queue != nil || n == 0 || n+delta <= 0
+ update := sub.queue != nil || (n <= 0 && n+delta > 0) || (n > 0 && n+delta <= 0)
 n += delta
 if n > 0 {
 c.leaf.smap[key] = n
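Review bot: In the first hunk of server/auth_callout.go the new comment says the JWT subject should be an nkey, but the fallback `jwtSub := acc.Name` is used unchecked when `opts.AuthCallout` is nil, and nothing visible in the hunk establishes that an account name is a public key on that path. The change also moves the issuer/account binding from `aud` to `sub` and sets `aud` to the constant `AuthRequestSubject`, so a callout service that checked the audience against its issuer would presumably have to check the subject instead. I would make that explicit at the assignment: `// sub is the callout issuer nkey (or the account name when no AuthCallout is configured); aud is always AuthRequestSubject.` processClientOrLeafCallout starts and ends outside the hunk.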
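Review bot: The comment kept above the changed line in updateSmap (server/leafnode.go) no longer matches the new condition: with `n == 0` and a non-positive `delta` the old expression set `update`, while the new one is true only when the count crosses zero. I would reword it to `// We will update if its a queue, or when the count crosses zero: none -> some (n <= 0, n+delta > 0) or some -> none (n > 0, n+delta <= 0).` If dropping the update for the `n == 0`, `delta <= 0` case is intended, the commit message should say so, since the code that acts on `update` is not visible here. updateSmap's body starts and ends outside the hunk.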