diff --git a/server/auth.go b/server/auth.go
index 9b774b99..252ae6a8 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -251,7 +251,7 @@ func (s *Server) isClientAuthorized(c *client) bool {
 		if c.opts.Sig == "" {
 			return false
 		}
-		sig, err := base64.RawURLEncoding.DecodeString(c.opts.Sig)
+		sig, err := base64.StdEncoding.DecodeString(c.opts.Sig)
 		if err != nil {
 			return false
 		}
diff --git a/server/nkey.go b/server/nkey.go
index b9741629..4598d1b3 100644
--- a/server/nkey.go
+++ b/server/nkey.go
@@ -19,8 +19,8 @@ import (
 
 // Raw length of the nonce challenge
 const (
-	nonceRawLen = 16
-	nonceLen    = 22 // base64.RawURLEncoding.EncodedLen(nonceRawLen)
+	nonceRawLen = 11
+	nonceLen    = 16 // base64.StdEncoding.EncodedLen(nonceRawLen)
 )
 
 // nonceRequired tells us if we should send a nonce.
@@ -35,5 +35,5 @@ func (s *Server) generateNonce(n []byte) {
 	var raw [nonceRawLen]byte
 	data := raw[:]
 	s.prand.Read(data)
-	base64.RawURLEncoding.Encode(n, data)
+	base64.StdEncoding.Encode(n, data)
 }
diff --git a/server/nkey_test.go b/server/nkey_test.go
index d990d8b7..f0837f2c 100644
--- a/server/nkey_test.go
+++ b/server/nkey_test.go
@@ -37,7 +37,7 @@ type nonceInfo struct {
 }
 
 // This is a seed for a user. We can extract public and private keys from this for testing.
-const seed = "SUAOB32VQGYIOM622XYNXN4Q6GQR5I6DFZPPYZMNI5MMNVAQZDAL3OLH554ISOUTJM4EC6NWS5UHMS4CMONVVRW3VXXEQULMR6MDLPOEUVFPU"
+const seed = "SUAKYRHVIOREXV7EUZTBHUHL7NUMHPMAS7QMDU3GTIUWEI5LDNOXD43IZY"
 
 func nkeyBasicSetup() (*Server, *client, *bufio.Reader, string) {
 	kp, _ := nkeys.FromSeed(seed)
@@ -161,7 +161,7 @@ func TestNkeyClientConnect(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed signing nonce: %v", err)
 	}
-	sig := base64.RawURLEncoding.EncodeToString(sigraw)
+	sig := base64.StdEncoding.EncodeToString(sigraw)
 
 	// PING needed to flush the +OK to us.
 	cs = fmt.Sprintf("CONNECT {\"nkey\":%q,\"sig\":\"%s\",\"verbose\":true,\"pedantic\":true}\r\nPING\r\n", pubKey, sig)
@@ -199,7 +199,7 @@ func TestMixedClientConnect(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed signing nonce: %v", err)
 	}
-	sig := base64.RawURLEncoding.EncodeToString(sigraw)
+	sig := base64.StdEncoding.EncodeToString(sigraw)
 
 	// PING needed to flush the +OK to us.
 	cs := fmt.Sprintf("CONNECT {\"nkey\":%q,\"sig\":\"%s\",\"verbose\":true,\"pedantic\":true}\r\nPING\r\n", pubKey, sig)
@@ -252,7 +252,7 @@ func BenchmarkNonceGeneration(b *testing.B) {
 	prand := mrand.New(mrand.NewSource(time.Now().UnixNano()))
 	for i := 0; i < b.N; i++ {
 		prand.Read(data)
-		base64.RawURLEncoding.Encode(b64, data)
+		base64.StdEncoding.Encode(b64, data)
 	}
 }
 
@@ -260,9 +260,9 @@ func BenchmarkPublicVerify(b *testing.B) {
 	data := make([]byte, nonceRawLen)
 	nonce := make([]byte, nonceLen)
 	mrand.Read(data)
-	base64.RawURLEncoding.Encode(nonce, data)
+	base64.StdEncoding.Encode(nonce, data)
 
-	user, err := nkeys.CreateUser(nil)
+	user, err := nkeys.CreateUser()
 	if err != nil {
 		b.Fatalf("Error creating User Nkey: %v", err)
 	}
diff --git a/vendor/github.com/nats-io/nkeys/keypair.go b/vendor/github.com/nats-io/nkeys/keypair.go
index 604e433f..41ad188f 100644
--- a/vendor/github.com/nats-io/nkeys/keypair.go
+++ b/vendor/github.com/nats-io/nkeys/keypair.go
@@ -15,6 +15,7 @@ package nkeys
 
 import (
 	"bytes"
+	"crypto/rand"
 	"io"
 
 	"golang.org/x/crypto/ed25519"
@@ -26,12 +27,15 @@ type kp struct {
 }
 
 // createPair will create a KeyPair based on the rand entropy and a type/prefix byte. rand can be nil.
-func createPair(rand io.Reader, prefix PrefixByte) (KeyPair, error) {
-	_, privateKey, err := ed25519.GenerateKey(rand)
+func createPair(prefix PrefixByte) (KeyPair, error) {
+	var rawSeed [32]byte
+
+	_, err := io.ReadFull(rand.Reader, rawSeed[:])
 	if err != nil {
 		return nil, err
 	}
-	seed, err := EncodeSeed(prefix, privateKey)
+
+	seed, err := EncodeSeed(prefix, rawSeed[:])
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/nats-io/nkeys/main.go b/vendor/github.com/nats-io/nkeys/main.go
index 76f4aade..5004e2a8 100644
--- a/vendor/github.com/nats-io/nkeys/main.go
+++ b/vendor/github.com/nats-io/nkeys/main.go
@@ -17,7 +17,6 @@ package nkeys
 
 import (
 	"errors"
-	"io"
 )
 
 // Errors
@@ -42,32 +41,32 @@ type KeyPair interface {
 	Verify(input []byte, sig []byte) error
 }
 
-// CreateUser will create an User typed KeyPair.
-func CreateUser(rand io.Reader) (KeyPair, error) {
-	return createPair(rand, PrefixByteUser)
+// CreateUser will create a User typed KeyPair.
+func CreateUser() (KeyPair, error) {
+	return createPair(PrefixByteUser)
 }
 
 // CreateAccount will create an Account typed KeyPair.
-func CreateAccount(rand io.Reader) (KeyPair, error) {
-	return createPair(rand, PrefixByteAccount)
+func CreateAccount() (KeyPair, error) {
+	return createPair(PrefixByteAccount)
 }
 
-// CreateServer will create a server typed KeyPair.
-func CreateServer(rand io.Reader) (KeyPair, error) {
-	return createPair(rand, PrefixByteServer)
+// CreateServer will create a Server typed KeyPair.
+func CreateServer() (KeyPair, error) {
+	return createPair(PrefixByteServer)
 }
 
-// CreateCluster will create a cluster typed KeyPair.
-func CreateCluster(rand io.Reader) (KeyPair, error) {
-	return createPair(rand, PrefixByteCluster)
+// CreateCluster will create a Cluster typed KeyPair.
+func CreateCluster() (KeyPair, error) {
+	return createPair(PrefixByteCluster)
 }
 
-// CreateOperator will create an operator typed KeyPair.
-func CreateOperator(rand io.Reader) (KeyPair, error) {
-	return createPair(rand, PrefixByteOperator)
+// CreateOperator will create an Operator typed KeyPair.
+func CreateOperator() (KeyPair, error) {
+	return createPair(PrefixByteOperator)
 }
 
-// FromPublicKey will create a KeyPair capable fo verifying signatures.
+// FromPublicKey will create a KeyPair capable of verifying signatures.
 func FromPublicKey(public string) (KeyPair, error) {
 	raw, err := decode(public)
 	if err != nil {
@@ -88,3 +87,12 @@ func FromSeed(seed string) (KeyPair, error) {
 	}
 	return &kp{seed}, nil
 }
+
+// Create a KeyPair from the raw 32 byte seed for a given type.
+func FromRawSeed(prefix PrefixByte, rawSeed []byte) (KeyPair, error) {
+	seed, err := EncodeSeed(prefix, rawSeed)
+	if err != nil {
+		return nil, err
+	}
+	return &kp{seed}, nil
+}
diff --git a/vendor/github.com/nats-io/nkeys/nk/main.go b/vendor/github.com/nats-io/nkeys/nk/main.go
index b5abac4e..13a4321e 100644
--- a/vendor/github.com/nats-io/nkeys/nk/main.go
+++ b/vendor/github.com/nats-io/nkeys/nk/main.go
@@ -14,6 +14,7 @@
 package main
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 	"flag"
 	"io"
@@ -26,7 +27,7 @@ import (
 )
 
 func usage() {
-	log.Fatalf("Usage: nk [-gen type] [-sign file] [-verify file] [-inkey keyfile] [-pubin keyfile] [-pubout] [-e entropy]\n")
+	log.Fatalf("Usage: nk [-gen type] [-sign file] [-verify file] [-inkey keyfile] [-pubin keyfile] [-sigfile file] [-pubout] [-e entropy]\n")
 }
 
 func main() {
@@ -116,7 +117,7 @@ func sign(fname, keyFile string) {
 	if err != nil {
 		log.Fatal(err)
 	}
-	log.Printf("%s", base64.RawURLEncoding.EncodeToString(sigraw))
+	log.Printf("%s", base64.StdEncoding.EncodeToString(sigraw))
 }
 
 func verify(fname, keyFile, pubFile, sigFile string) {
@@ -157,23 +158,37 @@ func verify(fname, keyFile, pubFile, sigFile string) {
 	if err != nil {
 		log.Fatal(err)
 	}
-	sig, err := base64.RawURLEncoding.DecodeString(string(sigEnc))
+	sig, err := base64.StdEncoding.DecodeString(string(sigEnc))
 	if err != nil {
 		log.Fatal(err)
 	}
 	if err := kp.Verify(content, sig); err != nil {
 		log.Fatal(err)
 	}
-	log.Printf("verification succeeded")
+	log.Printf("Verified OK")
 }
 
 func createKey(keyType, entropy string) {
 	keyType = strings.ToLower(keyType)
-	var kp nkeys.KeyPair
-	var err error
+	var pre nkeys.PrefixByte
 
-	var ef io.Reader
+	switch keyType {
+	case "user":
+		pre = nkeys.PrefixByteUser
+	case "account":
+		pre = nkeys.PrefixByteAccount
+	case "server":
+		pre = nkeys.PrefixByteServer
+	case "cluster":
+		pre = nkeys.PrefixByteCluster
+	case "operator":
+		pre = nkeys.PrefixByteOperator
+	default:
+		log.Fatalf("Usage: nk -gen [user|account|server|cluster|operator]\n")
+	}
 
+	// See if we override entropy.
+	ef := rand.Reader
 	if entropy != "" {
 		r, err := os.Open(entropy)
 		if err != nil {
@@ -182,20 +197,13 @@ func createKey(keyType, entropy string) {
 		ef = r
 	}
 
-	switch keyType {
-	case "user":
-		kp, err = nkeys.CreateUser(ef)
-	case "account":
-		kp, err = nkeys.CreateAccount(ef)
-	case "server":
-		kp, err = nkeys.CreateServer(ef)
-	case "cluster":
-		kp, err = nkeys.CreateCluster(ef)
-	case "operator":
-		kp, err = nkeys.CreateOperator(ef)
-	default:
-		log.Fatalf("Usage: nk -gen [user|account|server|cluster|operator]\n")
+	// Create raw seed from source or random.
+	var rawSeed [32]byte
+	_, err := io.ReadFull(ef, rawSeed[:]) // Or some other random source.
+	if err != nil {
+		log.Fatalf("Error reading from %s: %v", ef, err)
 	}
+	kp, err := nkeys.FromRawSeed(pre, rawSeed[:])
 	if err != nil {
 		log.Fatalf("Error creating %s: %v", keyType, err)
 	}
diff --git a/vendor/github.com/nats-io/nkeys/strkey.go b/vendor/github.com/nats-io/nkeys/strkey.go
index ab774a0c..37dd3c46 100644
--- a/vendor/github.com/nats-io/nkeys/strkey.go
+++ b/vendor/github.com/nats-io/nkeys/strkey.go
@@ -83,7 +83,7 @@ func EncodeSeed(public PrefixByte, src []byte) (string, error) {
 		return "", err
 	}
 
-	if len(src) != ed25519.PrivateKeySize {
+	if len(src) != ed25519.SeedSize {
 		return "", ErrInvalidSeedLen
 	}
 
diff --git a/vendor/manifest b/vendor/manifest
index 70691995..131169ce 100644
--- a/vendor/manifest
+++ b/vendor/manifest
@@ -5,7 +5,7 @@
 			"importpath": "github.com/nats-io/nkeys",
 			"repository": "https://github.com/nats-io/nkeys",
 			"vcs": "git",
-			"revision": "b1c20ce69b6a01afa42403ea6f7b408d6cbc8e4e",
+			"revision": "9206fa847ab4dfdf7378fb1965717f32978852e2",
 			"branch": "master",
 			"notests": true
 		},