diff --git a/fedireads/incoming.py b/fedireads/incoming.py
index 5e5a457e..6ca51d0e 100644
--- a/fedireads/incoming.py
+++ b/fedireads/incoming.py
@@ -90,6 +90,7 @@ def shared_inbox(request):
 def get_public_key(key_actor):
+ ''' try a stored key or load it from remote '''
 try:
 user = models.User.objects.get(remote_id=key_actor)
 public_key = user.public_key
diff --git a/fedireads/remote_user.py b/fedireads/remote_user.py
index 955f6bfb..1a3a65e1 100644
--- a/fedireads/remote_user.py
+++ b/fedireads/remote_user.py
@@ -26,6 +26,9 @@ def get_or_create_remote_user(actor):
 response.raise_for_status()
 data = response.json()
+ # make sure our actor is who they say they are
+ assert actor == data['id']
+
 actor_parts = urlparse(actor)
 with transaction.atomic():
 user = create_remote_user(data)
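Review bot: The actor identity check added after `data = response.json()` in `get_or_create_remote_user` is an `assert`, which Python removes when run with `-O`. In an optimized deployment a fetched document whose `id` differs from the requested actor URL would then reach `create_remote_user(data)` unchecked. Because this gates which remote identity gets stored, it should be an explicit check, for example `if data.get('id') != actor: raise ValueError('remote actor id does not match requested actor')`. That form also rejects a document with no `id` key, which currently raises `KeyError`. The function starts and ends outside this hunk, so whether callers handle either exception type cannot be confirmed from here.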