diff --git a/src/aphront/response/AphrontJSONResponse.php b/src/aphront/response/AphrontJSONResponse.php index ac9f6fe710..32984bfd13 100644 --- a/src/aphront/response/AphrontJSONResponse.php +++ b/src/aphront/response/AphrontJSONResponse.php @@ -22,15 +22,31 @@ final class AphrontJSONResponse extends AphrontResponse { private $content; + private $addJSONShield; public function setContent($content) { $this->content = $content; return $this; } + public function setAddJSONShield($should_add) { + $this->addJSONShield = $should_add; + return $this; + } + + public function shouldAddJSONShield() { + if ($this->addJSONShield === null) { + return true; + } + return (bool) $this->addJSONShield; + } + public function buildResponseString() { $response = $this->encodeJSONForHTTPResponse($this->content); - return $this->addJSONShield($response, $use_javelin_shield = false); + if ($this->shouldAddJSONShield()) { + $response = $this->addJSONShield($response, $use_javelin_shield = false); + } + return $response; } public function getHeaders() { @@ -40,5 +56,4 @@ final class AphrontJSONResponse extends AphrontResponse { $headers = array_merge(parent::getHeaders(), $headers); return $headers; } - } diff --git a/src/applications/auth/oauth/provider/PhabricatorOAuthProviderPhabricator.php b/src/applications/auth/oauth/provider/PhabricatorOAuthProviderPhabricator.php index 68096386cc..44173470df 100644 --- a/src/applications/auth/oauth/provider/PhabricatorOAuthProviderPhabricator.php +++ b/src/applications/auth/oauth/provider/PhabricatorOAuthProviderPhabricator.php @@ -104,8 +104,6 @@ extends PhabricatorOAuthProvider { } public function setUserData($data) { - // need to strip the javascript shield from conduit - $data = substr($data, 8); $data = idx(json_decode($data, true), 'result'); $this->validateUserData($data); $this->userData = $data; 
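Review bot: The new `setAddJSONShield()` setter has no comment saying what the shield is for, so a later caller can pass `false` without realising that the prefix is what keeps a cookie-authenticated JSON body from being usable when another origin loads it as a script. I would add a docblock above it along the lines of `Disable only for responses consumed by non-browser API clients; keep the shield on anything a logged-in browser session can fetch.` The `null` check in `shouldAddJSONShield()` that defaults to `true` is the right fail-safe, and the same docblock should state that the shield is on unless explicitly disabled.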
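Review bot: In `setUserData()`, the result of `json_decode($data, true)` goes straight into `idx()` with no check that decoding succeeded. With the `substr($data, 8)` strip removed, a remote instance that still sends the shield prefix (presumably any install that predates this change) or any malformed body makes `json_decode()` return `null`. `idx()`, which I believe requires an array, then fails before `validateUserData()` gets a chance to reject the input cleanly. Decode into a local first and reject non-arrays, e.g. `$decoded = json_decode($data, true);` followed by `if (!is_array($decoded)) { throw new Exception('Expected a JSON object in the user data response.'); }`. The method body continues past the end of this hunk.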
diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php index 1f8930f6ac..180baa93e5 100644 --- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php +++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php @@ -164,6 +164,7 @@ final class PhabricatorConduitAPIController case 'json': default: return id(new AphrontJSONResponse()) + ->setAddJSONShield(false) ->setContent($response->toDictionary()); } } @@ -218,8 +219,6 @@ final class PhabricatorConduitAPIController } // handle oauth - // TODO - T897 (make error codes for OAuth more correct to spec) - // and T891 (strip shield from Conduit response) $access_token = $request->getStr('access_token'); $method_scope = $metadata['scope']; if ($access_token &&
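Review bot: `->setAddJSONShield(false)` is applied to every response on the `json`/`default` output path, regardless of how the caller was authenticated. If this controller can also answer a request authenticated by a browser session cookie (not visible in this hunk), those responses lose the shield too. Consider disabling it only when the request was authenticated with Conduit credentials or an OAuth access token, and keeping the default otherwise. At minimum add a comment at the call, such as `// Conduit clients are not browsers and parse the body as plain JSON, so the shield is omitted.` The enclosing method starts outside the hunk.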