diff --git a/relay/listener.go b/relay/listener.go index 8e439ad..f157c44 100644 --- a/relay/listener.go +++ b/relay/listener.go @@ -13,6 +13,8 @@ import ( "gopkg.in/antage/eventsource.v1" ) +const BYTES_PER_KEY = 16 + var sessions = make(map[string]*eventsource.EventSource) var backsessions = make(map[*eventsource.EventSource]string) var slock = sync.Mutex{} @@ -47,9 +49,6 @@ func listenUpdates(w http.ResponseWriter, r *http.Request) { } } - // will return past items then track changes from these keys: - keys, _ := r.URL.Query()["key"] - es = eventsource.New( &eventsource.Settings{ Timeout: time.Second * 5, 
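Review bot: `BYTES_PER_KEY` in the first hunk uses ALL_CAPS with underscores, while Go constants use MixedCaps, so `const bytesPerKey = 16` (or `BytesPerKey` only if another package needs it). Since the value fixes the wire format of the request body it also deserves a doc comment, e.g. `// bytesPerKey is the length in bytes of each pubkey prefix read from the request body; only that prefix is matched against stored pubkeys.` The second hunk, which drops the old `?key=` query-string parsing, is a pure deletion and needs nothing.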
@@ -88,21 +87,40 @@ func listenUpdates(w http.ResponseWriter, r *http.Request) { es.ServeHTTP(w, r) - // past events - inkeys := make([]string, 0, len(keys)) - for _, key := range keys { - // to prevent sql attack here we will check if these keys are valid 32-byte hex - parsed, err := hex.DecodeString(key) - if err != nil || len(parsed) != 32 { - continue + // grab keys from which we will return items and track new events: + defer r.Body.Close() + + var nkeys = make([]byte, 1) + _, err = r.Body.Read(nkeys) + if err != nil { + log.Warn().Err(err).Msg("failed to read number of keys") + w.WriteHeader(400) + return + } + + keys := make([]string, int(nkeys[0])) + for k := 0; k < int(nkeys[0]); k++ { + var key = make([]byte, BYTES_PER_KEY) + _, err = r.Body.Read(key) + if err != nil { + log.Warn().Err(err).Msg("failed to read key") + w.WriteHeader(400) + return } - inkeys = append(inkeys, fmt.Sprintf("'%x'", parsed)) + keys[k] = hex.EncodeToString(key) + } + + // past events + likekeys := make([]string, len(keys)) + for k, key := range keys { + // this is not an sql attack because we know we are using hex keys only + likekeys[k] = fmt.Sprintf("pubkey LIKE '%x%%'", key) } var lastUpdates []Event err := db.Select(&lastUpdates, ` SELECT *, (SELECT count(*) FROM event AS r WHERE r.ref = event.id) AS rel FROM event - WHERE pubkey IN (`+strings.Join(inkeys, ",")+`) + WHERE `+strings.Join(likekeys, " OR ")+` ORDER BY created_at DESC LIMIT 50 `) diff --git a/relay/main.go b/relay/main.go index 7493e14..a3aa3ff 100644 --- a/relay/main.go +++ b/relay/main.go 
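Review bot: The line `likekeys[k] = fmt.Sprintf("pubkey LIKE '%x%%'", key)` double-encodes: `key` is already the output of `hex.EncodeToString`, and `%x` on a string hex-encodes its ASCII bytes, so the pattern becomes 64 hex digits derived from the characters `0-9a-f` and will never match a stored pubkey; it should be `fmt.Sprintf("pubkey LIKE '%s%%'", key)` (the removed code applied `%x` to the decoded `[]byte`, which is why it worked there, and the injection argument in the comment still holds because `hex.EncodeToString` only emits `[0-9a-f]`). `r.Body.Read(nkeys)` and `r.Body.Read(key)` may return fewer bytes than the buffer with a nil error, leaving trailing zero bytes that are silently encoded into a wrong key; use `if _, err = io.ReadFull(r.Body, nkeys); err != nil {` and `if _, err = io.ReadFull(r.Body, key); err != nil {` (this needs the `io` import, which is outside the hunk). Because the keys are read after `es.ServeHTTP(w, r)`, which presumably has already started the response, the `w.WriteHeader(400)` calls on the error paths likely never reach the client and the early `return` may leave a half-set-up session behind; reading and validating the keys before serving the stream would avoid both. When `nkeys[0]` is 0, `likekeys` is empty and the query degrades to `WHERE  ORDER BY`, a SQL syntax error at runtime, so that case should be rejected before the query is built. Finally, `_, err = r.Body.Read(...)` assigns to an `err` declared before this hunk while the unchanged `err := db.Select(...)` below redeclares it in what appears to be the same scope; unless one of them sits in a nested block not visible here, this will not compile and one of them should use `=`.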
@@ -38,7 +38,7 @@ func main() { } router.Path("/query_users").Methods("GET").HandlerFunc(queryUsers) - router.Path("/listen_updates").Methods("GET").HandlerFunc(listenUpdates) + router.Path("/listen_updates").Methods("POST").HandlerFunc(listenUpdates) router.Path("/save_update").Methods("POST").HandlerFunc(saveUpdate) router.Path("/request_user").Methods("POST").HandlerFunc(requestUser) router.Path("/request_note").Methods("POST").HandlerFunc(requestNote)
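Review bot: The route now accepts only POST, but the browser's native `EventSource` API issues GET requests only, so any client relying on it would no longer reach `listenUpdates`; if the intended client reads the stream through a manual request this is fine, but the trade-off is worth a comment on the line, e.g. `// POST: the key list travels in the request body, so native EventSource clients cannot use this route.` The handler that consumes that body lives in relay/listener.go, outside this hunk.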