diff --git a/composer.json b/composer.json
index 6464524..593e579 100644
--- a/composer.json
+++ b/composer.json
@@ -9,6 +9,17 @@
             "email": "barnaby@waterpigs.co.uk"
         }
     ],
+    "autoload": {
+        "files": ["src/functions.php"],
+        "psr-4": {
+            "Taproot\\IndieAuth": "src"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "Taproot\\IndieAuth\\Test": "tests"
+        }
+    },
     "require": {
         "psr/http-message": "^1.0",
         "psr/log": "^1.1",
diff --git a/src/Taproot/IndieAuth/ClosureRequestHandler.php b/src/Middleware/ClosureRequestHandler.php
similarity index 93%
rename from src/Taproot/IndieAuth/ClosureRequestHandler.php
rename to src/Middleware/ClosureRequestHandler.php
index 9559697..5269817 100644
--- a/src/Taproot/IndieAuth/ClosureRequestHandler.php
+++ b/src/Middleware/ClosureRequestHandler.php
@@ -1,6 +1,6 @@
 <?php declare(strict_types=1);
 
-namespace Taproot\IndieAuth;
+namespace Taproot\IndieAuth\Middleware;
 
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
diff --git a/src/Taproot/IndieAuth/DoubleSubmitCookieCsrfMiddleware.php b/src/Middleware/DoubleSubmitCookieCsrfMiddleware.php
similarity index 85%
rename from src/Taproot/IndieAuth/DoubleSubmitCookieCsrfMiddleware.php
rename to src/Middleware/DoubleSubmitCookieCsrfMiddleware.php
index f280cb8..47bc661 100644
--- a/src/Taproot/IndieAuth/DoubleSubmitCookieCsrfMiddleware.php
+++ b/src/Middleware/DoubleSubmitCookieCsrfMiddleware.php
@@ -1,6 +1,6 @@
 <?php declare(strict_types=1);
 
-namespace Taproot\IndieAuth;
+namespace Taproot\IndieAuth\Middleware;
 
 use Nyholm\Psr7\Response;
 use Psr\Http\Message\ServerRequestInterface;
@@ -11,21 +11,7 @@ use Dflydev\FigCookies;
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
-
-// From https://github.com/indieweb/indieauth-client-php/blob/main/src/IndieAuth/Client.php, thanks aaronpk.
-function generateRandomString($numBytes) {
-	if (function_exists('random_bytes')) {
-		$bytes = random_bytes($numBytes);
-	} elseif (function_exists('openssl_random_pseudo_bytes')){
-		$bytes = openssl_random_pseudo_bytes($numBytes);
-	} else {
-		$bytes = '';
-		for($i=0, $bytes=''; $i < $numBytes; $i++) {
-			$bytes .= chr(mt_rand(0, 255));
-		}
-	}
-	return bin2hex($bytes);
-}
+use function Taproot\IndieAuth\generateRandomString;
 
 class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwareInterface {
 	const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];
diff --git a/src/Taproot/IndieAuth/NoOpMiddleware.php b/src/Middleware/NoOpMiddleware.php
similarity index 93%
rename from src/Taproot/IndieAuth/NoOpMiddleware.php
rename to src/Middleware/NoOpMiddleware.php
index f39cd88..f0b5bde 100644
--- a/src/Taproot/IndieAuth/NoOpMiddleware.php
+++ b/src/Middleware/NoOpMiddleware.php
@@ -1,6 +1,6 @@
 <?php declare(strict_types=1);
 
-namespace Taproot\IndieAuth;
+namespace Taproot\IndieAuth\Middleware;
 
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ResponseInterface;
diff --git a/src/Taproot/IndieAuth/Server.php b/src/Server.php
similarity index 85%
rename from src/Taproot/IndieAuth/Server.php
rename to src/Server.php
index 008c657..9b9f015 100644
--- a/src/Taproot/IndieAuth/Server.php
+++ b/src/Server.php
@@ -35,54 +35,6 @@ use function PHPSTORM_META\type;
  * Example CSRF protection cookie middleware: https://github.com/zakirullin/csrf-middleware/blob/master/src/CSRF.php
  */
 
-// TODO: maybe move these to a functions file so they’re usable by consumers even when the class isn’t loaded.
-// Alternatively, make them static methods so they can be autoloaded.
-function isIndieAuthAuthorizationCodeRedeemingRequest(ServerRequestInterface $request) {
-	return strtolower($request->getMethod()) == 'post'
-		&& array_key_exists('grant_type', $request->getParsedBody())
-		&& $request->getParsedBody()['grant_type'] == 'authorization_code';
-}
-
-function isIndieAuthAuthorizationRequest(ServerRequestInterface $request, $permittedMethods=['get']) {
-	return in_array(strtolower($request->getMethod()), array_map('strtolower', $permittedMethods))
-		&& array_key_exists('response_type', $request->getQueryParams())
-		&& $request->getQueryParams()['response_type'] == 'code';
-}
-
-function isAuthorizationApprovalRequest(ServerRequestInterface $request) {
-	return strtolower($request->getMethod()) == 'post'
-		&& array_key_exists('taproot_indieauth_action', $request->getParsedBody())
-		&& $request->getParsedBody()['taproot_indieauth_action'] == 'approve';
-}
-
-function buildQueryString(array $parameters) {
-	$qs = [];
-	foreach ($parameters as $k => $v) {
-		$qs[] = urlencode($k) . '=' . urlencode($v);
-	}
-	return join('&', $qs);
-}
-
-/**
- * Append Query Parameters
- * 
- * Converts `$queryParams` into a query string, then checks `$uri` for an
- * existing query string. Then appends the newly generated query string
- * with either ? or & as appropriate.
- */
-function appendQueryParams(string $uri, array $queryParams) {
-	$queryString = buildQueryString($queryParams);
-	$separator = parse_url($uri, \PHP_URL_QUERY) ? '&' : '?';
-	return "{$uri}{$separator}{$queryString}";
-}
-
-function trySetLogger($target, LoggerInterface $logger) {
-	if ($target instanceof LoggerAwareInterface) {
-		$target->setLogger($logger);
-	}
-	return $target;
-}
-
 class Server {
 	const CUSTOMIZE_AUTHORIZATION_CODE = 'customise_authorization_code';
 	const SHOW_AUTHORIZATION_PAGE = 'show_authorization_page';
@@ -92,9 +44,9 @@ class Server {
 
 	public $callbacks;
 
-	public TokenStorageInterface $authorizationCodeStorage;
+	public Storage\TokenStorageInterface $authorizationCodeStorage;
 
-	public TokenStorageInterface $accessTokenStorage;
+	public Storage\TokenStorageInterface $accessTokenStorage;
 
 	public MiddlewareInterface $csrfMiddleware;
 
@@ -133,9 +85,9 @@ class Server {
 		$this->callbacks = $callbacks;
 		
 		$authorizationCodeStorage = $config['authorizationCodeStorage'];
-		if (!$authorizationCodeStorage instanceof TokenStorageInterface) {
+		if (!$authorizationCodeStorage instanceof Storage\TokenStorageInterface) {
 			if (is_string($authorizationCodeStorage)) {
-				$authorizationCodeStorage = new FilesystemJsonStorage($authorizationCodeStorage, 600, true);
+				$authorizationCodeStorage = new Storage\FilesystemJsonStorage($authorizationCodeStorage, 600, true);
 			} else {
 				throw new Exception('$authorizationCodeStorage parameter must be either a string (path) or an instance of Taproot\IndieAuth\TokenStorageInterface.');
 			}
@@ -144,10 +96,10 @@ class Server {
 		$this->authorizationCodeStorage = $authorizationCodeStorage;
 
 		$accessTokenStorage = $config['accessTokenStorage'];
-		if (!$accessTokenStorage instanceof TokenStorageInterface) {
+		if (!$accessTokenStorage instanceof Storage\TokenStorageInterface) {
 			if (is_string($accessTokenStorage)) {
 				// Create a default access token storage with a TTL of 7 days.
-				$accessTokenStorage = new FilesystemJsonStorage($accessTokenStorage, 60 * 60 * 24 * 7, true);
+				$accessTokenStorage = new Storage\FilesystemJsonStorage($accessTokenStorage, 60 * 60 * 24 * 7, true);
 			} else {
 				throw new Exception('$accessTokenStorage parameter must be either a string (path) or an instance of Taproot\IndieAuth\TokenStorageInterface.');
 			}
@@ -160,7 +112,7 @@ class Server {
 		$csrfMiddleware = $config['csrfMiddleware'];
 		if (!$csrfMiddleware instanceof MiddlewareInterface) {
 			// Default to the statless Double-Submit Cookie CSRF Middleware, with default settings.
-			$csrfMiddleware = new DoubleSubmitCookieCsrfMiddleware($this->csrfKey);
+			$csrfMiddleware = new Middleware\DoubleSubmitCookieCsrfMiddleware($this->csrfKey);
 		}
 		trySetLogger($csrfMiddleware, $this->logger);
 		$this->csrfMiddleware = $csrfMiddleware;
@@ -214,7 +166,7 @@ class Server {
 
 		// Because the special case above isn’t allowed to be CSRF-protected, we have to do some rather silly
 		// gymnastics here to selectively-CSRF-protect requests which do need it.
-		return $this->csrfMiddleware->process($request, new ClosureRequestHandler(function (ServerRequestInterface $request) {
+		return $this->csrfMiddleware->process($request, new Middleware\ClosureRequestHandler(function (ServerRequestInterface $request) {
 			// If this is an authorization or approval request (allowing POST requests as well to accommodate 
 			// approval requests and custom auth form submission.
 			if (isIndieAuthAuthorizationRequest($request, ['get', 'post'])) {
diff --git a/src/Taproot/IndieAuth/FilesystemJsonStorage.php b/src/Storage/FilesystemJsonStorage.php
similarity index 97%
rename from src/Taproot/IndieAuth/FilesystemJsonStorage.php
rename to src/Storage/FilesystemJsonStorage.php
index 8112f95..ddff741 100644
--- a/src/Taproot/IndieAuth/FilesystemJsonStorage.php
+++ b/src/Storage/FilesystemJsonStorage.php
@@ -1,6 +1,6 @@
 <?php declare(strict_types=1);
 
-namespace Taproot\IndieAuth;
+namespace Taproot\IndieAuth\Storage;
 
 use DirectoryIterator;
 
diff --git a/src/Taproot/IndieAuth/TokenStorageInterface.php b/src/Storage/TokenStorageInterface.php
similarity index 88%
rename from src/Taproot/IndieAuth/TokenStorageInterface.php
rename to src/Storage/TokenStorageInterface.php
index 864d316..7814896 100644
--- a/src/Taproot/IndieAuth/TokenStorageInterface.php
+++ b/src/Storage/TokenStorageInterface.php
@@ -1,6 +1,6 @@
 <?php declare(strict_types=1);
 
-namespace Taproot\IndieAuth;
+namespace Taproot\IndieAuth\Storage;
 
 // TODO: document.
 
diff --git a/src/functions.php b/src/functions.php
new file mode 100644
index 0000000..13e5c84
--- /dev/null
+++ b/src/functions.php
@@ -0,0 +1,74 @@
+<?php
+
+namespace Taproot\IndieAuth;
+
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Log\LoggerAwareInterface;
+use Psr\Log\LoggerInterface;
+
+// From https://github.com/indieweb/indieauth-client-php/blob/main/src/IndieAuth/Client.php, thanks aaronpk.
+function generateRandomString($numBytes) {
+	if (function_exists('random_bytes')) {
+		$bytes = random_bytes($numBytes);
+	} elseif (function_exists('openssl_random_pseudo_bytes')){
+		$bytes = openssl_random_pseudo_bytes($numBytes);
+	} else {
+		$bytes = '';
+		for($i=0, $bytes=''; $i < $numBytes; $i++) {
+			$bytes .= chr(mt_rand(0, 255));
+		}
+	}
+	return bin2hex($bytes);
+}
+
+function isIndieAuthAuthorizationCodeRedeemingRequest(ServerRequestInterface $request) {
+	return strtolower($request->getMethod()) == 'post'
+		&& array_key_exists('grant_type', $request->getParsedBody())
+		&& $request->getParsedBody()['grant_type'] == 'authorization_code';
+}
+
+function isIndieAuthAuthorizationRequest(ServerRequestInterface $request, $permittedMethods=['get']) {
+	return in_array(strtolower($request->getMethod()), array_map('strtolower', $permittedMethods))
+		&& array_key_exists('response_type', $request->getQueryParams())
+		&& $request->getQueryParams()['response_type'] == 'code';
+}
+
+function isAuthorizationApprovalRequest(ServerRequestInterface $request) {
+	return strtolower($request->getMethod()) == 'post'
+		&& array_key_exists('taproot_indieauth_action', $request->getParsedBody())
+		&& $request->getParsedBody()['taproot_indieauth_action'] == 'approve';
+}
+
+function buildQueryString(array $parameters) {
+	$qs = [];
+	foreach ($parameters as $k => $v) {
+		$qs[] = urlencode($k) . '=' . urlencode($v);
+	}
+	return join('&', $qs);
+}
+
+/**
+ * Append Query Parameters
+ * 
+ * Converts `$queryParams` into a query string, then checks `$uri` for an
+ * existing query string. Then appends the newly generated query string
+ * with either ? or & as appropriate.
+ */
+function appendQueryParams(string $uri, array $queryParams) {
+	$queryString = buildQueryString($queryParams);
+	$separator = parse_url($uri, \PHP_URL_QUERY) ? '&' : '?';
+	return "{$uri}{$separator}{$queryString}";
+}
+
+/**
+ * Try setLogger
+ * 
+ * If `$target` implements `LoggerAwareInterface`, set it’s logger
+ * to `$logger`. Returns `$target`.
+ */
+function trySetLogger($target, LoggerInterface $logger) {
+	if ($target instanceof LoggerAwareInterface) {
+		$target->setLogger($logger);
+	}
+	return $target;
+}