diff --git a/src/clients.js b/src/clients.js
index f1f0aa181..3be3641a1 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -42,6 +42,7 @@ function ClientsError(reason, errorOrMessage) {
 }
 util.inherits(ClientsError, Error);
 ClientsError.INVALID_SCOPE = 'Invalid scope';
+ClientsError.INVALID_CLIENT = 'Invalid client';
 
 function validateScope(scope) {
 assert.strictEqual(typeof scope, 'string');
diff --git a/src/routes/test/simpleauth-test.js b/src/routes/test/simpleauth-test.js
index 6460cf70a..38da65910 100644
--- a/src/routes/test/simpleauth-test.js
+++ b/src/routes/test/simpleauth-test.js
@@ -89,6 +89,15 @@ describe('SimpleAuth API', function () {
 scope: 'user,profile'
 };
 
+ var CLIENT_4 = {
+ id: 'someclientid4',
+ appId: APP_2.id,
+ type: clientdb.TYPE_OAUTH,
+ clientSecret: 'someclientsecret4',
+ redirectURI: '',
+ scope: 'user,profile'
+ };
+
 before(function (done) {
 async.series([
 server.start.bind(server),
@@ -118,6 +127,7 @@ describe('SimpleAuth API', function () {
 clientdb.add.bind(null, CLIENT_1.id, CLIENT_1.appId, CLIENT_1.type, CLIENT_1.clientSecret, CLIENT_1.redirectURI, CLIENT_1.scope),
 clientdb.add.bind(null, CLIENT_2.id, CLIENT_2.appId, CLIENT_2.type, CLIENT_2.clientSecret, CLIENT_2.redirectURI, CLIENT_2.scope),
 clientdb.add.bind(null, CLIENT_3.id, CLIENT_3.appId, CLIENT_3.type, CLIENT_3.clientSecret, CLIENT_3.redirectURI, CLIENT_3.scope),
+ clientdb.add.bind(null, CLIENT_4.id, CLIENT_4.appId, CLIENT_4.type, CLIENT_4.clientSecret, CLIENT_4.redirectURI, CLIENT_4.scope),
 appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, APP_0.oauthProxy),
 appdb.add.bind(null, APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, APP_1.portBindings, APP_1.accessRestriction, APP_1.oauthProxy),
 appdb.add.bind(null, APP_2.id, APP_2.appStoreId, APP_2.manifest, APP_2.location, APP_2.portBindings, APP_2.accessRestriction, APP_2.oauthProxy)
@@ -331,6 +341,22 @@ describe('SimpleAuth API', function () {
 });
 });
 });
+
+ it('fails for wrong client credentials', function (done) {
+ var body = {
+ clientId: CLIENT_4.id,
+ username: USERNAME,
+ password: PASSWORD
+ };
+
+ request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+ .send(body)
+ .end(function (error, result) {
+ expect(error).to.be(null);
+ expect(result.statusCode).to.equal(401);
+ done();
+ });
+ });
 });
 
 describe('logout', function () {
diff --git a/src/routes/test/start_addons.sh b/src/routes/test/start_addons.sh
index cf6ac88b3..8916cb90a 100755
--- a/src/routes/test/start_addons.sh
+++ b/src/routes/test/start_addons.sh
@@ -25,7 +25,7 @@ start_postgresql() {
 docker rm -f postgresql 2>/dev/null 1>&2 || true
 docker run -dtP --name=postgresql -v "${postgresqldatadir}:/var/lib/postgresql" \
- --read-only -v /tmp -v /run \
+ --read-only -v /tmp -v /run \
 -v /tmp/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh "${POSTGRESQL_IMAGE}" >/dev/null
 }
diff --git a/src/simpleauth.js b/src/simpleauth.js
index c5474554a..878bea123 100644
--- a/src/simpleauth.js
+++ b/src/simpleauth.js
@@ -8,7 +8,9 @@ exports = module.exports = {
 var apps = require('./apps.js'),
 AppsError = apps.AppsError,
 assert = require('assert'),
+ clientdb = require('./clientdb.js'),
 clients = require('./clients.js'),
+ ClientsError = clients.ClientsError,
 config = require('./config.js'),
 DatabaseError = require('./databaseerror.js'),
 debug = require('debug')('box:src/simpleauth'),
@@ -34,6 +36,9 @@ function loginLogic(clientId, username, password, callback) {
 clients.get(clientId, function (error, clientObject) {
 if (error) return callback(error);
 
+ // only allow simple auth clients
+ if (clientObject.type !== clientdb.TYPE_SIMPLE_AUTH) return callback(new ClientsError(ClientsError.INVALID_CLIENT));
+
 user.verify(username, password, function (error, userObject) {
 if (error) return callback(error);
 
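Review bot: The test name 'fails for wrong client credentials' does not describe what the request exercises: the body carries the valid USERNAME and PASSWORD, and the only thing wrong with it is that CLIENT_4 is a clientdb.TYPE_OAUTH client, so this covers the client-type rejection, not bad credentials. Rename it, `it('fails for non simple auth client', function (done) {`, so a later reader does not assume the credential path is tested here. It is also worth asserting on the response body text in addition to the 401 status, so that a change to the error mapping in login() is caught by this test rather than only by the status code. Whether a nonexistent clientId is already covered elsewhere in this describe block is not visible in the hunk.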
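Review bot: The new INVALID_CLIENT reason is surfaced by login() (the following hunk, cut off in this view) as a 401 with the text 'Unkown client', while a client id that does not exist at all yields 'Unknown client'; beyond the typo, the two bodies differ, so a caller can tell an existing client id of the wrong type apart from a nonexistent one. Use the identical string for both mappings, `return next(new HttpError(401, 'Unknown client'));`, so the type check is indistinguishable from not-found. The comment on the new check could also record why it sits before user.verify: `// reject non simple-auth clients before any password check, so a wrong client id never exercises user credentials`. The check assumes clients.get hands back a non-null clientObject whenever error is null; that contract is not visible here and is worth confirming.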
@@ -78,6 +83,7 @@ function login(req, res, next) {
 loginLogic(req.body.clientId, req.body.username, req.body.password, function (error, result) {
 if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(401, 'Unknown client'));
+ if (error && error.reason === ClientsError.INVALID_CLIENT) return next(new HttpError(401, 'Unkown client'));
 if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
 if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(401, 'Unkown app'));
 if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(401, 'Forbidden'));