diff --git a/src/routes/test/api-test.js b/src/routes/test/api-test.js
index 1476885c5..577f3ea37 100644
--- a/src/routes/test/api-test.js
+++ b/src/routes/test/api-test.js
@@ -7,33 +7,99 @@ 'use strict'; const common = require('./common.js'), + delay = require('delay'), expect = require('expect.js'), - superagent = require('superagent'); + superagent = require('superagent'), + tokens = require('../../tokens.js'); describe('REST API', function () { - const { setup, cleanup, serverUrl, owner } = common; + const { setup, cleanup, serverUrl, owner, user } = common; before(setup); after(cleanup); - it('does not crash with invalid JSON', async function () { - const response = await superagent.post(`${serverUrl}/api/v1/users`) - .query({ access_token: owner.token }) - .set('content-type', 'application/json') - .send('some invalid non-strict json') - .ok(() => true); + describe('express handlers', function () { + it('does not crash with invalid JSON', async function () { + const response = await superagent.post(`${serverUrl}/api/v1/users`) + .query({ access_token: owner.token }) + .set('content-type', 'application/json') + .send('some invalid non-strict json') + .ok(() => true); - expect(response.statusCode).to.equal(400); - expect(response.body.message).to.be('Failed to parse body'); + expect(response.statusCode).to.equal(400); + expect(response.body.message).to.be('Failed to parse body'); + }); + + it('does not crash with invalid string', async function () { + const response = await superagent.post(`${serverUrl}/api/v1/users`) + .query({ access_token: owner.token }) + .set('content-type', 'application/x-www-form-urlencoded') + .send('some string') + .ok(() => true); + + expect(response.statusCode).to.equal(400); + }); }); - it('does not crash with invalid string', async function () { - const response = await superagent.post(`${serverUrl}/api/v1/users`) - .query({ access_token: owner.token }) - .set('content-type', 'application/x-www-form-urlencoded') - .send('some string') - .ok(() => true); + describe('authentication', function () { + it('cannot get userInfo only with basic auth', async function () { + const response = await 
superagent.get(`${serverUrl}/api/v1/users/${user.id}`) + .auth(owner.username, owner.password) + .ok(() => true); - expect(response.statusCode).to.equal(400); + expect(response.statusCode).to.equal(401); + }); + + it('cannot get userInfo with invalid token (token length)', async function () { + const response = await superagent.get(`${serverUrl}/api/v1/users/${user.id}`) + .query({ access_token: 'x' + owner.token }) + .ok(() => true); + + expect(response.statusCode).to.equal(401); + }); + + + it('can get userInfo with token in auth header', async function () { + const response = await superagent.get(`${serverUrl}/api/v1/users/${user.id}`) + .set('Authorization', 'Bearer ' + owner.token); + + expect(response.statusCode).to.equal(200); + expect(response.body.username).to.equal(user.username.toLowerCase()); + expect(response.body.email).to.equal(user.email.toLowerCase()); + }); + + it('cannot get userInfo with invalid token in auth header', async function () { + const response = await superagent.get(`${serverUrl}/api/v1/users/${user.id}`) + .set('Authorization', 'Bearer ' + 'x' + owner.token) + .ok(() => true); + + expect(response.statusCode).to.equal(401); + }); + + it('cannot get userInfo with expired token', async function () { + const token2 = { + name: 'token2', + identifier: owner.id, + clientId: 'clientid-2', + expires: Date.now() + 2000, // expires in 3 seconds + lastUsedTime: null + }; + + let result = await tokens.add(token2); + token2.id = result.id; + token2.accessToken = result.accessToken; + + const response = await superagent.get(`${serverUrl}/api/v1/users/${user.id}`) + .set('Authorization', 'Bearer ' + token2.accessToken); + expect(response.statusCode).to.be(200); + + await delay(3000); // wait for token to expire + + const response2 = await superagent.get(`${serverUrl}/api/v1/users/${user.id}`) + .set('Authorization', 'Bearer ' + token2.accessToken) + .ok(() => true); + expect(response2.statusCode).to.be(401); + + }); }); }); 
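Review bot: The comment on `expires: Date.now() + 2000, // expires in 3 seconds` disagrees with the value, which is 2000 ms; either the comment or the expiry should change, e.g. `expires: Date.now() + 2000, // expires in 2 seconds; delay(3000) below waits past it`. The token created by `tokens.add(token2)` in that test is never removed, so unless `cleanup` drops the token table it stays behind for later tests; a matching removal at the end of the test (or in an `after`) would keep the suite hermetic. The 3-second `delay` also exceeds mocha's default 2 s per-test timeout, so the test presumably relies on a raised timeout configured elsewhere; a `this.timeout(...)` at the top of that `it` would make the dependency explicit. Since the expiry is only 2 s, the first request must complete within that window for the 200 assertion to hold, which may be flaky on a slow CI runner; a longer expiry with a correspondingly longer delay would make the boundary less tight.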
diff --git a/src/routes/test/provision-test.js b/src/routes/test/provision-test.js
index bd1220014..106d18a42 100644
--- a/src/routes/test/provision-test.js
+++ b/src/routes/test/provision-test.js
@@ -17,7 +17,6 @@ const async = require('async'),
 const DOMAIN = 'example-server-test.com';
 const USERNAME = 'superadmin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';
 const SERVER_URL = 'http://localhost:' + constants.PORT;
-let token = null;
 function waitForSetup(done) {
 async.retry({ times: 5, interval: 4000 }, function (retryCallback) {