diff --git a/pkg/server/token.go b/pkg/server/token.go
index 7b1f21b11..24b32f283 100644
--- a/pkg/server/token.go
+++ b/pkg/server/token.go
@@ -11,18 +11,10 @@ import (
 // POST /api/user/tokens
 func PostToken(c *gin.Context) {
- settings := ToSettings(c)
- store := ToDatastore(c)
 sess := ToSession(c)
+ store := ToDatastore(c)
 user := ToUser(c)
- // if a session secret is not defined there is no way to
- // generate jwt user tokens, so we must throw an error
- if settings.Session == nil || len(settings.Session.Secret) == 0 {
- c.String(500, "User tokens are not configured")
- return
- }
 in := &common.Token{}
 if !c.BindWith(in, binding.JSON) {
 return
 }
@@ -39,13 +31,16 @@ func PostToken(c *gin.Context) {
 err := store.AddToken(token)
 if err != nil {
- c.Fail(400, err)
+ c.Fail(500, err)
+ return
 }
 jwt, err := sess.GenerateToken(token)
 if err != nil {
 c.Fail(400, err)
+ return
+ }
+ c.JSON(200, struct {
 *common.Token
 Hash string `json:"hash"`
@@ -61,10 +56,12 @@ func DelToken(c *gin.Context) {
 token, err := store.TokenLabel(user, label)
 if err != nil {
 c.Fail(404, err)
+ return
 }
 err = store.DelToken(token)
 if err != nil {
 c.Fail(400, err)
+ return
 }
 c.Writer.WriteHeader(200)
diff --git a/pkg/server/token_test.go b/pkg/server/token_test.go
new file mode 100644
index 000000000..854920506
--- /dev/null
+++ b/pkg/server/token_test.go
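Review bot: Removing the settings.Session secret guard at the top of PostToken leaves no visible check that a signing secret is configured before a user token is minted; if session.New accepts an empty Secret, GenerateToken would sign with an empty HMAC key and the resulting tokens could be forged by anyone who knows the claim layout. Unless session.New or GenerateToken (neither is in this diff) refuses an empty secret, keep an equivalent guard here, e.g. `if sess == nil { c.String(500, "User tokens are not configured"); return }`, and have the session constructor reject empty secrets so the invariant holds for every caller. If the check is deliberately enforced elsewhere, a one-line comment such as `// the session layer guarantees a non-empty signing secret` would stop the next reader from re-adding it here. PostToken continues past the end of this hunk.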
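Review bot: The sess.GenerateToken error branch still answers 400 even though store.AddToken has already persisted the token one step earlier, so a signing failure both reports a server-side problem as a client error and leaves an orphaned credential behind in the store. I would change that branch to a best-effort `store.DelToken(token)` followed by `c.Fail(500, err)` before the return, so a failed request does not leave a token row nobody received. Both c.Fail calls hand the raw store or signing error to gin; whether that text ends up in the response body depends on the gin version in use, so confirm database errors are not echoed to the client. The c.JSON response and the rest of PostToken run past the end of this hunk.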
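Review bot: The store.DelToken failure branch keeps `c.Fail(400, err)` while the same commit maps the AddToken store failure in PostToken to 500; a datastore error on delete is equally server-side and should be `c.Fail(500, err)` for consistency. The added returns after both c.Fail calls are the important part of this hunk and look right, since without them the handler fell through to WriteHeader(200) after an error. The lookup via store.TokenLabel(user, label) appears to be scoped to the authenticated user, which is what keeps the 404 from revealing other users' labels; a comment such as `// lookup is scoped to the current user, so an unknown label is a plain 404` would make that intent explicit. DelToken's signature and the user/label extraction sit above this hunk.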
@@ -0,0 +1,78 @@
+package server
+
+import (
+ "bytes"
+ "database/sql"
+ "encoding/json"
+ "net/http"
+ "testing"
+
+ "github.com/dgrijalva/jwt-go"
+ "github.com/drone/drone/pkg/server/recorder"
+ "github.com/drone/drone/pkg/server/session"
+ "github.com/drone/drone/pkg/settings"
+ "github.com/drone/drone/pkg/store/mock"
+ "github.com/drone/drone/pkg/types"
+ . "github.com/franela/goblin"
+ "github.com/gin-gonic/gin"
+ "github.com/stretchr/testify/mock"
+)
+
+var tokenTests = []struct {
+ inLabel string
+ inBody string
+ storeErr error
+ outCode int
+ outKind string
+}{
+ {"", `{}`, sql.ErrNoRows, 500, ""},
+ {"app1", `{"label": "app1"}`, nil, 200, types.TokenUser},
+ {"app2", `{"label": "app2"}`, nil, 200, types.TokenUser},
+}
+
+func TestToken(t *testing.T) {
+ store := new(mocks.Store)
+
+ g := Goblin(t)
+ g.Describe("Token", func() {
+ g.It("should create tokens", func() {
+ for _, test := range tokenTests {
+ rw := recorder.New()
+ ctx := gin.Context{Engine: gin.Default(), Writer: rw}
+ body := bytes.NewBufferString(test.inBody)
+ ctx.Request, _ = http.NewRequest("POST", "/api/user/tokens", body)
+
+ ctx.Set("datastore", store)
+ ctx.Set("user", &types.User{Login: "Freya"})
+
+ config := settings.Settings{Session: &settings.Session{Secret: "Otto"}}
+ ctx.Set("settings", &config)
+ ctx.Set("session", session.New(config.Session))
+
+ // prepare the mock
+ store.On("AddToken", mock.AnythingOfType("*types.Token")).Return(test.storeErr).Once()
+ PostToken(&ctx)
+
+ g.Assert(rw.Code).Equal(test.outCode)
+ if test.outCode != 200 {
+ continue
+ }
+
+ var respjson map[string]interface{}
+ json.Unmarshal(rw.Body.Bytes(), &respjson)
+ g.Assert(respjson["kind"]).Equal(types.TokenUser)
+ g.Assert(respjson["label"]).Equal(test.inLabel)
+
+ // this is probably going too far... maybe just validate hash is not empty?
+ jwt.Parse(respjson["hash"].(string), func(token *jwt.Token) (interface{}, error) {
+ _, ok := token.Method.(*jwt.SigningMethodHMAC)
+ g.Assert(ok).IsTrue()
+ g.Assert(token.Claims["label"]).Equal(test.inLabel)
+ return nil, nil
+ })
+ }
+ })
+
+ g.It("should delete tokens")
+ })
+}
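Review bot: The jwt.Parse call near the end of the loop never verifies the signature, because the keyfunc returns `nil, nil` and the error from Parse is discarded, so a hash signed with the wrong secret, or an unsigned token, still passes; the assertions inside the keyfunc run before verification even happens. Return the configured secret from the keyfunc, check the error and assert on the parsed token instead, as below. The `mock.AnythingOfType("*types.Token")` expectation also has to match the type PostToken passes to AddToken, which the handler's context lines show as `common.Token`; if `common` is not the same package as `types`, the mock will reject the call. The JSON-binding (400) and GenerateToken-failure paths are uncovered and the delete case is still pending.
```go
// … unchanged: kind/label assertions on respjson …
parsed, err := jwt.Parse(respjson["hash"].(string), func(token *jwt.Token) (interface{}, error) {
	_, ok := token.Method.(*jwt.SigningMethodHMAC)
	g.Assert(ok).IsTrue()
	// verify against the secret the handler was configured with
	return []byte(config.Session.Secret), nil
})
g.Assert(err == nil).IsTrue()
g.Assert(parsed.Valid).IsTrue()
g.Assert(parsed.Claims["label"]).Equal(test.inLabel)
```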