diff --git a/authorization_test.go b/authorization_test.go
index e46cf516da8fa8a74297653001d8737c3206136a..865546ac90159bf84074a5eef53b2be26aa923ae 100644
--- a/authorization_test.go
+++ b/authorization_test.go
@@ -23,7 +23,7 @@ func okHandler(w http.ResponseWriter, _ *http.Request, _ *api.Response) {
 
 func runPreAuthorizeHandler(t *testing.T, ts *httptest.Server, suffix string, url *regexp.Regexp, apiResponse interface{}, returnCode, expectedCode int) *httptest.ResponseRecorder {
 	if ts == nil {
-		ts = testAuthServer(url, returnCode, apiResponse)
+		ts = testAuthServer(url, nil, returnCode, apiResponse)
 		defer ts.Close()
 	}
 
diff --git a/channel_test.go b/channel_test.go
index 2da68b7d0a0533380980cd7a5e19473476c11fd4..ebe3712cb0146dde4bd1b73572e5662fb25f5460 100644
--- a/channel_test.go
+++ b/channel_test.go
@@ -157,7 +157,7 @@ func wireupChannel(channelPath string, modifier func(*api.Response), subprotocol
 	if modifier != nil {
 		modifier(authResponse)
 	}
-	upstream := testAuthServer(nil, 200, authResponse)
+	upstream := testAuthServer(nil, nil, 200, authResponse)
 	workhorse := startWorkhorseServer(upstream.URL)
 
 	return serverConns, websocketURL(workhorse.URL, channelPath), func() {
diff --git a/gitaly_integration_test.go b/gitaly_integration_test.go
index 54faa0297765b842542735961042fe4fd9220bea..fde0a07e1e7450c6ece3ad2073d1c3203cfdfeef 100644
--- a/gitaly_integration_test.go
+++ b/gitaly_integration_test.go
@@ -88,7 +88,7 @@ func TestAllowedClone(t *testing.T) {
 	require.NoError(t, ensureGitalyRepository(t, apiResponse))
 
 	// Prepare test server and backend
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
@@ -112,7 +112,7 @@ func TestAllowedShallowClone(t *testing.T) {
 	require.NoError(t, ensureGitalyRepository(t, apiResponse))
 
 	// Prepare test server and backend
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
@@ -136,7 +136,7 @@ func TestAllowedPush(t *testing.T) {
 	require.NoError(t, ensureGitalyRepository(t, apiResponse))
 
 	// Prepare the test server and backend
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
diff --git a/gitaly_test.go b/gitaly_test.go
index ad42f739f3dd02da23d4fce6813563daa858a045..91f663d096c34abb8d924393ab065294917fa719 100644
--- a/gitaly_test.go
+++ b/gitaly_test.go
@@ -43,7 +43,7 @@ func TestFailedCloneNoGitaly(t *testing.T) {
 	}
 
 	// Prepare test server and backend
-	ts := testAuthServer(nil, 200, authBody)
+	ts := testAuthServer(nil, nil, 200, authBody)
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
@@ -78,7 +78,7 @@ func TestGetInfoRefsProxiedToGitalySuccessfully(t *testing.T) {
 		t.Run(fmt.Sprintf("ShowAllRefs=%v,gitRpc=%v", tc.showAllRefs, tc.gitRpc), func(t *testing.T) {
 			apiResponse.ShowAllRefs = tc.showAllRefs
 
-			ts := testAuthServer(nil, 200, apiResponse)
+			ts := testAuthServer(nil, nil, 200, apiResponse)
 			defer ts.Close()
 
 			ws := startWorkhorseServer(ts.URL)
@@ -118,7 +118,7 @@ func TestGetInfoRefsProxiedToGitalyInterruptedStream(t *testing.T) {
 	gitalyAddress := "unix:" + socketPath
 	apiResponse.GitalyServer.Address = gitalyAddress
 
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 
 	ws := startWorkhorseServer(ts.URL)
@@ -153,7 +153,7 @@ func TestPostReceivePackProxiedToGitalySuccessfully(t *testing.T) {
 
 	apiResponse.GitalyServer.Address = "unix:" + socketPath
 	apiResponse.GitConfigOptions = []string{"git-config-hello=world"}
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 
 	ws := startWorkhorseServer(ts.URL)
@@ -196,7 +196,7 @@ func TestPostReceivePackProxiedToGitalyInterrupted(t *testing.T) {
 	defer gitalyServer.Stop()
 
 	apiResponse.GitalyServer.Address = "unix:" + socketPath
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 
 	ws := startWorkhorseServer(ts.URL)
@@ -246,7 +246,7 @@ func TestPostUploadPackProxiedToGitalySuccessfully(t *testing.T) {
 			defer gitalyServer.Stop()
 
 			apiResponse.GitalyServer.Address = "unix:" + socketPath
-			ts := testAuthServer(nil, 200, apiResponse)
+			ts := testAuthServer(nil, nil, 200, apiResponse)
 			defer ts.Close()
 
 			ws := startWorkhorseServer(ts.URL)
@@ -295,7 +295,7 @@ func TestPostUploadPackProxiedToGitalyInterrupted(t *testing.T) {
 	defer gitalyServer.Stop()
 
 	apiResponse.GitalyServer.Address = "unix:" + socketPath
-	ts := testAuthServer(nil, 200, apiResponse)
+	ts := testAuthServer(nil, nil, 200, apiResponse)
 	defer ts.Close()
 
 	ws := startWorkhorseServer(ts.URL)
diff --git a/main_test.go b/main_test.go
index c1a7e5b7af23a877b10636f618f72f97b52eeac2..9e7f032010230c16b8e2b3f840ca48618e4192e3 100644
--- a/main_test.go
+++ b/main_test.go
@@ -9,6 +9,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -59,7 +60,7 @@ func TestDeniedClone(t *testing.T) {
 	require.NoError(t, os.RemoveAll(scratchDir))
 
 	// Prepare test server and backend
-	ts := testAuthServer(nil, 403, "Access denied")
+	ts := testAuthServer(nil, nil, 403, "Access denied")
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
@@ -73,7 +74,7 @@ func TestDeniedClone(t *testing.T) {
 
 func TestDeniedPush(t *testing.T) {
 	// Prepare the test server and backend
-	ts := testAuthServer(nil, 403, "Access denied")
+	ts := testAuthServer(nil, nil, 403, "Access denied")
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
@@ -491,10 +492,21 @@ func newBranch() string {
 	return fmt.Sprintf("branch-%d", time.Now().UnixNano())
 }
 
-func testAuthServer(url *regexp.Regexp, code int, body interface{}) *httptest.Server {
+func testAuthServer(url *regexp.Regexp, params url.Values, code int, body interface{}) *httptest.Server {
 	return testhelper.TestServerWithHandler(url, func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", api.ResponseContentType)
 
+		if params != nil {
+			currentParams := r.URL.Query()
+			for key := range params {
+				if currentParams.Get(key) != params.Get(key) {
+					log.Println("UPSTREAM", r.Method, r.URL, "DENY", "invalid auth server params")
+					w.WriteHeader(http.StatusForbidden)
+					return
+				}
+			}
+		}
+
 		// Write pure string
 		if data, ok := body.(string); ok {
 			log.Println("UPSTREAM", r.Method, r.URL, code)
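Review bot: The parameter check added inside `if params != nil` compares `currentParams.Get(key) != params.Get(key)`, but `Get` returns an empty string for both a missing key and an empty value, and it only looks at the first value of a key. A test that expects an empty or multi-valued parameter would therefore still pass when the request to this mock auth server omits it, which weakens the one place these tests verify what is forwarded to the authorization backend. Comparing the full value slices, e.g. `if !reflect.DeepEqual(currentParams[key], params[key]) {` (adding the `reflect` import if main_test.go does not already have it), closes that gap, and including `key` in the DENY log line would make a mismatch easier to diagnose. Separately, the `url *regexp.Regexp` parameter now shadows the newly imported `net/url` package inside the function body, so renaming it (for instance to `urlPattern`) would avoid confusion. The body of testAuthServer continues past the end of this hunk.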