diff --git a/browserid/lib/fake_verification.js b/browserid/lib/fake_verification.js
new file mode 100644
index 0000000000000000000000000000000000000000..8fcafc904c408918c0c058d74a530a0c31ebfe21
--- /dev/null
+++ b/browserid/lib/fake_verification.js
@@ -0,0 +1,78 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla BrowserID.
+ *
+ * The Initial Developer of the Original Code is Mozilla.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *  Lloyd Hilaiel <lloyd@hilaiel.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* This little module will, when included, hook the email verification system
+ * and instead of sending emails will make verification tokens available
+ * via the WSAPI.  This is *highly* insecure and should only be used when
+ * testing (performance or otherwise).
+ */
+
+const
+email = require('./email.js'),
+configuration = require('../../libs/configuration.js'),
+url = require('url');
+
+// a paranoid check of the configuration.  This module should only
+// be included when in a testing environment
+var c = configuration.get('env');
+if (!/^test_/.test(c)) {
+  console.log("FATAL ERROR: you're using fake verification in a configuration that you shouldn't");
+  console.log("stop including fake_verification.js.  it's not safe here.");
+  process.exit(1);
+} else {
+  console.log("HEAR YE: Fake verfication enabled, aceess via /wsapi/fake_verification?email=foo@bar.com");
+}
+
+// we store outstanding tokens in memory, folks.  
+var tokens = { };
+
+// set up an interceptor
+email.setInterceptor(function(email, site, secret) {
+  tokens[email] = secret;
+});
+
+exports.addVerificationWSAPI = function(app) {
+  app.get('/wsapi/fake_verification', function(req, res) {
+    var email = url.parse(req.url, true).query['email'];
+    if (tokens.hasOwnProperty(email)) {
+      res.write(tokens[email]);
+      delete tokens[email];
+    } else {
+      res.writeHead(400, {"Content-Type": "text/plain"});
+    }
+    res.end();
+  });
+};
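Review bot: `tokens` is a plain object keyed by a caller-supplied address, and the lookup `tokens.hasOwnProperty(email)` calls a method through that same object. If an address such as `hasOwnProperty` is ever staged (whether upstream validation prevents this is not visible here), the interceptor replaces the method with a string and the next GET throws; a `__proto__` key is likewise not stored as an own property. Creating the store with `var tokens = Object.create(null);` and testing with `Object.prototype.hasOwnProperty.call(tokens, email)` avoids both. The success branch also writes the secret without an explicit status or `Content-Type`, unlike the 400 branch; `res.writeHead(200, {"Content-Type": "text/plain"});` before `res.write` would make the two consistent.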
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 2a4cf09283a27db6e0c3a78d8a83c994290b1415..d9bb8f2da4136a506258c3f07c476f9534134e52 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -321,6 +321,13 @@ function setup(app) {
       }
     });
   });
+
+  // if the BROWSERID_FAKE_VERIFICATION env var is defined, we'll include
+  // fake_verification.js.  This is used during testing only and should
+  // never be included in a production deployment
+  if (process.env['BROWSERID_FAKE_VERIFICATION']) {
+    require('./fake_verification.js').addVerificationWSAPI(app);
+  }
 }
 
 exports.setup = setup;
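Review bot: The gate `if (process.env['BROWSERID_FAKE_VERIFICATION'])` is true for any non-empty value, so `BROWSERID_FAKE_VERIFICATION=0` or `=false` still loads the module. The env var is therefore not the real protection. That is the check inside fake_verification.js, which exits the process unless the configured `env` matches `/^test_/`, so a stray variable in production stops the server at setup rather than exposing the endpoint. The comment should record that, for example `// fake_verification.js exits the process unless configuration 'env' starts with test_`. The body of `setup` begins outside the hunk.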
diff --git a/performance/lib/test.js b/performance/lib/test.js
index e88531b1194e7a8ac93db129e23e6f1f446232c4..71424c6d64ad5c85ddf6d2d821a5921e316f1f3d 100644
--- a/performance/lib/test.js
+++ b/performance/lib/test.js
@@ -15,5 +15,10 @@ wcli.post(cfg, '/wsapi/stage_user', ctx, {
   pubkey: 'fakepubkey',
   site:'fakesite.com'
 }, function (r) {
-  console.log(r.body);
+  // now get the verification secret
+  wcli.get(cfg, '/wsapi/fake_verification', ctx, {
+    email: "first@fakeemail.com"
+  }, function (r) {
+    console.log(r);
+  });
 });
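Review bot: The inner callback reuses the name `r`, shadowing the `stage_user` response, and that outer response is no longer inspected. A failed staging call therefore only shows up as an unexplained 400 from `/wsapi/fake_verification`. Checking the staging response before issuing the GET, and naming the inner parameter differently (for example `function (vr)`), would make failures readable. `console.log(r)` prints the whole response, including the verification secret, which is tolerable only because the endpoint exists solely in `test_*` environments. The enclosing `wcli.post` call starts outside the hunk.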
diff --git a/performance/lib/wsapi_client.js b/performance/lib/wsapi_client.js
index 4772632c21043ab67aba294db7e75d7313086acb..8500aa7babc2eea5b44be189688b371b69ac8241 100644
--- a/performance/lib/wsapi_client.js
+++ b/performance/lib/wsapi_client.js
@@ -69,7 +69,7 @@ function extractCookies(ctx, res) {
   }
 }
 
-exports.get = function(cfg, path, context, cb) {
+exports.get = function(cfg, path, context, getArgs, cb) {
   // parse the server URL (cfg.browserid)
   var uObj;
   var meth;
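Review bot: Inserting `getArgs` before `cb` in `exports.get` changes the meaning of the fourth positional argument, so any caller still using the four-argument form passes its callback as `getArgs` and leaves `cb` undefined. Only the `withCSRF` call site is updated in this diff; whether other callers exist is not visible here. A shim at the top of the body keeps the old form working: `if (typeof getArgs === 'function') { cb = getArgs; getArgs = undefined; }`. A short comment on the signature stating that `getArgs` is an optional object of query parameters would also help. The function body continues outside the hunk.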
@@ -84,6 +84,9 @@ exports.get = function(cfg, path, context, cb) {
   var headers = { };
   injectCookies(context, headers);
 
+  if (typeof getArgs === 'object')
+    path += "?" + querystring.stringify(getArgs);
+
   meth.get({
     host: uObj.hostname,
     port: uObj.port,
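Review bot: The check `typeof getArgs === 'object'` is also true for `null`, in which case a bare `?` is appended to the path; `if (getArgs && typeof getArgs === 'object')` avoids that. The append also assumes `path` carries no query string of its own, which holds for the callers shown in this diff. `querystring` is not required in any visible hunk, so confirm the file already has it in scope. The enclosing function starts and ends outside the hunk.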
@@ -104,7 +107,7 @@ exports.get = function(cfg, path, context, cb) {
 function withCSRF(cfg, context, cb) {
   if (context.csrf) cb(context.csrf);
   else {
-    exports.get(cfg, '/wsapi/csrf', context, function(r) {
+    exports.get(cfg, '/wsapi/csrf', context, undefined, function(r) {
       context.csrf = r.body;
       cb(context.csrf);
     });