diff --git a/tests/add-email-with-assertion-test.js b/tests/add-email-with-assertion-test.js
new file mode 100755
index 0000000000000000000000000000000000000000..502241d75918d49fd2a696486e599309d0e55cf3
--- /dev/null
+++ b/tests/add-email-with-assertion-test.js
@@ -0,0 +1,209 @@
+#!/usr/bin/env node
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla BrowserID.
+ *
+ * The Initial Developer of the Original Code is Mozilla.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+require('./lib/test_env.js');
+
+const assert =
+require('assert'),
+vows = require('vows'),
+start_stop = require('./lib/start-stop.js'),
+wsapi = require('./lib/wsapi.js'),
+db = require('../lib/db.js'),
+config = require('../lib/configuration.js'),
+jwk = require('jwcrypto/jwk.js'),
+jwt = require('jwcrypto/jwt.js'),
+vep = require('jwcrypto/vep.js'),
+jwcert = require('jwcrypto/jwcert.js'),
+http = require('http'),
+querystring = require('querystring'),
+path = require("path");
+
+var suite = vows.describe('auth-with-assertion');
+
+// disable vows (often flakey?) async error behavior
+suite.options.error = false;
+
+start_stop.addStartupBatches(suite);
+
+const TEST_DOMAIN = 'example.domain',
+      TEST_EMAIL = 'testuser@' + TEST_DOMAIN,
+      TEST_ORIGIN = 'http://127.0.0.1:10002',
+      TEST_FIRST_ACCT = 'testuser@fake.domain';
+
+// This test will excercise the ability to add an email to an
+// account using an assertion from a primary
+
+// now we need to generate a keypair and a certificate
+// signed by our in tree authority
+var g_keypair, g_cert;
+
+suite.addBatch({
+  "generating a keypair": {
+    topic: function() {
+      return jwk.KeyPair.generate("DS", 256)
+    },
+    "succeeds": function(r, err) {
+      assert.isObject(r);
+      assert.isObject(r.publicKey);
+      assert.isObject(r.secretKey);
+      g_keypair = r;
+    }
+  }
+});
+
+// for this trick we'll need the "secret" key of our built in
+// primary
+var g_privKey = jwk.SecretKey.fromSimpleObject(
+  JSON.parse(require('fs').readFileSync(
+    path.join(__dirname, '..', 'example', 'primary', 'sample.privatekey'))));
+
+
+suite.addBatch({
+  "generting a certificate": {
+    topic: function() {
+      var domain = process.env['SHIMMED_DOMAIN'];
+
+      var expiration = new Date();
+      expiration.setTime(new Date().valueOf() + 60 * 60 * 1000);
+      g_cert = new jwcert.JWCert(TEST_DOMAIN, expiration, new Date(),
+                                 g_keypair.publicKey, {email: TEST_EMAIL}).sign(g_privKey);
+      return g_cert;
+    },
+    "works swimmingly": function(cert, err) {
+      assert.isString(cert);
+      assert.lengthOf(cert.split('.'), 3);
+    }
+  }
+});
+
+// now let's generate an assertion using the cert
+suite.addBatch({
+  "generating an assertion": {
+    topic: function() {
+      var expirationDate = new Date(new Date().getTime() + (2 * 60 * 1000));
+      var tok = new jwt.JWT(null, expirationDate, TEST_ORIGIN);
+      return vep.bundleCertsAndAssertion([g_cert], tok.sign(g_keypair.secretKey));
+    },
+    "succeeds": function(r, err) {
+      assert.isString(r);
+      g_assertion = r;
+    }
+  }
+});
+
+suite.addBatch({
+  "adding this email via assertion": {
+    topic: function(assertion)  {
+      wsapi.post('/wsapi/add_email_with_assertion', {
+        assertion: g_assertion
+      }).call(this);
+    },
+    "fails if not authenticated": function(r, err) {
+      assert.strictEqual(r.code, 400);
+    }
+  }
+});
+
+// create a new account via the api with
+suite.addBatch({
+  "stage an account": {
+    topic: wsapi.post('/wsapi/stage_user', {
+      email: TEST_FIRST_ACCT,
+      site:'fakesite.com'
+    }),
+    "works": function(r, err) {
+      assert.strictEqual(r.code, 200);
+    },
+    "and a token": {
+      topic: function() {
+        start_stop.waitForToken(this.callback);
+      },
+      "is obtained": function (t) {
+        assert.strictEqual(typeof t, 'string');
+      },
+      "can be used": {
+        topic: function(token) {
+          wsapi.post('/wsapi/complete_user_creation', { token: token, pass: 'fakepass' }).call(this);
+        },
+        "to verify email ownership": function(r, err) {
+          assert.equal(r.code, 200);
+          assert.strictEqual(JSON.parse(r.body).success, true);
+          token = undefined;
+        }
+      }
+    }
+  }
+});
+
+suite.addBatch({
+  "adding this email via assertion": {
+    topic: function(assertion)  {
+      wsapi.post('/wsapi/add_email_with_assertion', {
+        assertion: g_assertion
+      }).call(this);
+    },
+    "works once we are authenticated": function(r, err) {
+      var resp = JSON.parse(r.body);
+      assert.isObject(resp);
+      assert.isTrue(resp.success);
+    }
+  }
+});
+
+suite.addBatch({
+  "list emails": {
+    topic: wsapi.get('/wsapi/list_emails', {}),
+    "succeeds with HTTP 200" : function(r, err) {
+      assert.strictEqual(r.code, 200);
+    },
+    "returns an object with what we'd expect": function(r, err) {
+      var respObj = JSON.parse(r.body);
+      var emails = Object.keys(respObj);
+      assert.strictEqual(emails.length, 2)
+      assert.ok(emails.indexOf(TEST_EMAIL) != -1);
+      assert.ok(emails.indexOf(TEST_FIRST_ACCT) != -1);
+      assert.equal(respObj[TEST_EMAIL].type, "primary");
+      assert.equal(respObj[TEST_FIRST_ACCT].type, "secondary");
+    }
+  }
+});
+
+start_stop.addShutdownBatches(suite);
+
+// run or export the suite.
+if (process.argv[1] === __filename) suite.run();
+else suite.export(module);