diff --git a/internal/api/photo_unstack_test.go b/internal/api/photo_unstack_test.go
index 7203b2e05..8841c1f3b 100644
--- a/internal/api/photo_unstack_test.go
+++ b/internal/api/photo_unstack_test.go
@@ -25,4 +25,12 @@ func TestPhotoUnstack(t *testing.T) {
 		assert.Equal(t, http.StatusNotFound, r.Code)
 		// t.Logf("RESP: %s", r.Body.String())
 	})
+
+	t.Run("not existing file", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		PhotoUnstack(router)
+		r := PerformRequest(app, "POST", "/api/v1/photos/pt9jtdre2lvl0yh7/files/xxx/unstack")
+		assert.Equal(t, http.StatusNotFound, r.Code)
+		// t.Logf("RESP: %s", r.Body.String())
+	})
 }
diff --git a/internal/api/session_test.go b/internal/api/session_test.go
index f222f4657..e04e62fa9 100644
--- a/internal/api/session_test.go
+++ b/internal/api/session_test.go
@@ -22,6 +22,18 @@ func TestCreateSession(t *testing.T) {
 		r := PerformRequestWithBody(app, "POST", "/api/v1/session", `{"username": 123, "password": "xxx"}`)
 		assert.Equal(t, http.StatusBadRequest, r.Code)
 	})
+	t.Run("invalid token", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateSession(router)
+		r := PerformRequestWithBody(app, "POST", "/api/v1/session", `{"username": "admin", "password": "photoprism", "token": "xxx"}`)
+		assert.Equal(t, http.StatusBadRequest, r.Code)
+	})
+	t.Run("valid token", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateSession(router)
+		r := PerformRequestWithBody(app, "POST", "/api/v1/session", `{"username": "admin", "password": "photoprism", "token": "1jxf3jfn2k"}`)
+		assert.Equal(t, http.StatusOK, r.Code)
+	})
 	t.Run("invalid password", func(t *testing.T) {
 		app, router, _ := NewApiTest()
 		CreateSession(router)