diff --git a/pkg/session/session_test.go b/pkg/session/session_test.go
index 9105869..9964541 100644
--- a/pkg/session/session_test.go
+++ b/pkg/session/session_test.go
@@ -66,3 +66,23 @@ func TestSessionTokenEncoding(t *testing.T) {
 		require.Equal(t, tok, tok2)
 	})
 }
+
+func TestToken_VerifySignature(t *testing.T) {
+	t.Run("nil", func(t *testing.T) {
+		var tok *session.Token
+
+		require.False(t, tok.VerifySignature())
+	})
+
+	t.Run("unsigned", func(t *testing.T) {
+		tok := sessiontest.Generate()
+
+		require.False(t, tok.VerifySignature())
+	})
+
+	t.Run("signed", func(t *testing.T) {
+		tok := sessiontest.GenerateSigned()
+
+		require.True(t, tok.VerifySignature())
+	})
+}
diff --git a/pkg/session/test/token.go b/pkg/session/test/token.go
index 3924984..8d51720 100644
--- a/pkg/session/test/token.go
+++ b/pkg/session/test/token.go
@@ -11,6 +11,8 @@ import (
 )
 
 // Generate returns random session.Token.
+//
+// Resulting token is unsigned.
 func Generate() *session.Token {
 	tok := session.NewToken()
 
@@ -33,3 +35,17 @@ func Generate() *session.Token {
 
 	return tok
 }
+
+// GenerateSigned returns signed random session.Token.
+//
+// Panics if token could not be signed (actually unexpected).
+func GenerateSigned() *session.Token {
+	tok := Generate()
+
+	err := tok.Sign(test.DecodeKey(0))
+	if err != nil {
+		panic(err)
+	}
+
+	return tok
+}