diff --git a/services/proxy/pkg/middleware/app_auth_test.go b/services/proxy/pkg/middleware/app_auth_test.go
new file mode 100644
index 0000000000..f2e4d8d6aa
--- /dev/null
+++ b/services/proxy/pkg/middleware/app_auth_test.go
@@ -0,0 +1,68 @@
+package middleware
+
+import (
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+	"google.golang.org/grpc"
+	"net/http"
+	"net/http/httptest"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+)
+
+var _ = Describe("Authenticating requests", Label("AppAuthAuthenticator"), func() {
+	var authenticator Authenticator
+	BeforeEach(func() {
+		pool.RemoveSelector("GatewaySelector" + "com.owncloud.api.gateway")
+		authenticator = AppAuthAuthenticator{
+			Logger: log.NewLogger(),
+			RevaGatewaySelector: pool.GetSelector[gateway.GatewayAPIClient](
+				"GatewaySelector",
+				"com.owncloud.api.gateway",
+				func(cc *grpc.ClientConn) gateway.GatewayAPIClient {
+					return mockGatewayClient{
+						AuthenticateFunc: func(authType, clientID, clientSecret string) (string, rpcv1beta1.Code) {
+							if authType != "appauth" {
+								return "", rpcv1beta1.Code_CODE_NOT_FOUND
+							}
+
+							if clientID == "test-user" && clientSecret == "AppPassword" {
+								return "reva-token", rpcv1beta1.Code_CODE_OK
+							}
+
+							return "", rpcv1beta1.Code_CODE_NOT_FOUND
+						},
+					}
+				},
+			),
+		}
+	})
+
+	When("the request contains correct data", func() {
+		It("should successfully authenticate", func() {
+			req := httptest.NewRequest(http.MethodGet, "http://example.com/example/path", http.NoBody)
+			req.SetBasicAuth("test-user", "AppPassword")
+
+			req2, valid := authenticator.Authenticate(req)
+
+			Expect(valid).To(Equal(true))
+			Expect(req2).ToNot(BeNil())
+			Expect(req2.Header.Get("x-access-token")).To(Equal("reva-token"))
+		})
+	})
+
+	When("the request contains incorrect data", func() {
+		It("should not successfully authenticate", func() {
+			req := httptest.NewRequest(http.MethodGet, "http://example.com/example/path", http.NoBody)
+			req.SetBasicAuth("test-user", "WrongAppPassword")
+
+			req2, valid := authenticator.Authenticate(req)
+
+			Expect(valid).To(Equal(false))
+			Expect(req2).To(BeNil())
+		})
+	})
+})
diff --git a/services/proxy/pkg/middleware/public_share_auth_test.go b/services/proxy/pkg/middleware/public_share_auth_test.go
index 4c07ffe061..9f748c4ed1 100644
--- a/services/proxy/pkg/middleware/public_share_auth_test.go
+++ b/services/proxy/pkg/middleware/public_share_auth_test.go
@@ -18,6 +18,7 @@ import (
 var _ = Describe("Authenticating requests", Label("PublicShareAuthenticator"), func() {
 	var authenticator Authenticator
 	BeforeEach(func() {
+		pool.RemoveSelector("GatewaySelector" + "com.owncloud.api.gateway")
 		authenticator = PublicShareAuthenticator{
 			Logger: log.NewLogger(),
 			RevaGatewaySelector: pool.GetSelector[gateway.GatewayAPIClient](