diff --git a/tests/http-api.spec.ts b/tests/http-api.spec.ts
index ecb4302..e8a35d4 100644
--- a/tests/http-api.spec.ts
+++ b/tests/http-api.spec.ts
@@ -418,6 +418,45 @@ describe('http api', function () {
       expect(response.body.id).to.equal(requestId);
       expect(response.body.result.reply.status.code).to.equal(401);
     });
+
+    it('rejects TOS acceptance with incorrect hash', async function () {
+      const hash = createHash('sha256');
+      hash.update('i do not agree');
+
+      const p = await createProfile();
+
+      const acceptResponse = await fetch('http://localhost:3000/register/tos', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          did: p.did,
+          tosHash: hash.digest('hex'),
+        }),
+      });
+      expect(acceptResponse.status).to.equal(400);
+      await tenantGate.authorizeTenantPOW(p.did);
+
+      const recordsQuery = await RecordsQuery.create({
+        filter: { schema: 'woosa' },
+        signer: p.signer,
+      });
+
+      const requestId = uuidv4();
+      const dwnRequest = createJsonRpcRequest(requestId, 'dwn.processMessage', {
+        message: recordsQuery.toJSON(),
+        target: p.did,
+      });
+
+      const rpcResponse = await request(httpApi.api)
+        .post('/')
+        .set('dwn-request', JSON.stringify(dwnRequest))
+        .send();
+
+      console.log(rpcResponse.body.result.reply.status);
+      expect(rpcResponse.statusCode).to.equal(200);
+      expect(rpcResponse.body.id).to.equal(requestId);
+      expect(rpcResponse.body.result.reply.status.code).to.equal(401);
+    });
   });
 
   describe('/ (rpc)', function () {