diff --git a/test/integration/loginrequest_test.go b/test/integration/loginrequest_test.go
index e3b7f86b..132da669 100644
--- a/test/integration/loginrequest_test.go
+++ b/test/integration/loginrequest_test.go
@@ -8,6 +8,7 @@ package integration
 import (
 "context"
 "encoding/json"
+ "net/http"
 "os"
 "testing"
 "time"
@@ -49,14 +50,34 @@ func TestSuccessfulLoginRequest(t *testing.T) {
 require.Empty(t, response.Spec)
 require.NotNil(t, response.Status.Credential)
- require.NotEmpty(t, response.Status.Credential.Token)
- require.Empty(t, response.Status.Credential.ClientCertificateData)
- require.Empty(t, response.Status.Credential.ClientKeyData)
+ require.Empty(t, response.Status.Credential.Token)
+ require.NotEmpty(t, response.Status.Credential.ClientCertificateData)
+ require.NotEmpty(t, response.Status.Credential.ClientKeyData)
 require.Nil(t, response.Status.Credential.ExpirationTimestamp)
 require.NotNil(t, response.Status.User)
 require.NotEmpty(t, response.Status.User.Name)
 require.Contains(t, response.Status.User.Groups, "tmc:member")
+
+ clientWithCert := library.NewClientsetWithConfig(
+ t,
+ library.NewClientConfigWithCertAndKey(
+ t,
+ response.Status.Credential.ClientCertificateData,
+ response.Status.Credential.ClientKeyData,
+ ),
+ )
+ ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+ defer cancel()
+
+ _, err = clientWithCert.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
+
+ // Response status should be 403 Forbidden because we assume this actor does
+ // not have any permissions on this cluster.
+ require.Error(t, err)
+ statusError, isStatus := err.(*errors.StatusError)
+ require.True(t, isStatus)
+ require.Equal(t, http.StatusForbidden, statusError.Status().Code)
 }
 func TestFailedLoginRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTheUser(t *testing.T) {
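Review bot: `require.Equal(t, http.StatusForbidden, statusError.Status().Code)` compares an `int` with an `int32` — the untyped constant is boxed as `int`, `metav1.Status.Code` is `int32`, and testify's `Equal` ends in `reflect.DeepEqual`, which treats values of different types as unequal — so this assertion should fail even on a genuine 403; use `require.EqualValues(t, http.StatusForbidden, statusError.Status().Code)` or compare `int(statusError.Status().Code)`. A 403 on its own also does not prove the returned certificate was accepted: on a cluster with anonymous auth enabled (the default), a rejected client cert falls through to `system:anonymous`, which is likewise forbidden from listing namespaces, so the test would pass with an unusable credential. The API server's forbidden message names the authenticated user, so adding `require.Contains(t, statusError.Status().Message, response.Status.User.Name)` pins that the cert authenticated as the user the LoginRequest reported, and the comment above could say so, e.g. `// 403 (not 401) plus our user name in the message shows the cert authenticated and only RBAC denied the list.` If `errors` here is the apimachinery package, `errors.IsForbidden(err)` would replace the type assertion and the `isStatus` check. TestSuccessfulLoginRequest and the earlier declaration of `err` begin before this hunk.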
@@ -74,7 +95,7 @@ func TestFailedLoginRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTh
 }
 func TestLoginRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T) {
- _, err := makeRequest(t, v1alpha1.LoginRequestSpec{
+ response, err := makeRequest(t, v1alpha1.LoginRequestSpec{
 Type: v1alpha1.TokenLoginCredentialType,
 Token: nil,
 })
@@ -88,6 +109,9 @@ func TestLoginRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T) {
 require.Equal(t, metav1.CauseType("FieldValueRequired"), cause.Type)
 require.Equal(t, "Required value: token must be supplied", cause.Message)
 require.Equal(t, "spec.token.value", cause.Field)
+
+ require.Empty(t, response.Spec)
+ require.Nil(t, response.Status.Credential)
 }
 func TestGetDiscovery(t *testing.T) {
diff --git a/test/library/client.go b/test/library/client.go
index 1df00147..308fbc5a 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -6,12 +6,14 @@ SPDX-License-Identifier: Apache-2.0
 package library
 import (
+ "encoding/base64"
 "testing"
 "github.com/stretchr/testify/require"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
+ clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 placeholdernameclientset "github.com/suzerain-io/placeholder-name-client-go/pkg/generated/clientset/versioned"
 )
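Review bot: `require.Empty(t, response.Spec)` and `require.Nil(t, response.Status.Credential)` dereference `response` after the test has already established that `makeRequest` returned an error; if the helper returns a nil response alongside that error (makeRequest is outside this hunk, so I cannot tell), these two lines panic instead of producing a readable test failure, and a `require.NotNil(t, response)` placed before them avoids that. The `Credential` check is the security-relevant assertion in this test, since a request rejected for a missing token must not carry a credential in its status, so it deserves a one-line comment, e.g. `// A rejected request must never carry a credential.` TestLoginRequest_ShouldFailWhenRequestDoesNotIncludeToken starts before this hunk.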
@@ -19,18 +21,40 @@ import (
 func NewClientConfig(t *testing.T) *rest.Config {
 t.Helper()
+ return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{})
+}
+
+func NewClientConfigWithCertAndKey(t *testing.T, cert, key string) *rest.Config {
+ t.Helper()
+
+ return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{
+ AuthInfo: clientcmdapi.AuthInfo{
+ ClientCertificateData: []byte(base64.StdEncoding.EncodeToString([]byte(cert))),
+ ClientKeyData: []byte(base64.StdEncoding.EncodeToString([]byte(key))),
+ },
+ })
+}
+
+func newClientConfigWithOverrides(t *testing.T, overrides *clientcmd.ConfigOverrides) *rest.Config {
+ t.Helper()
+
 loader := clientcmd.NewDefaultClientConfigLoadingRules()
- clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, &clientcmd.ConfigOverrides{})
+ clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, overrides)
 config, err := clientConfig.ClientConfig()
 require.NoError(t, err)
-
 return config
 }
 func NewClientset(t *testing.T) kubernetes.Interface {
 t.Helper()
- return kubernetes.NewForConfigOrDie(NewClientConfig(t))
+ return NewClientsetWithConfig(t, NewClientConfig(t))
+}
+
+func NewClientsetWithConfig(t *testing.T, config *rest.Config) kubernetes.Interface {
+ t.Helper()
+
+ return kubernetes.NewForConfigOrDie(config)
 }
 func NewPlaceholderNameClientset(t *testing.T) placeholdernameclientset.Interface {
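Review bot: `NewClientConfigWithCertAndKey` base64-encodes the certificate and key before storing them in `clientcmdapi.AuthInfo.ClientCertificateData` / `ClientKeyData`, but those fields hold the raw PEM bytes in memory; base64 is only how a kubeconfig serialises them on disk, and clientcmd copies override bytes verbatim into `rest.Config.TLSClientConfig.CertData`/`KeyData`, where the TLS key-pair parser expects PEM. Unless some override path I cannot see here decodes them, `kubernetes.NewForConfigOrDie` in `NewClientsetWithConfig` would presumably fail to parse the pair, and the fields should read `ClientCertificateData: []byte(cert),` and `ClientKeyData: []byte(key),` with `encoding/base64` dropped from the imports. The new exported helpers have no doc comments; e.g. `// NewClientConfigWithCertAndKey returns a rest.Config built from the default kubeconfig with the given PEM client certificate and key layered on as the user credentials.` The hunk ends on the signature of NewPlaceholderNameClientset, whose body is outside it.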