diff --git a/client/client_test.go b/client/client_test.go
index 850d958b4..b3d36cb50 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -24,6 +24,7 @@ import (
 "github.com/hashicorp/nomad/testutil"
 "github.com/mitchellh/hashstructure"
 "github.com/stretchr/testify/assert"
+ "golang.org/x/crypto/blake2b"
 
 ctestutil "github.com/hashicorp/nomad/client/testutil"
 )
@@ -962,3 +963,48 @@ func TestClient_BlockedAllocations(t *testing.T) {
 <-ar.WaitCh()
 }
 }
+
+func TestClient_ValidateMigrateToken_ValidToken(t *testing.T) {
+ t.Parallel()
+ assert := assert.New(t)
+
+ c := testClient(t, func(c *config.Config) {
+ c.ACLEnabled = true
+ })
+ defer c.Shutdown()
+
+ alloc := mock.Alloc()
+ h, err := blake2b.New512([]byte(c.secretNodeID()))
+ assert.Nil(err)
+
+ h.Write([]byte(alloc.ID))
+ validToken := string(h.Sum(nil))
+
+ assert.Equal(c.ValidateMigrateToken(alloc.ID, validToken), true)
+}
+
+func TestClient_ValidateMigrateToken_InvalidToken(t *testing.T) {
+ t.Parallel()
+ assert := assert.New(t)
+
+ c := testClient(t, func(c *config.Config) {
+ c.ACLEnabled = true
+ })
+ defer c.Shutdown()
+
+ assert.Equal(c.ValidateMigrateToken("", ""), false)
+
+ alloc := mock.Alloc()
+ assert.Equal(c.ValidateMigrateToken(alloc.ID, alloc.ID), false)
+ assert.Equal(c.ValidateMigrateToken(alloc.ID, ""), false)
+}
+
+func TestClient_ValidateMigrateToken_ACLDisabled(t *testing.T) {
+ t.Parallel()
+ assert := assert.New(t)
+
+ c := testClient(t, func(c *config.Config) {})
+ defer c.Shutdown()
+
+ assert.Equal(c.ValidateMigrateToken("", ""), true)
+}
diff --git a/command/agent/alloc_endpoint_test.go b/command/agent/alloc_endpoint_test.go
index ab552e1ac..c8556b1c9 100644
--- a/command/agent/alloc_endpoint_test.go
+++ b/command/agent/alloc_endpoint_test.go
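Review bot: In client/client_test.go, TestClient_ValidateMigrateToken_InvalidToken only tries an empty token and the bare alloc ID, so nothing checks that a correctly derived token is rejected when it is presented for a different allocation. That is the case showing the token is bound to the alloc ID rather than merely well-formed; the extra negative case below covers it, assuming `mock.Alloc()` returns a fresh ID on each call. Separately, TestClient_ValidateMigrateToken_ValidToken passes the raw digest as `string(h.Sum(nil))`; ValidateMigrateToken itself is not part of this diff, so whether the token is meant to travel unencoded is worth confirming. `assert.True`/`assert.False` would also read more directly than `assert.Equal(..., true)`, which has expected and actual swapped.

```go
	alloc := mock.Alloc()
	// … unchanged: alloc.ID-as-token and empty-token cases …

	// A well-formed token derived for another allocation must not validate here.
	other := mock.Alloc()
	h, err := blake2b.New512([]byte(c.secretNodeID()))
	assert.Nil(err)
	h.Write([]byte(other.ID))
	otherToken := string(h.Sum(nil))
	assert.False(c.ValidateMigrateToken(alloc.ID, otherToken))
```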
@@ -316,6 +316,24 @@ func TestHTTP_AllocSnapshot(t *testing.T) {
 })
 }
 
+func TestHTTP_AllocSnapshot_WithMigrateToken(t *testing.T) {
+ t.Parallel()
+ assert := assert.New(t)
+ httpACLTest(t, nil, func(s *TestAgent) {
+ // TODO add an allocation, assert it is returned
+
+ // Request without a token succeeds
+ req, err := http.NewRequest("GET", "/v1/client/allocation/123/snapshot", nil)
+ assert.Nil(err)
+
+ // Make the unauthorized request
+ respW := httptest.NewRecorder()
+ _, err = s.Server.ClientAllocRequest(respW, req)
+ assert.NotNil(err)
+ assert.Contains(err.Error(), "invalid migrate token")
+ })
+}
+
 func TestHTTP_AllocGC(t *testing.T) {
 t.Parallel()
 httpTest(t, nil, func(s *TestAgent) {
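Review bot: The comment `// Request without a token succeeds` in TestHTTP_AllocSnapshot_WithMigrateToken says the opposite of what the test asserts, which is that the request fails with "invalid migrate token"; it should read `// Request without a migrate token is rejected`. Despite its name the test never sends a token, so the accepting path of the snapshot endpoint stays untested until the TODO is resolved. A case that creates an allocation and presents its derived token would close that gap. Because `assert.NotNil(err)` does not stop the test, the `err.Error()` call on the next line panics if err is nil; wrapping it as `if assert.NotNil(err) { assert.Contains(err.Error(), "invalid migrate token") }` keeps the failure readable.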