diff --git a/stock_vertical_lift/controllers/main.py b/stock_vertical_lift/controllers/main.py
index 9a11fb152..2b883457a 100644
--- a/stock_vertical_lift/controllers/main.py
+++ b/stock_vertical_lift/controllers/main.py
@@ -1,6 +1,8 @@
 import logging
 import os
 
+from werkzeug.exceptions import Unauthorized
+
 from odoo import http
 from odoo.http import request
 
@@ -10,13 +12,12 @@ _logger = logging.getLogger(__name__)
 class VerticalLiftController(http.Controller):
     @http.route(["/vertical-lift"], type="http", auth="public", csrf=False)
     def vertical_lift(self, answer, secret):
-        if secret == os.environ.get("VERTICAL_LIFT_SECRET", ""):
+        if secret == self._get_env_secret():
             rec = request.env["vertical.lift.command"].sudo().record_answer(answer)
             return str(rec.id)
         else:
-            _logger.error(
-                "secret mismatch: %r != %r",
-                secret,
-                os.environ.get("VERTICAL_LIFT_SECRET", ""),
-            )
-            raise http.AuthenticationError()
+            _logger.error("secret mismatch: %r", secret)
+            return Unauthorized()
+
+    def _get_env_secret(self):
+        return os.environ.get("VERTICAL_LIFT_SECRET", "")
diff --git a/stock_vertical_lift/tests/__init__.py b/stock_vertical_lift/tests/__init__.py
index d60c8112e..387122277 100644
--- a/stock_vertical_lift/tests/__init__.py
+++ b/stock_vertical_lift/tests/__init__.py
@@ -3,3 +3,4 @@ from . import test_location
 from . import test_inventory
 from . import test_pick
 from . import test_put
+from . import test_controller
diff --git a/stock_vertical_lift/tests/test_controller.py b/stock_vertical_lift/tests/test_controller.py
new file mode 100644
index 000000000..9e44e2b3b
--- /dev/null
+++ b/stock_vertical_lift/tests/test_controller.py
@@ -0,0 +1,46 @@
+# Copyright 2022 Camptocamp SA
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import os
+import unittest
+
+import mock
+
+from odoo.tests.common import HttpSavepointCase
+from odoo.tools import mute_logger
+
+CTRL_PATH = "odoo.addons.stock_vertical_lift.controllers.main.VerticalLiftController"
+
+
+@unittest.skipIf(os.getenv("SKIP_HTTP_CASE"), "HttpCase skipped")
+class TestController(HttpSavepointCase):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.shuttle = cls.env.ref(
+            "stock_vertical_lift.stock_vertical_lift_demo_shuttle_1"
+        )
+
+    @mute_logger("werkzeug")
+    def test_fail(self):
+        data = {"answer": "got it!", "secret": "wrong"}
+        with self.assertLogs(level="ERROR") as log_catcher:
+            response = self.url_open("/vertical-lift", data=data)
+            self.assertEqual(response.status_code, 401)
+            logger = "odoo.addons.stock_vertical_lift.controllers.main:secret"
+            self.assertEqual(log_catcher.output[0], f"ERROR:{logger} mismatch: 'wrong'")
+
+    def test_record_answer(self):
+        self.shuttle.command_ids.create(
+            {
+                "shuttle_id": self.shuttle.id,
+                "command": "0|test|1",
+            }
+        )
+        with mock.patch(CTRL_PATH + "._get_env_secret") as mocked:
+            mocked.return_value = "SECRET"
+            data = {"answer": "0|test|2", "secret": "SECRET"}
+            response = self.url_open("/vertical-lift", data=data)
+            self.assertEqual(response.status_code, 200)
+            self.shuttle.command_ids.invalidate_cache()
+            self.assertEqual(self.shuttle.command_ids[0].answer, data["answer"])