diff --git a/services/commtest/src/identity/device.rs b/services/commtest/src/identity/device.rs
--- a/services/commtest/src/identity/device.rs
+++ b/services/commtest/src/identity/device.rs
@@ -11,6 +11,7 @@
 DeviceKeyUpload, DeviceType, Empty, IdentityKeyInfo, OpaqueLoginFinishRequest, OpaqueLoginStartRequest, Prekey, RegistrationFinishRequest, RegistrationStartRequest,
+ VerifyUserAccessTokenRequest,
 };
 pub const PLACEHOLDER_CODE_VERSION: u64 = 0;
@@ -24,6 +25,16 @@
 pub access_token: String,
 }
+impl From<&DeviceInfo> for VerifyUserAccessTokenRequest {
+ fn from(value: &DeviceInfo) -> Self {
+ Self {
+ user_id: value.user_id.to_string(),
+ device_id: value.device_id.to_string(),
+ access_token: value.access_token.to_string(),
+ }
+ }
+}
+
 /// Register a new user with a device.
 /// - Gives random username (returned by function).
 /// - Device type defaults to keyserver.
diff --git a/services/commtest/tests/identity_access_tokens_tests.rs b/services/commtest/tests/identity_access_tokens_tests.rs
--- a/services/commtest/tests/identity_access_tokens_tests.rs
+++ b/services/commtest/tests/identity_access_tokens_tests.rs
@@ -1,7 +1,11 @@
 use commtest::identity::device::{
 register_user_device, DEVICE_TYPE, PLACEHOLDER_CODE_VERSION,
 };
+use commtest::identity::SigningCapableAccount;
 use commtest::service_addr;
+use grpc_clients::identity::protos::unauth::{
+ Empty, ExistingDeviceLoginRequest,
+};
 use grpc_clients::identity::{
 get_unauthenticated_client, protos::unauth::VerifyUserAccessTokenRequest,
 };
@@ -19,12 +23,7 @@
 .await
 .expect("Couldn't connect to identity service");
- let verify_request = VerifyUserAccessTokenRequest {
- user_id: device_info.user_id,
- device_id: device_info.device_id,
- access_token: device_info.access_token,
- };
-
+ let verify_request = VerifyUserAccessTokenRequest::from(&device_info);
 let response = identity_client
 .verify_user_access_token(verify_request)
 .await
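Review bot: In the new `From<&DeviceInfo>` impl in device.rs, `access_token` is declared `String` in the struct context just above, so `value.access_token.to_string()` is a clone spelled through `Display`; `value.access_token.clone()` states the intent directly. The same probably applies to `user_id` and `device_id`, but their declarations are outside the hunk. The impl also has no doc comment; a line such as `/// Builds a token-verification request from the credentials held in a DeviceInfo.` would make it clear that the request carries the device's stored access token.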
@@ -32,3 +31,58 @@
 assert!(response.into_inner().token_valid);
 }
+
+#[tokio::test]
+async fn refresh_token_test() {
+ let identity_grpc_endpoint = service_addr::IDENTITY_GRPC.to_string();
+ let mut client = get_unauthenticated_client(
+ &identity_grpc_endpoint,
+ PLACEHOLDER_CODE_VERSION,
+ DEVICE_TYPE.to_string(),
+ )
+ .await
+ .expect("Couldn't connect to identity service");
+
+ let mut account = SigningCapableAccount::new();
+ let client_keys = account.public_keys();
+ let user = register_user_device(Some(&client_keys), None).await;
+
+ // refresh session
+ let nonce = client
+ .generate_nonce(Empty {})
+ .await
+ .expect("failed to generate nonce")
+ .into_inner()
+ .nonce;
+ let challenge_response = account.sign_nonce(nonce);
+ let new_credentials = client
+ .log_in_existing_device(ExistingDeviceLoginRequest {
+ user_id: user.user_id.clone(),
+ device_id: user.device_id.clone(),
+ challenge_response,
+ })
+ .await
+ .expect("LogInExistingDevice call failed")
+ .into_inner();
+
+ // old token should now be invalid
+ let old_token_result = client
+ .verify_user_access_token(VerifyUserAccessTokenRequest::from(&user))
+ .await
+ .expect("failed to verify token")
+ .into_inner();
+ assert!(!old_token_result.token_valid);
+
+ // new token should be valid
+ let new_token_result = client
+ .verify_user_access_token(VerifyUserAccessTokenRequest {
+ user_id: new_credentials.user_id,
+ access_token: new_credentials.access_token,
+ device_id: user.device_id,
+ })
+ .await
+ .expect("failed to verify token")
+ .into_inner();
+
+ assert!(new_token_result.token_valid);
+}
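Review bot: `refresh_token_test` never checks that the token returned by `register_user_device` was valid before the refresh, so `assert!(!old_token_result.token_valid)` would also pass if the service rejected that token for a reason unrelated to the refresh. A baseline verification right after registration makes the later assertion demonstrate revocation on rotation rather than mere rejection. The two existing `assert!` calls would also read better on failure with messages, e.g. `assert!(!old_token_result.token_valid, "old token must be rejected after refresh");`. It may also be worth asserting that a second `log_in_existing_device` call reusing the same `challenge_response` fails, assuming the service treats nonces as single-use, which is not visible in this hunk.

```rust
  let user = register_user_device(Some(&client_keys), None).await;

  // baseline: the token issued at registration must be valid before refresh
  let initial_token_result = client
    .verify_user_access_token(VerifyUserAccessTokenRequest::from(&user))
    .await
    .expect("failed to verify token")
    .into_inner();
  assert!(
    initial_token_result.token_valid,
    "token issued at registration should be valid before refresh"
  );

  // … unchanged: nonce generation, signing and log_in_existing_device call …
```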