diff --git a/services/identity/src/http/handlers.rs b/services/identity/src/http/handlers.rs
new file mode 100644
index 000000000..93dcbadaa
--- /dev/null
+++ b/services/identity/src/http/handlers.rs
@@ -0,0 +1,50 @@
+use super::{
+ errors::{create_error_response, http400},
+ ErrorResponse, HttpRequest,
+};
+use comm_lib::auth::UserIdentity;
+use hyper::header::AUTHORIZATION;
+use hyper::StatusCode;
+use tracing::error;
+
+#[tracing::instrument(skip_all)]
+async fn verify_csat(
+ req: &HttpRequest,
+ db_client: &crate::DatabaseClient,
+) -> Result<(), ErrorResponse> {
+ let Some(auth_header) = req.headers().get(AUTHORIZATION) else {
+ return Err(create_error_response(
+ StatusCode::UNAUTHORIZED,
+ "missing Authorization header",
+ ));
+ };
+
+ let bearer_token = auth_header
+ .to_str()
+ .map_err(|_| http400("malformed Authorization header"))?
+ .strip_prefix("Bearer ")
+ .ok_or_else(|| http400("malformed Authorization header"))?;
+
+ let UserIdentity {
+ user_id,
+ device_id,
+ access_token,
+ } = bearer_token
+ .parse()
+ .map_err(|_| http400("malformed Authorization header"))?;
+
+ let result = db_client
+ .verify_access_token(user_id, device_id, access_token)
+ .await;
+ match result {
+ Ok(true) => Ok(()),
+ Ok(false) => Err(create_error_response(
+ StatusCode::FORBIDDEN,
+ "invalid credentials",
+ )),
+ Err(err) => {
+ error!("CSAT verification error: {err:?}");
+ Err(err.into())
+ }
+ }
+}
diff --git a/services/identity/src/http/mod.rs b/services/identity/src/http/mod.rs
index 62c6cc61d..a85440e0c 100644
--- a/services/identity/src/http/mod.rs
+++ b/services/identity/src/http/mod.rs
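Review bot: A token that fails verification (`Ok(false)` in the `match` at the end of the hunk) is answered with `StatusCode::FORBIDDEN`, but what was rejected is the credential itself rather than the caller's permissions, so the RFC 7235/6750 status for that case is 401 like the missing-header branch above it; I would change that arm to `StatusCode::UNAUTHORIZED` and have both 401 responses carry a `WWW-Authenticate: Bearer` header, which `create_error_response` does not appear to add (its body is outside this hunk). Keeping 403 for "authenticated but not allowed" then lets clients and monitoring distinguish the two failure modes. `strip_prefix("Bearer ")` is a case-sensitive match while the auth-scheme token is case-insensitive per RFC 7235, which is acceptable if only the project's own clients call this endpoint but deserves a comment saying so. Separately, `verify_csat` is private and nothing in this commit calls it, so it will trip `dead_code` until a handler uses it, presumably in a follow-up. The function also has no doc comment; something like `/// Verifies the request's Authorization: Bearer CSAT against the database; the Err value is the HTTP error response to send.` would state its contract.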
@@ -1,24 +1,25 @@ use hyper::{Body, Request, Response}; mod errors; +mod handlers; type HttpRequest = Request; type HttpResponse = Response; type ErrorResponse = Result; /// Main router for HTTP requests #[tracing::instrument(skip_all, name = "http_request", fields(request_id))] pub(super) async fn handle_http_request( req: HttpRequest, _db_client: crate::DatabaseClient, ) -> Result { tracing::Span::current() .record("request_id", uuid::Uuid::new_v4().to_string()); let response = match req.uri().path() { "/health" => Response::new(Body::from("OK")), _ => errors::http404("Not found")?, }; Ok(response) }