diff --git a/server/files.go b/server/files.go
index c08a697..6d16b01 100644
--- a/server/files.go
+++ b/server/files.go
@@ -33,7 +33,7 @@ type UploadOutput struct {
 Body struct {
 ID string `json:"id"`
 URL string `json:"url"`
- Expires int `json:"expires"`
+ Expires int64 `json:"expires"`
 }
 }
@@ -44,6 +44,10 @@ func isAuthenticated(authorization string) bool {
 return false
 }
+ if len(authorization) != len(BEARER_PREFIX)+len(CONFIG.Upload.AdminToken) {
+ return false
+ }
+
 if authorization[:len(BEARER_PREFIX)] == BEARER_PREFIX {
 header_token := authorization[len(BEARER_PREFIX):]
@@ -86,7 +90,7 @@ func Upload(ctx context.Context, input *UploadInput) (*UploadOutput, error) {
 resp := &UploadOutput{}
 resp.Body.ID = file_id.String()
 resp.Body.URL = fmt.Sprintf("%s/%s", CONFIG.Upload.BaseURL, file_id.String())
- resp.Body.Expires = int(expires.Unix())
+ resp.Body.Expires = expires.Unix()
 return resp, nil
 }
diff --git a/server/producer_test.go b/server/producer_test.go
index ba2b597..0e357ce 100644
--- a/server/producer_test.go
+++ b/server/producer_test.go
@@ -32,7 +32,7 @@ func assertRespCode(t *testing.T, resp *httptest.ResponseRecorder, expected_code
 return resp
 }
-func uploadData(t *testing.T, api humatest.TestAPI, data []byte, filename string) UploadOutput {
+func uploadData(t *testing.T, api humatest.TestAPI, data []byte, filename string, admin bool, expires int) UploadOutput {
 buf := new(bytes.Buffer)
 multipart_writer := multipart.NewWriter(buf)
 fwriter, err := multipart_writer.CreateFormFile("file", filename)
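Review bot: In `isAuthenticated` (server/files.go), the added length guard is measured against `len(CONFIG.Upload.AdminToken)`, so with an unset admin token a header that is exactly `BEARER_PREFIX` has the accepted length and goes on to the token comparison. The early return above the hunk may already reject an empty configured token, but it is not visible here; if it does not, add `if CONFIG.Upload.AdminToken == "" { return false }` ahead of the length check. The comparison of `header_token` also lies outside the hunk; now that both sides are guaranteed to have equal length, it should be `subtle.ConstantTimeCompare([]byte(header_token), []byte(CONFIG.Upload.AdminToken)) == 1` rather than `==`, if that is not already the case. A short comment on the guard, such as `// reject early; this also keeps the prefix slice below in bounds`, would record why it exists.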
@@ -47,11 +47,24 @@ func uploadData(t *testing.T, api humatest.TestAPI, data []byte, filename string
 multipart_writer.Close()
- headers := "Content-Type: multipart/form-data; boundary=" + multipart_writer.Boundary()
- resp := assertRespCode(t,
- api.Post("/", headers, buf),
- 200,
- )
+ content_type_headers := "Content-Type: multipart/form-data; boundary=" + multipart_writer.Boundary()
+ var resp *httptest.ResponseRecorder
+ if admin {
+ resp = assertRespCode(t,
+ api.Post("/",
+ content_type_headers,
+ fmt.Sprintf("Authorization: Bearer %s", CONFIG.Upload.AdminToken),
+ fmt.Sprintf("Expires: %d", expires),
+ buf,
+ ),
+ 200,
+ )
+ } else {
+ resp = assertRespCode(t,
+ api.Post("/", content_type_headers, buf),
+ 200,
+ )
+ }
 data_upload := UploadOutput{}
 dec := json.NewDecoder(resp.Body)
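Review bot: The two branches in `uploadData` repeat the same `assertRespCode(..., 200)` call and differ only in the extra headers; building the argument list once keeps the helper shorter and makes it obvious what the admin path adds. `api.Post` is already called here with a mix of header strings and the body buffer, so the arguments can presumably be collected in a slice and spread. Separately, `expires int` could be `int64` to match the new type of `UploadOutput.Body.Expires`. `uploadData` starts above this hunk and continues below it.

```go
content_type_headers := "Content-Type: multipart/form-data; boundary=" + multipart_writer.Boundary()
args := []any{content_type_headers}
if admin {
	args = append(args,
		fmt.Sprintf("Authorization: Bearer %s", CONFIG.Upload.AdminToken),
		fmt.Sprintf("Expires: %d", expires),
	)
}
args = append(args, buf)
resp := assertRespCode(t, api.Post("/", args...), 200)
// … unchanged: decoding the response body into UploadOutput …
```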
@@ -66,11 +79,70 @@ func TestUploadDownload(t *testing.T) {
 test_data := []byte("hello world")
 mime := mimetype.Detect(test_data)
 filename := "test file"
- upload_data := uploadData(t, api, test_data, filename)
+ upload_data := uploadData(t, api, test_data, filename, false, 0)
 expected_expires := time.Now().Add(time.Duration(CONFIG.Upload.DefaultExpirationTime) * time.Second).Unix()
- if expected_expires+1 < int64(upload_data.Body.Expires) || expected_expires-1 > int64(upload_data.Body.Expires) {
+ if expected_expires+1 < upload_data.Body.Expires || expected_expires-1 > upload_data.Body.Expires {
+ t.Fatalf("Expected expire value of %d (+-1), found %d", expected_expires, upload_data.Body.Expires)
+ }
+
+ path := fmt.Sprintf("/%s", upload_data.Body.ID)
+ resp := assertRespCode(t, api.Get(path), 200)
+
+ data := make([]byte, 1024)
+ n, err := resp.Body.Read(data)
+ if err != nil {
+ panic(err)
+ }
+
+ if n != len(test_data) {
+ t.Fatal("downloaded data has a different size")
+ }
+
+ if bytes.Compare(test_data, data[:n]) != 0 {
+ t.Fatal("downloaded data is different")
+ }
+
+ res := resp.Result()
+ content_disposition_header := res.Header["Content-Disposition"][0]
+ content_type := res.Header["Content-Type"][0]
+
+ if content_type == "" {
+ t.Fatal("Content-Type header is not set")
+ }
+
+ if content_type != mime.String() {
+ t.Fatalf("Content-Type header is not the detected file type: %s != %s", content_type, mime.String())
+ }
+
+ matched, _ := regexp.MatchString(
+ fmt.Sprintf("filename=\"%s\"", regexp.QuoteMeta(url.PathEscape(filename))),
+ content_disposition_header,
+ )
+
+ if !matched {
+ t.Fatalf(
+ "filename is not set in content disposition header: %s",
+ content_disposition_header,
+ )
+ }
+
+}
+
+func TestAdminUploadDownload(t *testing.T) {
+ api := getTestAPI(t)
+
+ CONFIG.Upload.AdminToken = "verysecuretoken"
+
+ test_data := []byte("hello world")
+ mime := mimetype.Detect(test_data)
+ filename := "test file"
+ upload_data := uploadData(t, api, test_data, filename, true, 0)
+
+ expected_expires := int64(0)
+
+ if expected_expires+1 < upload_data.Body.Expires || expected_expires-1 > upload_data.Body.Expires {
 t.Fatalf("Expected expire value of %d (+-1), found %d", expected_expires, upload_data.Body.Expires)
 }
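Review bot: `TestAdminUploadDownload` assigns `CONFIG.Upload.AdminToken = "verysecuretoken"` on the package-level config and never restores it, so every test that runs afterwards sees an admin token that its own setup did not configure. Save and restore it, e.g. `prev := CONFIG.Upload.AdminToken` followed by `t.Cleanup(func() { CONFIG.Upload.AdminToken = prev })`. The commit also adds no test for the rejection path of the new length check in `isAuthenticated`: a wrong token of the same length, a token of a different length and a header without `BEARER_PREFIX` are the cases worth pinning, though `uploadData` asserts 200 unconditionally and would need an expected-status argument for that. With `expected_expires := int64(0)` the ±1 window no longer accounts for clock skew; if an exact 0 is what the server returns, `if upload_data.Body.Expires != 0` states the expectation directly. The body of `TestAdminUploadDownload` continues past the end of this hunk.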