diff --git a/src/app/api/config.test.ts b/src/app/api/config.test.ts
index 503d0b2a521e..298448fc8db6 100644
--- a/src/app/api/config.test.ts
+++ b/src/app/api/config.test.ts
@@ -1,5 +1,6 @@
 import { describe, expect, it, vi } from 'vitest';
 
+import { checkAuth } from './auth';
 import { getPreferredRegion } from './config';
 
 // Stub the global process object to safely mock environment variables
@@ -40,3 +41,38 @@ describe('getPreferredRegion', () => {
     expect(preferredRegion).toStrictEqual(['ida1', 'sfo1']);
   });
 });
+
+describe('ACCESS_CODE', () => {
+  let auth = false;
+
+  beforeEach(() => {
+    auth = false;
+    // Reset environment variables before each test case
+    vi.restoreAllMocks();
+  });
+
+  it('set multiple access codes', () => {
+    process.env.ACCESS_CODE = 'code1,code2,code3';
+    ({ auth } = checkAuth({ accessCode: 'code1' }));
+    expect(auth).toBe(true);
+    ({ auth } = checkAuth({ accessCode: 'code2' }));
+    expect(auth).toBe(true);
+    ({ auth } = checkAuth({ accessCode: 'code1,code2' }));
+    expect(auth).toBe(false);
+  });
+
+  it('set individual access code', () => {
+    process.env.ACCESS_CODE = 'code1';
+    ({ auth } = checkAuth({ accessCode: 'code1' }));
+    expect(auth).toBe(true);
+    ({ auth } = checkAuth({ accessCode: 'code2' }));
+    expect(auth).toBe(false);
+  });
+
+  it('no access code', () => {
+    ({ auth } = checkAuth({ accessCode: 'code1' }));
+    expect(auth).toBe(true);
+    ({ auth } = checkAuth({}));
+    expect(auth).toBe(true);
+  });
+});