diff --git a/Cargo.lock b/Cargo.lock
index 800b145..df0f871 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -923,6 +923,7 @@ name = "server"
 version = "0.1.0"
 dependencies = [
  "base64",
+ "claims",
  "clap",
  "common",
  "miette",
diff --git a/server/Cargo.toml b/server/Cargo.toml
index fd4e851..8d0e5c6 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -16,6 +16,7 @@ tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
 uuid.workspace = true
+claims.workspace = true
 
 [lints]
 workspace = true
diff --git a/server/src/main.rs b/server/src/main.rs
index 675b84e..e4c18b1 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -183,3 +183,63 @@ async fn main() -> miette::Result<()> {
 
     Ok(run_server(args, tls_config).await?)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use claims::assert_ok;
+    use common::cert::CaCertificate;
+
+    #[test]
+    fn default_args() {
+        let args = Args::parse_from(["server"]);
+        assert_eq!(args.mode, KeyExchangeMode::X25519);
+        assert_eq!(args.listen.to_string(), "127.0.0.1:4433");
+    }
+
+    #[test]
+    fn custom_args() {
+        let args = Args::parse_from([
+            "server",
+            "--mode",
+            "x25519mlkem768",
+            "--listen",
+            "0.0.0.0:8080",
+        ]);
+        assert_eq!(args.mode, KeyExchangeMode::X25519Mlkem768);
+        assert_eq!(args.listen.to_string(), "0.0.0.0:8080");
+    }
+
+    #[test]
+    fn tls_config_x25519() {
+        let ca = assert_ok!(CaCertificate::generate(), "generate CA");
+        let server_cert = assert_ok!(ca.sign_server_cert("localhost"), "sign cert");
+        let config = assert_ok!(
+            build_tls_config(KeyExchangeMode::X25519, &server_cert),
+            "build config"
+        );
+        assert!(Arc::strong_count(&config) >= 1);
+    }
+
+    #[test]
+    fn tls_config_mlkem() {
+        let ca = assert_ok!(CaCertificate::generate(), "generate CA");
+        let server_cert = assert_ok!(ca.sign_server_cert("localhost"), "sign cert");
+        let config = assert_ok!(
+            build_tls_config(KeyExchangeMode::X25519Mlkem768, &server_cert),
+            "build config"
+        );
+        assert!(Arc::strong_count(&config) >= 1);
+    }
+
+    #[test]
+    fn tls_config_certificates() {
+        let ca = assert_ok!(CaCertificate::generate(), "generate CA");
+        let server_cert = assert_ok!(ca.sign_server_cert("localhost"), "sign cert");
+        let config = assert_ok!(
+            build_tls_config(KeyExchangeMode::X25519, &server_cert),
+            "build config"
+        );
+        assert!(Arc::strong_count(&config) >= 1);
+    }
+}