diff --git a/app/controllers/api/v1/registrant/confirms_controller.rb b/app/controllers/api/v1/registrant/confirms_controller.rb
index d03e7ab93..057400c8e 100644
--- a/app/controllers/api/v1/registrant/confirms_controller.rb
+++ b/app/controllers/api/v1/registrant/confirms_controller.rb
@@ -10,11 +10,16 @@ module Api
         before_action :verify_decision, only: %i[update]
 
         def index
-          render json: {
+          res = {
             domain_name: @domain.name,
             current_registrant: serialized_registrant(@domain.registrant),
-            new_registrant: serialized_registrant(@domain.pending_registrant),
           }
+
+          unless delete_action?
+            res[:new_registrant] = serialized_registrant(@domain.pending_registrant)
+          end
+
+          render json: res, status: :ok
         end
 
         def update
@@ -28,7 +33,7 @@ module Api
 
           render json: { domain_name: @domain.name,
                          current_registrant: serialized_registrant(current_registrant),
-                         status: params[:decision] }
+                         status: params[:decision] }, status: :ok
         end
 
         private
@@ -38,23 +43,27 @@ module Api
         end
 
         def current_registrant
-          approved? ? @domain.registrant : @domain.pending_registrant
+          confirmed? && !delete_action? ? @domain.pending_registrant : @domain.registrant
         end
 
-        def approved?
-          params[:decision] == 'confirmed'
+        def confirmed?
+          verify_params[:decision] == 'confirmed'
         end
 
         def change_action(verification)
-          return verification.domain_registrant_change_confirm!(initiator) if approved?
-
-          verification.domain_registrant_change_reject!(initiator)
+          if confirmed?
+            verification.domain_registrant_change_confirm!(initiator)
+          else
+            verification.domain_registrant_change_reject!(initiator)
+          end
         end
 
         def delete_action(verification)
-          return verification.domain_registrant_delete_confirm!(initiator) if approved?
-
-          verification.domain_registrant_delete_reject!(initiator)
+          if confirmed?
+            verification.domain_registrant_delete_confirm!(initiator)
+          else
+            verification.domain_registrant_delete_reject!(initiator)
+          end
         end
 
         def serialized_registrant(registrant)
@@ -67,9 +76,9 @@ module Api
 
         def verify_params
           params do |p|
-            p.require(:template)
             p.require(:name)
             p.require(:token)
+            p.permit(:decision)
           end
         end
 
@@ -82,7 +91,7 @@ module Api
         def verify_decision
           return if %w[confirmed rejected].include?(params[:decision])
 
-          head :bad_request
+          head :not_found
         end
 
         def set_domain
@@ -100,7 +109,7 @@ module Api
                      @domain.registrant_delete_confirmable?(verify_params[:token])
                    end
 
-          return unless action
+          return if action
 
           render json: { error: 'Application expired or not found' }, status: :unauthorized
         end
diff --git a/test/integration/api/registrant/registrant_api_verifications_test.rb b/test/integration/api/registrant/registrant_api_verifications_test.rb
new file mode 100644
index 000000000..b2333e560
--- /dev/null
+++ b/test/integration/api/registrant/registrant_api_verifications_test.rb
@@ -0,0 +1,259 @@
+require 'test_helper'
+require 'auth_token/auth_token_creator'
+
+class RegistrantApiVerificationsTest < ApplicationIntegrationTest
+  def setup
+    super
+
+    @domain = domains(:hospital)
+    @registrant = @domain.registrant
+    @new_registrant = contacts(:jack)
+
+    @token = 'verysecrettoken'
+
+    @domain.update(statuses: [DomainStatus::PENDING_UPDATE],
+      registrant_verification_asked_at: Time.zone.now - 1.day,
+      registrant_verification_token: @token)
+
+  end
+
+  def test_fetches_registrant_change_request
+    pending_json = { new_registrant_id: @new_registrant.id }
+    @domain.update(pending_json: pending_json)
+    @domain.reload
+
+    assert @domain.registrant_update_confirmable?(@token)
+
+    get "/api/v1/registrant/confirms/#{@domain.name_puny}/change/#{@token}"
+    assert_equal(200, response.status)
+
+    res = JSON.parse(response.body, symbolize_names: true)
+    expected_body = {
+      domain_name: "hospital.test",
+      current_registrant: {
+        name: @registrant.name,
+        ident: @registrant.ident,
+        country: @registrant.ident_country_code
+      },
+      new_registrant: {
+        name: @new_registrant.name,
+        ident: @new_registrant.ident,
+        country: @new_registrant.ident_country_code
+      }
+    }
+
+    assert_equal expected_body, res
+  end
+
+  def test_approves_registrant_change_request
+    pending_json = { new_registrant_id: @new_registrant.id }
+    @domain.update(pending_json: pending_json)
+    @domain.reload
+
+    assert @domain.registrant_update_confirmable?(@token)
+
+    post "/api/v1/registrant/confirms/#{@domain.name_puny}/change/#{@token}/confirmed"
+    assert_equal(200, response.status)
+
+    res = JSON.parse(response.body, symbolize_names: true)
+    expected_body = {
+      domain_name: @domain.name,
+      current_registrant: {
+        name: @new_registrant.name,
+        ident: @new_registrant.ident,
+        country: @new_registrant.ident_country_code
+      },
+      status: 'confirmed'
+    }
+
+    assert_equal expected_body, res
+  end
+
+  def test_rejects_registrant_change_request
+    pending_json = { new_registrant_id: @new_registrant.id }
+    @domain.update(pending_json: pending_json)
+    @domain.reload
+
+    assert @domain.registrant_update_confirmable?(@token)
+
+    post "/api/v1/registrant/confirms/#{@domain.name_puny}/change/#{@token}/rejected"
+    assert_equal(200, response.status)
+
+    res = JSON.parse(response.body, symbolize_names: true)
+    expected_body = {
+      domain_name: @domain.name,
+      current_registrant: {
+        name: @registrant.name,
+        ident: @registrant.ident,
+        country: @registrant.ident_country_code
+      },
+      status: 'rejected'
+    }
+
+    assert_equal expected_body, res
+  end
+
+  def test_registrant_change_requires_valid_attributes
+    pending_json = { new_registrant_id: @new_registrant.id }
+    @domain.update(pending_json: pending_json)
+    @domain.reload
+
+    get "/api/v1/registrant/confirms/#{@domain.name_puny}/change/123"
+    assert_equal 401, response.status
+
+    get "/api/v1/registrant/confirms/aohldfjg.ee/change/123"
+    assert_equal 404, response.status
+
+    post "/api/v1/registrant/confirms/#{@domain.name_puny}/change/#{@token}/invalidaction"
+    assert_equal 404, response.status
+  end
+
+  def test_fetches_domain_delete_request
+    @domain.update(statuses: [DomainStatus::PENDING_DELETE_CONFIRMATION])
+    @domain.reload
+
+    assert @domain.registrant_delete_confirmable?(@token)
+
+    get "/api/v1/registrant/confirms/#{@domain.name_puny}/delete/#{@token}"
+    assert_equal(200, response.status)
+
+    res = JSON.parse(response.body, symbolize_names: true)
+    expected_body = {
+      domain_name: "hospital.test",
+      current_registrant: {
+        name: @registrant.name,
+        ident: @registrant.ident,
+        country: @registrant.ident_country_code
+      }
+    }
+
+    assert_equal expected_body, res
+  end
+
+  def test_approves_domain_delete_request
+    @domain.update(statuses: [DomainStatus::PENDING_DELETE_CONFIRMATION])
+    @domain.reload
+
+    assert @domain.registrant_delete_confirmable?(@token)
+
+    post "/api/v1/registrant/confirms/#{@domain.name_puny}/delete/#{@token}/confirmed"
+    assert_equal(200, response.status)
+
+    res = JSON.parse(response.body, symbolize_names: true)
+    expected_body = {
+      domain_name: @domain.name,
+      current_registrant: {
+        name: @registrant.name,
+        ident: @registrant.ident,
+        country: @registrant.ident_country_code
+      },
+      status: 'confirmed'
+    }
+
+    assert_equal expected_body, res
+  end
+
+  def test_rejects_domain_delete_request
+    @domain.update(statuses: [DomainStatus::PENDING_DELETE_CONFIRMATION])
+    @domain.reload
+
+    assert @domain.registrant_delete_confirmable?(@token)
+
+    post "/api/v1/registrant/confirms/#{@domain.name_puny}/delete/#{@token}/rejected"
+    assert_equal(200, response.status)
+
+    res = JSON.parse(response.body, symbolize_names: true)
+    expected_body = {
+      domain_name: @domain.name,
+      current_registrant: {
+        name: @registrant.name,
+        ident: @registrant.ident,
+        country: @registrant.ident_country_code
+      },
+      status: 'rejected'
+    }
+
+    assert_equal expected_body, res
+  end
+
+  def test_domain_delete_requires_valid_attributes
+    @domain.update(statuses: [DomainStatus::PENDING_DELETE_CONFIRMATION, DomainStatus::PENDING_DELETE])
+    @domain.reload
+
+    get "/api/v1/registrant/confirms/#{@domain.name_puny}/delete/123"
+    assert_equal 401, response.status
+
+    get "/api/v1/registrant/confirms/aohldfjg.ee/delete/123"
+    assert_equal 404, response.status
+
+    post "/api/v1/registrant/confirms/#{@domain.name_puny}/delete/#{@token}/invalidaction"
+    assert_equal 404, response.status
+  end
+  #def test_get_non_existent_domain_details_by_uuid
+  #  get '/api/v1/registrant/domains/random-uuid', headers: @auth_headers
+  #  assert_equal(404, response.status)
+
+  #  response_json = JSON.parse(response.body, symbolize_names: true)
+  #  assert_equal({ errors: [base: ['Domain not found']] }, response_json)
+  #end
+
+  #def test_root_returns_domain_list
+  #  get '/api/v1/registrant/domains', headers: @auth_headers
+  #  assert_equal(200, response.status)
+
+  #  response_json = JSON.parse(response.body, symbolize_names: true)
+  #  array_of_domain_names = response_json.map { |x| x[:name] }
+  #  assert(array_of_domain_names.include?('hospital.test'))
+
+  #  array_of_domain_registrars = response_json.map { |x| x[:registrar] }
+  #  assert(array_of_domain_registrars.include?({name: 'Good Names', website: nil}))
+  #end
+
+  #def test_root_accepts_limit_and_offset_parameters
+  #  get '/api/v1/registrant/domains', params: { 'limit' => 2, 'offset' => 0 },
+  #      headers: @auth_headers
+  #  response_json = JSON.parse(response.body, symbolize_names: true)
+
+  #  assert_equal(200, response.status)
+  #  assert_equal(2, response_json.count)
+
+  #  get '/api/v1/registrant/domains', headers: @auth_headers
+  #  response_json = JSON.parse(response.body, symbolize_names: true)
+
+  #  assert_equal(4, response_json.count)
+  #end
+
+  #def test_root_does_not_accept_limit_higher_than_200
+  #  get '/api/v1/registrant/domains', params: { 'limit' => 400, 'offset' => 0 },
+  #      headers: @auth_headers
+
+  #  assert_equal(400, response.status)
+  #  response_json = JSON.parse(response.body, symbolize_names: true)
+  #  assert_equal({ errors: [{ limit: ['parameter is out of range'] }] }, response_json)
+  #end
+
+  #def test_root_does_not_accept_offset_lower_than_0
+  #  get '/api/v1/registrant/domains', params: { 'limit' => 200, 'offset' => "-10" },
+  #      headers: @auth_headers
+
+  #  assert_equal(400, response.status)
+  #  response_json = JSON.parse(response.body, symbolize_names: true)
+  #  assert_equal({ errors: [{ offset: ['parameter is out of range'] }] }, response_json)
+  #end
+
+  #def test_root_returns_401_without_authorization
+  #  get '/api/v1/registrant/domains'
+  #  assert_equal(401, response.status)
+  #  json_body = JSON.parse(response.body, symbolize_names: true)
+
+  #  assert_equal({ errors: [base: ['Not authorized']] }, json_body)
+  #end
+
+  #def test_details_returns_401_without_authorization
+  #  get '/api/v1/registrant/domains/5edda1a5-3548-41ee-8b65-6d60daf85a37'
+  #  assert_equal(401, response.status)
+  #  json_body = JSON.parse(response.body, symbolize_names: true)
+
+  #  assert_equal({ errors: [base: ['Not authorized']] }, json_body)
+  #end
+end