diff --git a/test/integration/epp/domain/info/base_test.rb b/test/integration/epp/domain/info/base_test.rb
index d94fe8dfd..a112ed840 100644
--- a/test/integration/epp/domain/info/base_test.rb
+++ b/test/integration/epp/domain/info/base_test.rb
@@ -6,8 +6,7 @@ class EppDomainInfoBaseTest < ApplicationIntegrationTest
domains(:shop).update_columns(statuses: [DomainStatus::OK],
created_at: Time.zone.parse('2010-07-05'),
updated_at: Time.zone.parse('2010-07-06'),
- valid_to: Time.zone.parse('2010-07-07'),
- transfer_code: 'transfer-001')
+ valid_to: Time.zone.parse('2010-07-07'))
request_xml = <<-XML
@@ -33,6 +32,78 @@ class EppDomainInfoBaseTest < ApplicationIntegrationTest
assert_equal '2010-07-05T00:00:00+03:00', response_xml.at_xpath('//domain:crDate', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text
assert_equal '2010-07-06T00:00:00+03:00', response_xml.at_xpath('//domain:upDate', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text
assert_equal '2010-07-07T00:00:00+03:00', response_xml.at_xpath('//domain:exDate', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text
- assert_equal 'transfer-001', response_xml.at_xpath('//domain:authInfo/domain:pw', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text
+ end
+
+ def test_reveals_transfer_code_when_domain_is_owned_by_current_user
+ assert_equal '65078d5', domains(:shop).transfer_code
+
+ request_xml = <<-XML
+
+
+
+
+
+ shop.test
+
+
+
+
+ XML
+
+ post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => 'session=api_bestnames'
+
+ response_xml = Nokogiri::XML(response.body)
+ assert_equal '65078d5', response_xml.at_xpath('//domain:authInfo/domain:pw', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text
+ end
+
+ # Transfer code is the only info we conceal from other registrars, hence a bit oddly-looking
+ # test name
+ def test_reveals_transfer_code_when_domain_is_not_owned_by_current_user_and_transfer_code_is_provided
+ assert_equal '65078d5', domains(:shop).transfer_code
+
+ request_xml = <<-XML
+
+
+
+
+
+ shop.test
+
+ 65078d5
+
+
+
+
+
+ XML
+
+ post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => 'session=api_goodnames'
+
+ response_xml = Nokogiri::XML(response.body)
+ assert_equal '65078d5', response_xml.at_xpath('//domain:authInfo/domain:pw', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text
+ end
+
+ def test_conceals_transfer_code_when_domain_is_not_owned_by_current_user
+ request_xml = <<-XML
+
+
+
+
+
+ shop.test
+
+
+
+
+
+
+
+ XML
+
+ post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => 'session=api_goodnames'
+
+ response_xml = Nokogiri::XML(response.body)
+ assert_nil response_xml.at_xpath('//domain:authInfo/domain:pw',
+ 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd')
end
end
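Review bot: `test_conceals_transfer_code_when_domain_is_not_owned_by_current_user` can pass vacuously, because `assert_nil` on `//domain:authInfo/domain:pw` also holds when the request is rejected or comes back as an error frame with no domain data at all. Pin a successful info response before asserting the node is absent, for example `assert_equal 'shop.test', response_xml.at_xpath('//domain:name', 'domain' => 'https://epp.tld.ee/schema/domain-eis-1.0.xsd').text`, assuming the response carries `domain:name` alongside the `crDate`/`exDate` fields checked earlier. The suite also lacks the negative case that matters most for this access rule: a non-owner (`session=api_goodnames`) supplying an incorrect transfer code, which should get the same `assert_nil` result. The request bodies are not fully visible here, so the concealing test appears to cover only a missing or empty code. The first test method touched by this hunk begins outside it.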