diff --git a/app/controllers/repp/v1/contacts_controller.rb b/app/controllers/repp/v1/contacts_controller.rb
index 6321f2a40..0b52505b0 100644
--- a/app/controllers/repp/v1/contacts_controller.rb
+++ b/app/controllers/repp/v1/contacts_controller.rb
@@ -81,7 +81,7 @@ module Repp
 def find_contact
 code = params[:id]
- @contact = Epp::Contact.find_by!(code: code)
+ @contact = Epp::Contact.find_by!(code: code, registrar: current_user.registrar)
 end
 def contact_params_with_address
diff --git a/test/integration/repp/v1/contacts_test.rb b/test/integration/repp/v1/contacts/list_test.rb
similarity index 90%
rename from test/integration/repp/v1/contacts_test.rb
rename to test/integration/repp/v1/contacts/list_test.rb
index 353cb3758..31c4baaf9 100644
--- a/test/integration/repp/v1/contacts_test.rb
+++ b/test/integration/repp/v1/contacts/list_test.rb
@@ -1,6 +1,6 @@
 require 'test_helper'
-class ReppV1ContactsTest < ActionDispatch::IntegrationTest
+class ReppV1ContactsListTest < ActionDispatch::IntegrationTest
 def setup
 @user = users(:api_bestnames)
 token = Base64.encode64("#{@user.username}:#{@user.plain_text_password}")
@@ -34,7 +34,7 @@ class ReppV1ContactsTest < ActionDispatch::IntegrationTest
 assert json[:contacts][0].is_a? Hash
 end
- def test_respects_limit_in_registrar_contact_list
+ def test_respects_limit
 get repp_v1_contacts_path(details: true, limit: 2), headers: @auth_headers
 json = JSON.parse(response.body, symbolize_names: true)
@@ -43,7 +43,7 @@ class ReppV1ContactsTest < ActionDispatch::IntegrationTest
 assert_equal 2, json[:contacts].length
 end
- def test_respects_offset_in_registrar_contact_list
+ def test_respects_offset
 offset = 1
 get repp_v1_contacts_path(details: true, offset: offset), headers: @auth_headers
 json = JSON.parse(response.body, symbolize_names: true)
diff --git a/test/integration/repp/v1/contacts/show_test.rb b/test/integration/repp/v1/contacts/show_test.rb
new file mode 100644
index 000000000..3fd782cca
--- /dev/null
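Review bot: The new `registrar: current_user.registrar` condition in find_contact fails open if `current_user.registrar` is ever nil, because ActiveRecord turns a nil value into an `IS NULL` match and the lookup would then return contacts that have no registrar instead of raising not-found. Whether an API user can exist without a registrar is not visible in this hunk, so either confirm that invariant or guard it with `raise ActiveRecord::RecordNotFound unless current_user.registrar` before the lookup. The line also deserves a why-comment such as `# Scope by registrar: another registrar's contact code must look like a missing object (404)`, since this is the object-level authorization check for the endpoint. Which actions run find_contact is decided outside the hunk, so the scoping of update and delete cannot be confirmed from here.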
+++ b/test/integration/repp/v1/contacts/show_test.rb
@@ -0,0 +1,45 @@
+require 'test_helper'
+
+class ReppV1ContactsShowTest < ActionDispatch::IntegrationTest
+ def setup
+ @user = users(:api_bestnames)
+ token = Base64.encode64("#{@user.username}:#{@user.plain_text_password}")
+ token = "Basic #{token}"
+
+ @auth_headers = { 'Authorization' => token }
+ end
+
+ def test_returns_error_when_not_found
+ get repp_v1_contact_path(id: 'definitelynotexistant'), headers: @auth_headers
+ json = JSON.parse(response.body, symbolize_names: true)
+
+ assert_response :not_found
+ assert_equal 2303, json[:code]
+ assert_equal 'Object does not exist', json[:message]
+ end
+
+ def test_shows_existing_contact
+ contact = @user.registrar.contacts.first
+
+ get repp_v1_contact_path(id: contact.code), headers: @auth_headers
+ json = JSON.parse(response.body, symbolize_names: true)
+
+ assert_response :ok
+ assert_equal 1000, json[:code]
+ assert_equal 'Command completed successfully', json[:message]
+
+ assert_equal contact.code, json[:data][:code]
+ end
+
+ def test_can_not_access_out_of_scope_contacts
+ # Contact of registrar goodnames, we're using bestnames API credentials
+ contact = contacts(:jack)
+
+ get repp_v1_contact_path(id: contact.code), headers: @auth_headers
+ json = JSON.parse(response.body, symbolize_names: true)
+
+ assert_response :not_found
+ assert_equal 2303, json[:code]
+ assert_equal 'Object does not exist', json[:message]
+ end
+end
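Review bot: The cross-registrar check in test_can_not_access_out_of_scope_contacts covers only GET show, while the scoped lookup sits in find_contact, which presumably also loads the contact for update and delete (the controller's callback list is not visible here); the same out-of-scope request should be asserted for every action that resolves a contact by code. The test also depends on the `contacts(:jack)` fixture belonging to a different registrar, which only the comment states today; making that precondition explicit with `assert_not_equal @user.registrar, contact.registrar` keeps a fixture change from quietly changing what the test proves. If the error envelope omits `data`, `assert_nil json[:data]` would additionally pin that the 404 body carries no fields of the other registrar's contact.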