diff --git a/app/helpers/epp/contacts_helper.rb b/app/helpers/epp/contacts_helper.rb
index 034814092..89a255dbb 100644
--- a/app/helpers/epp/contacts_helper.rb
+++ b/app/helpers/epp/contacts_helper.rb
@@ -1,18 +1,15 @@
 module Epp::ContactsHelper
   def create_contact
     @contact = Contact.new( contact_and_address_attributes )
-    stamp @contact
-    if @contact.save
-      render '/epp/contacts/create'
-    else
-      handle_errors(@contact)
-    end
+    render '/epp/contacts/create' and return if stamp(@contact) && @contact.save
+
+    handle_errors(@contact)
   end
 
   def update_contact
     code = params_hash['epp']['command']['update']['update'][:id]
     @contact = Contact.where(code: code).first
-    if stamp(@contact) && @contact.update_attributes(contact_and_address_attributes(:update))
+    if has_rights? && stamp(@contact) && @contact.update_attributes(contact_and_address_attributes(:update))
       render 'epp/contacts/update'
     else
       epp_errors << { code: '2303', msg: t('errors.messages.epp_obj_does_not_exist'), value: { obj: 'id', val: code } } if @contact == []
@@ -22,6 +19,7 @@ module Epp::ContactsHelper
 
   def delete_contact
     #no deleting, implement PaperTrail or something similar. 
+    #TODO check for relation before 'destroying'
     @contact = find_contact
     handle_errors(@contact) and return unless @contact
     @contact.destroy
@@ -47,12 +45,10 @@ module Epp::ContactsHelper
   def validate_contact_create_request
     @ph = params_hash['epp']['command']['create']['create']
     xml_attrs_present?(@ph, [['id'], 
-                             ['postalInfo'], 
+                             ['authInfo', 'pw'],
                              ['postalInfo', 'name'], 
-                             ['postalInfo', 'addr'],
                              ['postalInfo', 'addr', 'city'], 
-                             ['postalInfo', 'addr', 'cc'], 
-                             ['authInfo']])
+                             ['postalInfo', 'addr', 'cc']])
   end
   
   ## UPDATE
@@ -89,6 +85,14 @@ module Epp::ContactsHelper
     contact
   end
 
+  def has_rights?
+    authInfo = @ph.try(:[], :authInfo).try(:[], :pw) || @ph.try(:[], :chg).try(:[], :authInfo).try(:[], :pw) || []
+    id = @ph[:id]
+    return true if (id && authInfo && find_contact.auth_info == authInfo)
+
+    epp_errors << { code: '2201', msg: t('errors.messages.epp_authorization_error'), value: { obj: 'pw', val: authInfo } }
+    return false
+  end
 
   def contact_and_address_attributes( type=:create )
     case type
@@ -105,13 +109,6 @@ module Epp::ContactsHelper
     contact_hash
   end
 
-  def has_rights
-    if @contact.created_by.registrar == current_epp_user.registrar
-      return true
-    end
-    return false
-  end
-
   def ident_type
     result = params[:frame].slice(/(?<=\<ns2:ident type=)(.*)(?=<)/)
 
diff --git a/db/migrate/20140815114000_add_auth_info_to_contact.rb b/db/migrate/20140815114000_add_auth_info_to_contact.rb
new file mode 100644
index 000000000..efe504068
--- /dev/null
+++ b/db/migrate/20140815114000_add_auth_info_to_contact.rb
@@ -0,0 +1,5 @@
+class AddAuthInfoToContact < ActiveRecord::Migration
+  def change
+    add_column :contacts, :auth_info, :string
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index ee21f0ba8..71db15ed3 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20140815110028) do
+ActiveRecord::Schema.define(version: 20140815114000) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -43,6 +43,7 @@ ActiveRecord::Schema.define(version: 20140815110028) do
     t.string   "org_name"
     t.integer  "created_by_id"
     t.integer  "updated_by_id"
+    t.string   "auth_info"
   end
 
   create_table "countries", force: true do |t|
diff --git a/spec/epp/contact_spec.rb b/spec/epp/contact_spec.rb
index bc28db8de..5b73ef54b 100644
--- a/spec/epp/contact_spec.rb
+++ b/spec/epp/contact_spec.rb
@@ -7,6 +7,7 @@ describe 'EPP Contact', epp: true do
     before(:each) { Fabricate(:epp_user) }
 
     context 'create command' do
+
       it "fails if request is invalid" do
         response = epp_request(contact_create_xml( { authInfo: [false], addr: { cc: false, city: false } }  ), :xml)
 
@@ -14,9 +15,9 @@ describe 'EPP Contact', epp: true do
         expect(response[:results][1][:result_code]).to eq('2003')
         expect(response[:results][2][:result_code]).to eq('2003')
 
-        expect(response[:results][0][:msg]).to eq('Required parameter missing: city')
-        expect(response[:results][1][:msg]).to eq('Required parameter missing: cc')
-        expect(response[:results][2][:msg]).to eq('Required parameter missing: authInfo')
+        expect(response[:results][0][:msg]).to eq('Required parameter missing: pw')
+        expect(response[:results][1][:msg]).to eq('Required parameter missing: city')
+        expect(response[:results][2][:msg]).to eq('Required parameter missing: cc')
         expect(response[:results].count).to eq 3
       end
 
@@ -37,7 +38,6 @@ describe 'EPP Contact', epp: true do
         expect(Contact.first.address.street).to eq('123 Example Dr.')
         expect(Contact.first.address.street2).to eq('Suite 100')
         expect(Contact.first.address.street3).to eq nil
-
       end
 
       it 'returns result data upon success' do
@@ -77,7 +77,16 @@ describe 'EPP Contact', epp: true do
         expect(response[:results][0][:msg]).to eq('Required parameter missing: id')
         expect(response[:results].count).to eq 1
       end
-  
+
+      it 'fails with wrong authentication info' do
+        Fabricate(:contact, code: 'sh8013', auth_info: 'secure_password')
+
+        response = epp_request('contacts/update.xml')
+
+        expect(response[:msg]).to eq('Authorization error')
+        expect(response[:result_code]).to eq('2201')
+      end
+
       it 'stamps updated_by succesfully' do
         Fabricate(:contact, code: 'sh8013')
   
@@ -89,7 +98,7 @@ describe 'EPP Contact', epp: true do
       end
   
       it 'is succesful' do
-        Fabricate(:contact, created_by_id: 1, email: 'not_updated@test.test', code: 'sh8013')
+        Fabricate(:contact, created_by_id: 1, email: 'not_updated@test.test', code: 'sh8013', auth_info: '2fooBAR')
         #response = epp_request(contact_update_xml( { chg: { email: 'fred@bloggers.ee', postalInfo: { name: 'Fred Bloggers' } } } ), :xml)
         response = epp_request('contacts/update.xml')
 
@@ -101,7 +110,7 @@ describe 'EPP Contact', epp: true do
       end
   
       it 'returns phone and email error' do 
-        Fabricate(:contact, created_by_id: 1, email: 'not_updated@test.test', code: 'sh8013')
+        Fabricate(:contact, created_by_id: 1, email: 'not_updated@test.test', code: 'sh8013', auth_info: '2fooBAR')
         #response = epp_request(contact_update_xml( { chg: { email: "qwe", phone: "123qweasd" } }), :xml)
         response = epp_request('contacts/update_with_errors.xml')
   
@@ -123,7 +132,7 @@ describe 'EPP Contact', epp: true do
       end
 
       it 'deletes contact' do
-        Fabricate(:contact, code: "dwa1234")
+        Fabricate(:contact, code: "dwa1234", auth_info: '2fooBAR')
         response = epp_request('contacts/delete.xml')
         expect(response[:result_code]).to eq('1000')
         expect(response[:msg]).to eq('Command completed successfully')
diff --git a/spec/epp/requests/contacts/update_with_errors.xml b/spec/epp/requests/contacts/update_with_errors.xml
index e9a9ddb39..df22bf9ad 100644
--- a/spec/epp/requests/contacts/update_with_errors.xml
+++ b/spec/epp/requests/contacts/update_with_errors.xml
@@ -8,6 +8,9 @@
           <contact:chg>
             <contact:voice x="1234">123456798</contact:voice>
             <contact:email>faulty</contact:email>
+            <contact:authInfo>
+              <contact:pw>2fooBAR</contact:pw>
+            </contact:authInfo>
          </contact:chg>
        </contact:update>
       </update>
diff --git a/spec/fabricators/contact_fabricator.rb b/spec/fabricators/contact_fabricator.rb
index 775d7e510..989bd2620 100644
--- a/spec/fabricators/contact_fabricator.rb
+++ b/spec/fabricators/contact_fabricator.rb
@@ -5,5 +5,6 @@ Fabricator(:contact) do
   ident '37605030299'
   code { "sh#{Faker::Number.number(4)}" }
   ident_type 'op'
+  auth_info 'ccds4324pok'
   address
 end
diff --git a/spec/support/epp_contact_xml_builder.rb b/spec/support/epp_contact_xml_builder.rb
index a97f154ad..a5895e1cf 100644
--- a/spec/support/epp_contact_xml_builder.rb
+++ b/spec/support/epp_contact_xml_builder.rb
@@ -94,6 +94,8 @@ module EppContactXmlBuilder
     xml_params[:chg][:postalInfo] = postalInfo
     xml_params[:chg][:postalInfo][:addr] = addr
 
+    xml_params[:chg][:authInfo] = xml_params[:chg][:authInfo] || { pw: 'ccds4324pok' }
+
 
     xml.instruct!(:xml, standalone: 'no')
      xml.epp('xmlns' => 'urn:ietf:params:xml:ns:epp-1.0') do
@@ -122,6 +124,11 @@ module EppContactXmlBuilder
                     end
                   end
                 end
+                unless xml_params[:chg][:authInfo] == [false]
+                  xml.tag!('contact:authInfo') do
+                    xml.tag!('contact:pw', xml_params[:chg][:authInfo][:pw] ) unless xml_params[:chg][:authInfo][:pw] == false
+                  end
+                end
               end
             end
           end