diff --git a/policies/Makefile b/policies/Makefile
index 34f228a2c..a93ccd26a 100644
--- a/policies/Makefile
+++ b/policies/Makefile
@@ -3,3 +3,7 @@ policy.wasm: client_registration.rego login.rego register.rego
 	tar xzf bundle.tar.gz /policy.wasm
 	rm -f bundle.tar.gz
 	touch $@
+
+.PHONY: test
+test:
+	opa test -v .
diff --git a/policies/client_registration_test.rego b/policies/client_registration_test.rego
new file mode 100644
index 000000000..2bdb4ea42
--- /dev/null
+++ b/policies/client_registration_test.rego
@@ -0,0 +1,27 @@
+package client_registration
+
+test_valid {
+  allow with input.client_metadata as {
+    "client_uri": "https://example.com",
+    "tos_uri": "https://example.com/tos",
+    "policy_uri": "https://example.com/policy",
+    "redirect_uris": ["https://example.com/callback"],
+  }
+}
+
+test_missing_client_uri {
+  not allow with input.client_metadata as {
+    "tos_uri": "https://example.com/tos",
+    "policy_uri": "https://example.com/policy",
+    "redirect_uris": ["https://example.com/callback"],
+  }
+}
+
+test_insecure_client_uri {
+  not allow with input.client_metadata as {
+    "client_uri": "http://example.com",
+    "tos_uri": "https://example.com/tos",
+    "policy_uri": "https://example.com/policy",
+    "redirect_uris": ["https://example.com/callback"],
+  }
+}