diff --git a/tests/unit/app/test_app_firefly_account_routes.py b/tests/unit/app/test_app_firefly_account_routes.py
index f03abbe..d9ce9ab 100644
--- a/tests/unit/app/test_app_firefly_account_routes.py
+++ b/tests/unit/app/test_app_firefly_account_routes.py
@@ -137,3 +137,60 @@ def test_firefly_reset_handles_find_user_error(monkeypatch) -> None:
         headers={"Authorization": "Bearer token"},
     )
     assert resp.status_code == 200
+
+
+def test_firefly_reset_uses_default_mailu_email(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=["dev"], claims={})
+    client = _client(monkeypatch, ctx)
+    captured = {}
+
+    monkeypatch.setattr(app_module.keycloak_admin, "ready", lambda: True)
+    monkeypatch.setattr(app_module.keycloak_admin, "find_user", lambda username: {})
+    monkeypatch.setattr(app_module.keycloak_admin, "set_user_attribute", lambda *args, **kwargs: None)
+
+    def fake_sync_user(email, password, wait=True):
+        captured["email"] = email
+        return {"status": "ok"}
+
+    monkeypatch.setattr(app_module.firefly, "sync_user", fake_sync_user)
+
+    resp = client.post(
+        "/api/account/firefly/reset",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code == 200
+    assert captured["email"] == f"alice@{app_module.settings.mailu_domain}"
+
+
+def test_firefly_rotation_check(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=["dev"], claims={})
+    client = _client(monkeypatch, ctx)
+
+    monkeypatch.setattr(app_module.keycloak_admin, "ready", lambda: True)
+    monkeypatch.setattr(app_module.firefly, "check_rotation_for_user", lambda username: {"status": "ok", "username": username})
+
+    resp = client.post(
+        "/api/account/firefly/rotation/check",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code == 200
+    assert resp.json() == {"status": "ok", "username": "alice"}
+
+
+def test_firefly_rotation_check_error(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=["dev"], claims={})
+    client = _client(monkeypatch, ctx)
+
+    monkeypatch.setattr(app_module.keycloak_admin, "ready", lambda: True)
+    monkeypatch.setattr(
+        app_module.firefly,
+        "check_rotation_for_user",
+        lambda username: {"status": "error", "detail": "expired"},
+    )
+
+    resp = client.post(
+        "/api/account/firefly/rotation/check",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code == 502
+    assert resp.json()["detail"] == "expired"
diff --git a/tests/unit/app/test_app_mailu_account_routes.py b/tests/unit/app/test_app_mailu_account_routes.py
index 188cfed..df5d469 100644
--- a/tests/unit/app/test_app_mailu_account_routes.py
+++ b/tests/unit/app/test_app_mailu_account_routes.py
@@ -55,6 +55,7 @@ def test_rotate_mailu_password_sync_error(monkeypatch) -> None:
 
     monkeypatch.setattr(app_module.keycloak_admin, "ready", lambda: True)
     monkeypatch.setattr(app_module.keycloak_admin, "set_user_attribute", lambda *args, **kwargs: None)
+    monkeypatch.setattr(app_module.mailu, "ready", lambda: True)
     monkeypatch.setattr(app_module.mailu, "sync", lambda *args, **kwargs: (_ for _ in ()).throw(RuntimeError("fail")))
     monkeypatch.setattr(app_module.nextcloud, "sync_mail", lambda *args, **kwargs: (_ for _ in ()).throw(RuntimeError("fail")))
 
diff --git a/tests/unit/app/test_app_wger_account_routes.py b/tests/unit/app/test_app_wger_account_routes.py
index 4b93a33..56c9a62 100644
--- a/tests/unit/app/test_app_wger_account_routes.py
+++ b/tests/unit/app/test_app_wger_account_routes.py
@@ -137,3 +137,37 @@ def test_wger_reset_handles_find_user_error(monkeypatch) -> None:
         headers={"Authorization": "Bearer token"},
     )
     assert resp.status_code == 200
+
+
+def test_wger_rotation_check(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=["dev"], claims={})
+    client = _client(monkeypatch, ctx)
+
+    monkeypatch.setattr(app_module.keycloak_admin, "ready", lambda: True)
+    monkeypatch.setattr(app_module.wger, "check_rotation_for_user", lambda username: {"status": "ok", "username": username})
+
+    resp = client.post(
+        "/api/account/wger/rotation/check",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code == 200
+    assert resp.json() == {"status": "ok", "username": "alice"}
+
+
+def test_wger_rotation_check_error(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=["dev"], claims={})
+    client = _client(monkeypatch, ctx)
+
+    monkeypatch.setattr(app_module.keycloak_admin, "ready", lambda: True)
+    monkeypatch.setattr(
+        app_module.wger,
+        "check_rotation_for_user",
+        lambda username: {"status": "error", "detail": "stale"},
+    )
+
+    resp = client.post(
+        "/api/account/wger/rotation/check",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code == 502
+    assert resp.json()["detail"] == "stale"