diff --git a/test/helpers/wait-for-event.js b/test/helpers/wait-for-event.js
new file mode 100644
index 00000000..3405f3c5
--- /dev/null
+++ b/test/helpers/wait-for-event.js
@@ -0,0 +1,17 @@
+// Copyright IBM Corp. 2013,2016. All Rights Reserved.
+// Node module: loopback
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+'use strict';
+
+const Promise = require('bluebird');
+
+function waitForEvent(emitter, event) {
+  return new Promise((resolve, reject) => {
+    emitter.on(event, resolve);
+  });
+}
+
+module.exports = waitForEvent;
+
diff --git a/test/user.test.js b/test/user.test.js
index 0592b2d3..65008dc2 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -11,7 +11,8 @@ var loopback = require('../');
 var async = require('async');
 var url = require('url');
 var extend = require('util')._extend;
-var Promise = require('bluebird');
+const Promise = require('bluebird');
+const waitForEvent = require('./helpers/wait-for-event');
 
 var User, AccessToken;
 
@@ -2165,6 +2166,44 @@ describe('User', function() {
           });
       });
 
+      it('creates token that allows patching User with new password', () => {
+        return triggerPasswordReset(options.email)
+          .then(info => {
+            // Make a REST request to change the password
+            return request(app)
+              .patch(`/test-users/${info.user.id}`)
+              .set('Authorization', info.accessToken.id)
+              .send({password: 'new-pass'})
+              .expect(200);
+          })
+          .then(() => {
+            // Call login to verify the password was changed
+            const credentials = {email: options.email, password: 'new-pass'};
+            return User.login(credentials);
+          });
+      });
+
+      it('creates token that allows calling other endpoints too', () => {
+        // Setup a test method that can be executed by $owner only
+        User.prototype.testMethod = function(cb) { cb(null, 'ok'); };
+        User.remoteMethod('prototype.testMethod', {
+          returns: {arg: 'status', type: 'string'},
+          http: {verb: 'get', path: '/test'},
+        });
+        User.settings.acls.push({
+          principalType: 'ROLE',
+          principalId: '$owner',
+          permission: 'ALLOW',
+          property: 'testMethod',
+        });
+
+        return triggerPasswordReset(options.email)
+          .then(info => request(app)
+            .get(`/test-users/${info.user.id}/test`)
+            .set('Authorization', info.accessToken.id)
+            .expect(200));
+      });
+
       describe('User.resetPassword(options, cb) requiring realm', function() {
         var realmUser;
 
@@ -2788,4 +2827,12 @@ describe('User', function() {
       expect(User2.settings.ttl).to.equal(10);
     });
   });
+
+  function triggerPasswordReset(email) {
+    return Promise.all([
+      User.resetPassword({email: email}),
+      waitForEvent(User, 'resetPasswordRequest'),
+    ])
+    .spread((reset, info) => info);
+  }
 });