diff --git a/build.gradle b/build.gradle
index b5a4584..3d3cf19 100644
--- a/build.gradle
+++ b/build.gradle
@@ -41,6 +41,7 @@ dependencies {
 implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 implementation("org.springframework.boot:spring-boot-starter-validation")
 testImplementation 'org.springframework.boot:spring-boot-starter-test'
+ testImplementation 'org.springframework.security:spring-security-test'
 testImplementation 'io.projectreactor:reactor-test'
 testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 }
diff --git a/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java b/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java
deleted file mode 100644
index d05fbc0..0000000
--- a/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java
+++ /dev/null
@@ -1,37 +0,0 @@
-package it.gov.pagopa.rtp.activator;
-
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RestController;
-import reactor.core.publisher.Mono;
-
-import java.security.Principal;
-
-// Controller to play with role and authorization
-// TODO: remove me
-@RestController
-public class PlaygroundController {
-
- @PreAuthorize("hasRole('mil-auth-admin')")
- @GetMapping("/test")
- public Mono> trySomething(
- Principal principal
- ) {
- return Mono.just(
- ResponseEntity.ok("Ciao " + principal.getName())
- );
- }
-
- @PreAuthorize("hasRole('mil-auth-admin')")
- @GetMapping("/test2")
- public Mono> trySomething2(
- Authentication authentication
- ) {
- return Mono.just(
- ResponseEntity.ok("Ciao " + authentication.getName() + " " + authentication.getAuthorities())
- );
- }
-
-}
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java b/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java
new file mode 100644
index 0000000..e0d1ab6
--- /dev/null
+++ b/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java
@@ -0,0 +1,50 @@
+package it.gov.pagopa.rtp.activator;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+
+import java.util.Date;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+public final class JwtTestUtils {
+
+ public static String generateToken(String subject, String... roles) throws JOSEException {
+ return generateToken(subject, new Date(new Date().getTime() + 60 * 60 * 1000), roles); // 1 hour
+ }
+
+ public static String generateExpiredToken(String subject, String... roles) throws JOSEException {
+ return generateToken(subject, new Date(new Date().getTime() - 60 * 60 * 1000), roles); // 1 hour ago
+ }
+
+ private static String generateToken(String subject, Date expirationTime, String... roles) throws JOSEException {
+ // Create HMAC signer
+ JWSSigner signer = new MACSigner(
+ IntStream.range(0, 256).mapToObj(Integer::toString).collect(Collectors.joining())
+ );
+
+ // Prepare JWT with claims set
+ JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+ .subject(subject)
+ .claim("groups", roles)
+ .issuer("pagopa.it")
+ .expirationTime(expirationTime) // 1 hour expiration
+ .build();
+
+ SignedJWT signedJWT = new SignedJWT(
+ new JWSHeader(JWSAlgorithm.HS256),
+ claimsSet);
+
+ // Apply the HMAC signature
+ signedJWT.sign(signer);
+
+ // Serialize to compact form
+ return signedJWT.serialize();
+ }
+
+}
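Review bot: The `// 1 hour expiration` comment on `.expirationTime(expirationTime)` inside the private `generateToken` is wrong for one of its two callers — `generateExpiredToken` passes a Date one hour in the past — so it should read `.expirationTime(expirationTime) // caller-supplied; in the past for generateExpiredToken`. The class also deserves a Javadoc stating that it is a test-only token factory whose HMAC key is a fixed, non-secret string (the digit run built from `IntStream.range(0, 256)`), so nobody mirrors that value into a runtime configuration; hoisting the key into a `private static final String` would make that intent visible and avoid rebuilding it on every call. As a point of style, the `java.util.Date` arithmetic in both public overloads could become `Date.from(Instant.now().plus(Duration.ofHours(1)))` (and `.minus(...)` for the expired case), which reads as a duration instead of a magic product.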
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java b/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java
new file mode 100644
index 0000000..4429bfe
--- /dev/null
+++ b/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java
@@ -0,0 +1,21 @@
+package it.gov.pagopa.rtp.activator.configuration;
+
+import com.nimbusds.jose.JOSEException;
+import it.gov.pagopa.rtp.activator.JwtTestUtils;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+
+class NoSignatureJwtDecoderTest {
+
+
+ @Test
+ void givenSignedTokenMustDecodeWithoutVerifySignature() throws JOSEException {
+ final var decoder = new NoSignatureJwtDecoder();
+ final var token = JwtTestUtils.generateToken("me", "none");
+ assertThat(decoder.decode(token), Matchers.notNullValue());
+ }
+
+}
+
diff --git a/src/test/resources/application.properties b/src/test/resources/application.properties
new file mode 100644
index 0000000..1060f52
--- /dev/null
+++ b/src/test/resources/application.properties
@@ -0,0 +1 @@
+logging.level.org.springframework.security=DEBUG
\ No newline at end of file
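Review bot: The single `Matchers.notNullValue()` assertion in `givenSignedTokenMustDecodeWithoutVerifySignature` pins neither half of the test's name: it does not check that the decoded claims are the ones that went in, nor that a token whose signature the decoder cannot verify is still accepted. If `decode` returns a Spring `Jwt` directly (a reactive decoder would need `.block()` or StepVerifier instead), `assertThat(decoder.decode(token).getSubject(), Matchers.equalTo("me"))` covers the first, and a second case using a token signed under a different key covers the second — I am inferring the decoder's contract from its name, since `NoSignatureJwtDecoder` is outside this commit. The commit also adds `JwtTestUtils.generateExpiredToken` but never calls it; a test stating whether this decoder still rejects an expired token would document that contract, which matters for a decoder that deliberately skips signature verification.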
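Review bot: `logging.level.org.springframework.security=DEBUG` in a committed test `application.properties` enables security-filter debug output for every test run, and that output can include principal and authority details of the authentication objects under test, which then end up in CI logs. If it was added to diagnose the new decoder tests, narrowing it to the package actually being debugged, or dropping it once the tests pass, keeps CI output clean; the file also lacks a trailing newline.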