diff --git a/tests/strategy_switch_worker_validation.mjs b/tests/strategy_switch_worker_validation.mjs
index 303f0a9..f0b2efb 100644
--- a/tests/strategy_switch_worker_validation.mjs
+++ b/tests/strategy_switch_worker_validation.mjs
@@ -3,7 +3,7 @@ import { readFileSync } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { dirname, resolve } from "node:path";
 
-import { __test } from "../web/strategy-switch-console/worker.js";
+import worker, { __test } from "../web/strategy-switch-console/worker.js";
 
 const root = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const indexHtml = readFileSync(resolve(root, "web/strategy-switch-console/index.html"), "utf8");
@@ -51,6 +51,17 @@ const crossOriginError = captureError(
 assert.match(crossOriginError.message, /cross-origin request rejected/);
 assert.equal(crossOriginError.status, 403);
 
+const unauthorizedSyncResponse = await worker.fetch(
+  new Request("https://switch.example/api/internal/sync-account-default", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: "{}",
+  }),
+  { STRATEGY_SWITCH_SYNC_TOKEN: "test-sync-token" },
+);
+assert.equal(unauthorizedSyncResponse.status, 401);
+assert.match((await unauthorizedSyncResponse.json()).error, /internal sync token is invalid/);
+
 assert.equal(
   await __test.withTimeout(new Promise((resolve) => setTimeout(() => resolve("late"), 25)), 1, "fallback"),
   "fallback",
diff --git a/web/strategy-switch-console/worker.js b/web/strategy-switch-console/worker.js
index e3fed2f..bd3a738 100644
--- a/web/strategy-switch-console/worker.js
+++ b/web/strategy-switch-console/worker.js
@@ -49,21 +49,23 @@ export default {
   async fetch(request, env) {
     const url = new URL(request.url);
     try {
-      if (url.pathname === "/login") return startLogin(request, env);
-      if (url.pathname === "/callback") return finishLogin(request, env);
-      if (url.pathname === "/admin") return adminPage(request, env);
+      if (url.pathname === "/login") return await startLogin(request, env);
+      if (url.pathname === "/callback") return await finishLogin(request, env);
+      if (url.pathname === "/admin") return await adminPage(request, env);
       if (url.pathname === "/api/session") return json(await sessionPayload(request, env));
       if (url.pathname === "/api/strategy-profiles") return json(await strategyProfilesPayload(env));
       if (url.pathname === "/api/config") return json(await configPayload(request, env));
-      if (url.pathname === "/api/admin/config" && request.method === "GET") return adminConfigResponse(request, env);
+      if (url.pathname === "/api/admin/config" && request.method === "GET") {
+        return await adminConfigResponse(request, env);
+      }
       if (url.pathname === "/api/admin/config" && request.method === "POST") {
-        return saveAdminConfig(request, env);
+        return await saveAdminConfig(request, env);
       }
       if (url.pathname === "/api/internal/sync-account-default" && request.method === "POST") {
-        return syncAccountDefaultResponse(request, env);
+        return await syncAccountDefaultResponse(request, env);
       }
       if (url.pathname === "/api/logout" && request.method === "POST") return logout(request);
-      if (url.pathname === "/api/switch" && request.method === "POST") return dispatchSwitch(request, env);
+      if (url.pathname === "/api/switch" && request.method === "POST") return await dispatchSwitch(request, env);
       return html(PAGE_HTML);
     } catch (error) {
       return json({ ok: false, error: error.message || "unexpected error" }, error.status || 500);