diff --git a/ENVTEMPLATE.sh b/ENVTEMPLATE.sh
index c3b8607..884c539 100644
--- a/ENVTEMPLATE.sh
+++ b/ENVTEMPLATE.sh
@@ -6,6 +6,8 @@ export WEBHDFS_USER=username
 export WEBHDFS_URL=http://example.com:5000
 export IGV_HTTPFS_URL=http://example.com:9876
 export ALLOW_VCF_OVERWRITES=False
+export BCRYPT_LOG_ROUNDS=12
+export SECRET_KEY  # Set to something real + random for deployment
 
 # True for automatic reloading & debugging JS insertion.
 export USE_RELOADER=False
diff --git a/config.py b/config.py
index 39de55a..7394d0d 100644
--- a/config.py
+++ b/config.py
@@ -1,10 +1,13 @@
 import os
+import subprocess
+
 
 def handle_false(value):
     # ensure that false in config isn't interpreted as True
-    if value and value.lower() == 'false':
-        value = False
-    return value
+    if value and value.lower() == 'false' or not value:
+        return False
+    return True
+
 
 USE_RELOADER = handle_false(os.environ.get('USE_RELOADER', False))
 SQLALCHEMY_DATABASE_URI = os.environ['DATABASE_URI']
@@ -18,7 +21,6 @@ def handle_false(value):
 
 TYPEKIT_URL = os.environ.get('TYPEKIT_URL', None)
 
-import subprocess
 try:
     DEPLOYED_GIT_HASH = subprocess.check_output(['git', 'rev-parse', 'HEAD'])[:-1]
 except subprocess.CalledProcessError:
@@ -29,4 +31,14 @@ def handle_false(value):
 TRAVIS = os.environ.get('TRAVIS')
 ENSEMBL_RELEASE = os.environ.get('ENSEMBL_RELEASE', 75)
 
+SECRET_KEY = os.environ['SECRET_KEY']
+BCRYPT_LOG_ROUNDS = int(os.environ.get('BCRYPT_LOG_ROUNDS', 10))
+
+# Used to disable the @login_required decorator for e.g. seltest
+# cf. http://flask-login.readthedocs.org/en/latest/ "Protecting views"
+LOGIN_DISABLED = handle_false(os.environ.get('LOGIN_DISABLED', False))
+
+
 del os
+del subprocess
+del handle_false
diff --git a/cycledash/__init__.py b/cycledash/__init__.py
index 184d27b..585ace0 100644
--- a/cycledash/__init__.py
+++ b/cycledash/__init__.py
@@ -1,6 +1,6 @@
 from flask import Flask, jsonify, request
 from flask_sqlalchemy import SQLAlchemy
-from flask.ext import restful
+from flask.ext import restful, login, bcrypt
 import humanize
 import logging
 import sys
@@ -12,10 +12,20 @@ def initialize_application():
     _configure_application(app)
     _configure_logging(app)
     _configure_templates(app)
+    _configure_extensions(app)
 
     return app
 
 
+def _configure_extensions(app):
+    global db, api, login_manager, bcrypt
+    db = SQLAlchemy(app)
+    api = restful.Api(app, prefix='/api', catch_all_404s=True)
+    bcrypt = bcrypt.Bcrypt(app)
+    login_manager = login.LoginManager()
+    login_manager.init_app(app)
+
+
 def _configure_logging(app):
     stdout_handler = logging.StreamHandler(sys.stdout)
     stdout_handler.setLevel(logging.INFO)
@@ -39,8 +49,7 @@ def humanize_date(time):
 
 
 app = initialize_application()
-db = SQLAlchemy(app)
-api = restful.Api(app, prefix='/api', catch_all_404s=True)
 
 
 import cycledash.views
+import cycledash.auth
diff --git a/cycledash/api/__init__.py b/cycledash/api/__init__.py
new file mode 100644
index 0000000..699cca7
--- /dev/null
+++ b/cycledash/api/__init__.py
@@ -0,0 +1,36 @@
+from flask import request
+import flask.ext.restful
+from flask.ext.login import current_user
+
+from cycledash import login_manager
+from cycledash.auth import check_login
+
+
+class Resource(flask.ext.restful.Resource, object):
+    """Extends Resource by adding an authentication check for basic auth or
+    valid session cokie.
+    """
+    def __init__(self, *args, **kwargs):
+        self.auth = getattr(self, 'require_auth', False)
+        super(Resource, self).__init__(*args, **kwargs)
+
+    def dispatch_request(self, *args, **kwargs):
+        if self.auth:
+            authorized = False
+            if login_manager._login_disabled:
+                # This is used for tests.
+                authorized = True
+            elif current_user.is_authenticated():
+                authorized = True
+            elif request.authorization:
+                username = request.authorization.username
+                password = request.authorization.password
+                if check_login(username, password):
+                    authorized = True
+            if not authorized:
+                auth_msg = 'Correct username/password required.'
+                return flask.ext.restful.abort(401, message=auth_msg)
+        return super(Resource, self).dispatch_request(*args, **kwargs)
+
+
+import projects, bams, runs, genotypes, tasks, comments
diff --git a/cycledash/bams.py b/cycledash/api/bams.py
similarity index 94%
rename from cycledash/bams.py
rename to cycledash/api/bams.py
index 656a012..a6ecaac 100644
--- a/cycledash/bams.py
+++ b/cycledash/api/bams.py
@@ -1,6 +1,6 @@
 """Defines the API for BAMs."""
 from flask import request
-from flask.ext.restful import abort, Resource, fields
+from flask.ext.restful import abort, fields
 from sqlalchemy import select, desc
 import voluptuous
 
@@ -8,9 +8,11 @@
 from cycledash.validations import CreateBam, UpdateBam, expect_one_of
 from cycledash import db
 from cycledash.helpers import validate_with, abort_if_none_for, marshal_with
-import cycledash.projects
 import workers.indexer
 
+import projects
+from . import Resource
+
 
 bam_fields = {
     "id": fields.Integer,
@@ -25,6 +27,7 @@
 
 
 class BamList(Resource):
+    require_auth = True
     @marshal_with(bam_fields, envelope='bams')
     def get(self):
         """Get list of all BAMs."""
@@ -44,7 +47,7 @@ def post(self):
             errors = [str(err) for err in e.errors]
             abort(409, message='Validation error', errors=errors)
         try:
-            cycledash.projects.set_and_verify_project_id_on(request.validated_body)
+            projects.set_and_verify_project_id_on(request.validated_body)
         except voluptuous.Invalid as e:
             abort(404, message='Project not found.', error=str(e))
         with tables(db.engine, 'bams') as (con, bams):
@@ -56,6 +59,7 @@ def post(self):
 
 
 class Bam(Resource):
+    require_auth = True
     @marshal_with(bam_fields)
     def get(self, bam_id):
         """Get a BAM by its ID."""
diff --git a/cycledash/comments.py b/cycledash/api/comments.py
similarity index 97%
rename from cycledash/comments.py
rename to cycledash/api/comments.py
index e907a96..ed7f2e1 100644
--- a/cycledash/comments.py
+++ b/cycledash/api/comments.py
@@ -1,7 +1,7 @@
 """API for user comments."""
 from collections import defaultdict
 from flask import jsonify, request
-from flask.ext.restful import abort, Resource, fields
+from flask.ext.restful import abort, fields
 from sqlalchemy import select, func, desc
 
 from common.helpers import tables, to_epoch
@@ -11,6 +11,8 @@
                                marshal_with, camelcase_dict)
 from cycledash.validations import CreateComment, DeleteComment, UpdateComment
 
+from . import Resource
+
 
 comment_fields = {
     "id": fields.Integer,
@@ -28,6 +30,7 @@
 
 
 class CommentList(Resource):
+    require_auth = True
     @marshal_with(comment_fields, envelope='comments')
     def get(self, run_id):
         """Get a list of all comments."""
@@ -49,6 +52,7 @@ def post(self, run_id):
 
 
 class Comment(Resource):
+    require_auth = True
     @marshal_with(comment_fields)
     def get(self, run_id, comment_id):
         """Get comment with the given ID."""
@@ -93,6 +97,7 @@ def delete(self, run_id, comment_id):
 
 
 class CommentsForVcf(Resource):
+    require_auth = True
     def get(self, run_id):
         """Returns comments keys by their record ID."""
         # Ideally, this would be done on the client-side with the basic API
diff --git a/cycledash/genotypes.py b/cycledash/api/genotypes.py
similarity index 99%
rename from cycledash/genotypes.py
rename to cycledash/api/genotypes.py
index 6ebd6a9..8e0666b 100644
--- a/cycledash/genotypes.py
+++ b/cycledash/api/genotypes.py
@@ -2,10 +2,8 @@
 from collections import OrderedDict
 import copy
 import json
-
 from flask import request
 import flask.ext.restful as restful
-from flask.ext.restful import Resource
 from sqlalchemy import (select, func, types, cast, join, outerjoin, asc, desc,
                         and_, Integer, Float, String, distinct)
 from sqlalchemy.sql import text
@@ -17,8 +15,11 @@
 from cycledash import db
 from common.helpers import tables
 
+from . import Resource
+
 
 class Genotypes(Resource):
+    require_auth = True
     def get(self, run_id):
         return get(run_id, json.loads(request.args.get('q')))
 
diff --git a/cycledash/projects.py b/cycledash/api/projects.py
similarity index 95%
rename from cycledash/projects.py
rename to cycledash/api/projects.py
index 6e8a5da..4999640 100644
--- a/cycledash/projects.py
+++ b/cycledash/api/projects.py
@@ -1,17 +1,17 @@
 """Defines the API for Projects."""
 from flask import request, redirect, jsonify, url_for, render_template
-from flask.ext.restful import Resource, fields, abort
+from flask.ext.restful import fields, abort
 from sqlalchemy import exc, select, func, desc
 import voluptuous
 
 from common.helpers import tables, find
 from cycledash import db
-import cycledash.tasks
-import cycledash.bams
 from cycledash.helpers import (get_id_where, abort_if_none_for, validate_with,
                                marshal_with)
 from cycledash.validations import CreateProject, UpdateProject
 
+from . import bams as bamsapi, tasks as tasksapi, Resource
+
 
 project_fields = {
     'id': fields.Integer,
@@ -21,6 +21,7 @@
 
 
 class ProjectList(Resource):
+    require_auth = True
     @marshal_with(project_fields, envelope='projects')
     def get(self):
         """Get list of all projects."""
@@ -43,6 +44,7 @@ def post(self):
 
 
 class Project(Resource):
+    require_auth = True
     @marshal_with(project_fields)
     def get(self, project_id):
         """Get a project by its ID."""
@@ -101,7 +103,7 @@ def get_projects_tree():
         q = select(projects.c)
         projects = [dict(b) for b in con.execute(q).fetchall()]
 
-        cycledash.bams.attach_bams_to_vcfs(vcfs)
+        bamsapi.attach_bams_to_vcfs(vcfs)
 
         for vcf in vcfs:
             project_id = vcf.get('project_id')
@@ -124,7 +126,7 @@ def get_projects_tree():
 
 def _join_task_states(vcfs):
     """Add a task_states field to each VCF in a list of VCFs."""
-    ts = cycledash.tasks.all_non_success_tasks()
+    ts = tasksapi.all_non_success_tasks()
 
     for vcf in vcfs:
         vcf['task_states'] = ts.get(vcf['id'], [])
diff --git a/cycledash/runs.py b/cycledash/api/runs.py
similarity index 94%
rename from cycledash/runs.py
rename to cycledash/api/runs.py
index 92b2d83..97d282a 100644
--- a/cycledash/runs.py
+++ b/cycledash/api/runs.py
@@ -1,17 +1,17 @@
 from flask import request
-from flask.ext.restful import abort, Resource, fields
+from flask.ext.restful import abort, fields
 from sqlalchemy import select, desc, func
 import voluptuous
 
-from cycledash import db, genotypes
+from cycledash import db
 from cycledash.helpers import (get_id_where, get_where, abort_if_none_for,
                                validate_with, marshal_with)
-import cycledash.bams
-import cycledash.projects
 from cycledash.validations import CreateRun, UpdateRun, expect_one_of
 from common.helpers import tables
 import workers.runner
 
+from . import genotypes, bams, projects, Resource
+
 
 run_fields = {
     'id': fields.Integer,
@@ -35,6 +35,7 @@
 
 
 class RunList(Resource):
+    require_auth = True
     @marshal_with(run_fields, envelope='runs')
     def get(self):
         """Get list of all runs in order of recency."""
@@ -57,7 +58,7 @@ def post(self):
             errors = [str(err) for err in e.errors]
             abort(409, message='Validation error', errors=errors)
         try:
-            cycledash.projects.set_and_verify_project_id_on(run)
+            projects.set_and_verify_project_id_on(run)
         except voluptuous.Invalid as e:
             abort(404, message='Project not found.', errors=[str(e)])
         try:
@@ -74,13 +75,14 @@ def post(self):
 
 
 class Run(Resource):
+    require_auth = True
     @marshal_with(thick_run_fields)
     def get(self, run_id):
         """Return a vcf with a given ID."""
         with tables(db.engine, 'vcfs') as (con, runs):
             q = select(runs.c).where(runs.c.id == run_id)
             run = dict(_abort_if_none(q.execute().fetchone(), run_id))
-        cycledash.bams.attach_bams_to_vcfs([run])
+        bams.attach_bams_to_vcfs([run])
         return run
 
     @validate_with(UpdateRun)
diff --git a/cycledash/tasks.py b/cycledash/api/tasks.py
similarity index 95%
rename from cycledash/tasks.py
rename to cycledash/api/tasks.py
index b364eff..ff36128 100644
--- a/cycledash/tasks.py
+++ b/cycledash/api/tasks.py
@@ -1,7 +1,7 @@
 """Methods for working with Celery task states."""
 from collections import defaultdict
 from sqlalchemy import select
-from flask.ext.restful import abort, Resource, fields
+from flask.ext.restful import abort, fields
 
 from common.helpers import tables
 from cycledash.helpers import marshal_with
@@ -9,6 +9,8 @@
 from workers.shared import update_tasks_table, worker
 import workers.runner
 
+from . import Resource
+
 
 task_fields = {
     'state': fields.String,
@@ -18,6 +20,7 @@
 
 
 class TaskList(Resource):
+    require_auth = True
     @marshal_with(task_fields, envelope='tasks')
     def get(self, run_id):
         with tables(db.engine, 'task_states') as (con, tasks):
@@ -37,6 +40,7 @@ def delete(self, run_id):
 
 
 class TasksRestart(Resource):
+    require_auth = True
     def post(self, run_id):
         restart_failed_tasks_for(run_id)
         return {'message': 'Restarting failed tasks (run_id={})'.format(run_id)}
diff --git a/cycledash/auth.py b/cycledash/auth.py
new file mode 100644
index 0000000..27fc3e7
--- /dev/null
+++ b/cycledash/auth.py
@@ -0,0 +1,114 @@
+# Module to manage user authentication and identification
+from flask import request, redirect, render_template
+from flask.ext.login import login_user, logout_user
+from sqlalchemy import exc
+import voluptuous
+
+from cycledash import db, bcrypt, login_manager
+from cycledash.helpers import prepare_request_data, safely_redirect_to_next
+from common.helpers import tables
+from validations import RegisterUser, LoginUser
+
+
+login_manager.login_view = 'login'
+
+def load_user(user_id):
+    with tables(db.engine, 'users') as (con, users):
+        user = users.select(users.c.id == user_id).execute().fetchone()
+        if user:
+            return wrap_user(user)
+
+login_manager.user_loader(load_user)
+
+
+def login():
+    """Attempt to login a user from the current request.
+
+    Return the user if successful, else raise."""
+    try:
+        data = LoginUser(prepare_request_data(request))
+    except voluptuous.MultipleInvalid as err:
+        render_template('login.html', errors=str(err))
+    user = check_login(data['username'], data['password'])
+    if user:
+        login_user(user)
+        return safely_redirect_to_next('home')
+    return render_template('login.html', errors='No such user.')
+
+
+def check_login(username, password):
+    """Returns the user if exists and password is correct, else None."""
+    if not (username and password):
+        return None
+    user = None
+    with tables(db.engine, 'users') as (con, users):
+        user = users.select(users.c.username == username).execute().fetchone()
+    if user:
+        pw_hash = str(user['password'])
+        candidate = str(password)
+        if bcrypt.check_password_hash(pw_hash, candidate):
+            return wrap_user(user)
+    return None
+
+
+class User(dict):
+    def is_authenticated(self):
+        return True
+
+    def is_active(self):
+        return True
+
+    def is_anonymous(self):
+        return False
+
+    def get_id(self):
+        return unicode(self['id'])
+
+
+def wrap_user(user):
+    """Wraps user record returned from the database in a class providing methods
+    that flask-login expects.
+    """
+    return User(user)
+
+
+def logout():
+    """Logs the logged in user, if any, out."""
+    logout_user()
+    return redirect('about')
+
+
+def register():
+    """Register user from current request.
+
+    Returns the user if successful, else raise."""
+    errors = None
+    user = None
+    try:
+        data = RegisterUser(prepare_request_data(request))
+        if data.get('password1') != data.get('password2'):
+            errors = 'Passwords must match.'
+    except voluptuous.MultipleInvalid as err:
+        errors = str(err)
+    if not errors:
+        with tables(db.engine, 'users') as (con, users):
+            try:
+                password_hash = bcrypt.generate_password_hash(
+                    request.form['password1'])
+                user = users.insert({
+                    'username': request.form['username'],
+                    'password': password_hash,
+                    'email': request.form['email']
+                }).returning(*users.c).execute().fetchone()
+            except exc.IntegrityError as e:
+                errors = "Can\'t create user: " + str(e)
+        if user:
+            class d2(dict): pass
+            user = d2(user)
+            setattr(user, 'is_authenticated', True)
+            setattr(user, 'is_active', lambda: True)
+            setattr(user, 'is_anonymous', False)
+            setattr(user, 'get_id', lambda: unicode(user['id']))
+            login_user(user)
+            return redirect('/')
+    return render_template('register.html', errors=errors)
diff --git a/cycledash/helpers.py b/cycledash/helpers.py
index a1c8c99..4587128 100644
--- a/cycledash/helpers.py
+++ b/cycledash/helpers.py
@@ -3,11 +3,12 @@
 import json
 import os
 import re
+from urlparse import urlparse, urljoin
 
 from cycledash import db
 from common.helpers import tables, to_epoch
 
-from flask import jsonify, request
+from flask import jsonify, request, url_for, redirect
 import flask.ext.restful, flask.ext.restful.fields
 import voluptuous
 from werkzeug.utils import secure_filename
@@ -203,6 +204,26 @@ def wrapper(*args, **kwargs):
     return decorator
 
 
+def is_safe_url(target):
+    """Make sure a redirect target is to the same server
+
+    This is used to prevent open redirects.
+
+    cf. http://flask.pocoo.org/snippets/62/."""
+    ref_url = urlparse(request.host_url)
+    test_url = urlparse(urljoin(request.host_url, target))
+    return test_url.scheme in ('http', 'https') and \
+           ref_url.netloc == test_url.netloc
+
+
+def safely_redirect_to_next(fallback_endpoint, **values):
+    """Redirect to `next` endpoint if safe, else to `fallback_endpoint`."""
+    target = request.form.get('next')
+    if not target or not is_safe_url(target):
+        target = url_for(fallback_endpoint, **values)
+    return redirect(target)
+
+
 def abort_if_none_for(obj_name):
     def abort_if_none(obj, obj_id):
         """Abort request with a 404 if object is None."""
diff --git a/cycledash/static/scss/header.scss b/cycledash/static/scss/header.scss
index 5abb792..763fa21 100644
--- a/cycledash/static/scss/header.scss
+++ b/cycledash/static/scss/header.scss
@@ -34,4 +34,15 @@ nav.navigation .active a:hover {
 }
 nav.navigation .active {
   font-weight: bold;
-}
\ No newline at end of file
+}
+nav #user-login-logout {
+  float: right;
+}
+
+nav #user-login-logout {
+  float: right;
+  #logout {
+    border: none;
+    background: none;
+  }
+}
diff --git a/cycledash/static/scss/style.scss b/cycledash/static/scss/style.scss
index 4a0b892..53de563 100644
--- a/cycledash/static/scss/style.scss
+++ b/cycledash/static/scss/style.scss
@@ -99,10 +99,21 @@ label {
   font-size: 0.875em;
   color: $color-text-dim;
 }
+.form-errors {
+    padding: 0.6em;
+}
 .form-group.required .control-label:after {
   content:"*";
   color: $color-red;
 }
+form.centered-form {
+  width: 500px;
+  background: $color-bg-body-dark;
+  border: 1px solid $color-border-light;
+  border-radius: $radius;
+  margin: 2em auto;
+  padding: 1em 2em 2em 2em;
+}
 section#api-docs > section {
   @extend %card;
   margin-bottom: 2em;
diff --git a/cycledash/templates/about.html b/cycledash/templates/about.html
index 1a92993..cef774c 100644
--- a/cycledash/templates/about.html
+++ b/cycledash/templates/about.html
@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block body %}
-{{ nav("about") }}
+{{ nav("about", current_user) }}
 <main>
   <section class="about-intro">
     <h1>Welcome to CycleDash <img class="cycle" src="static/img/cycle-dash.png" width=100></h1>
diff --git a/cycledash/templates/comments.html b/cycledash/templates/comments.html
index c25e175..5a8c4d4 100644
--- a/cycledash/templates/comments.html
+++ b/cycledash/templates/comments.html
@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block body %}
-{{ nav("comments") }}
+{{ nav("comments", current_user) }}
 <main id="comments"></main>
 <script type="text/javascript" src="/static/js/dist/bundled.js"></script>
 <script>
diff --git a/cycledash/templates/examine.html b/cycledash/templates/examine.html
index 091eb69..6319f5c 100644
--- a/cycledash/templates/examine.html
+++ b/cycledash/templates/examine.html
@@ -7,7 +7,7 @@
 {% endblock %}
 
 {% block body %}
-{{ nav("examine") }}
+{{ nav("examine", current_user) }}
 <div id="examine"></div>
 
 <script type="text/javascript" src="/static/lib/pileup.js/pileup.js"></script>
diff --git a/cycledash/templates/layouts/layout.html b/cycledash/templates/layouts/layout.html
index 4bf7630..0d63327 100644
--- a/cycledash/templates/layouts/layout.html
+++ b/cycledash/templates/layouts/layout.html
@@ -2,7 +2,7 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
-    <title>{% block title %}CycleDash{% endblock %}</title>
+    <title>{% block title %}Cycledash{% endblock %}</title>
 
     <!-- Current CycleDash commit: {{ config["DEPLOYED_GIT_HASH"] }} -->
 
diff --git a/cycledash/templates/login.html b/cycledash/templates/login.html
new file mode 100644
index 0000000..ae2bc05
--- /dev/null
+++ b/cycledash/templates/login.html
@@ -0,0 +1,32 @@
+{% extends "layouts/layout.html" %}
+{%- from 'macros/nav.html' import nav -%}
+
+{% block head %}
+<link rel="stylesheet" href="static/css/style.css">
+{% endblock %}
+
+{% block body %}
+{{ nav("login", current_user) }}
+<main id="login">
+  <form class="centered-form" method="POST">
+    <h2>Login to Cycledash</h3>
+    {% if errors %}
+    <p class="bg-danger form-errors">{{errors}}</p>
+    {% endif %}
+    <div class="form-group add-form-input-half">
+      <label class="control-label">Username</label>
+      <input class="form-control" "type="text"
+             placeholder="username" name="username">
+    </div>
+    <div class="form-group add-form-input-half">
+      <label class="control-label">Password</label>
+      <input class="form-control" type="password"
+             placeholder="password" name="password">
+    </div>
+    <div className='form-group add-form-input-full'>
+      <button class="btn btn-info btn-block"type="submit">Login</button>
+    </div>
+    <a href="/register">Register here if you don't have an account</a>
+  </form>
+</main>
+{% endblock %}
diff --git a/cycledash/templates/macros/nav.html b/cycledash/templates/macros/nav.html
index 9e921c4..06c986c 100644
--- a/cycledash/templates/macros/nav.html
+++ b/cycledash/templates/macros/nav.html
@@ -1,8 +1,8 @@
-{% macro nav(active) -%}
+{% macro nav(active, current_user) -%}
 <nav class="navigation">
   <div class="container">
     <a class="header-logo" href="/">Home</a>
-    <ul>
+    <ul id="navigation-list">
       <li class="{{ 'active' if active == 'runs' else '' }}">
         <a href="/">Projects</a>
         {% if active == 'examine' %} &raquo;
@@ -15,6 +15,19 @@
         <a href="/about">About</a>
       </li>
     </ul>
+    <ul id="user-login-logout">
+      <li>
+        {% if current_user.is_authenticated() %}
+        <form action="/logout" method="POST">
+          <button id="logout">Logout {{ current_user['username'] }}</button>
+        </form>
+        {% else %}
+        <a href="/login">
+          <span class="{{ 'active' if active == 'login' else '' }}">Login</span>
+        </a>
+        {% endif %}
+      </li>
+    </ul>
   </div>
 </nav>
 {%- endmacro %}
diff --git a/cycledash/templates/register.html b/cycledash/templates/register.html
new file mode 100644
index 0000000..330f794
--- /dev/null
+++ b/cycledash/templates/register.html
@@ -0,0 +1,43 @@
+{% extends "layouts/layout.html" %}
+{%- from 'macros/nav.html' import nav -%}
+
+{% block head %}
+<link rel="stylesheet" href="static/css/style.css">
+{% endblock %}
+
+{% block body %}
+{{ nav("register", current_user) }}
+<main id="register">
+  <form class="centered-form" method="POST">
+    <h2>Register for Cycledash</h3>
+    {% if errors %}
+    <p class="bg-danger form-errors">{{errors}}</p>
+    {% endif %}
+    <div class="form-group add-form-input-half">
+      <label class="control-label">Username</label>
+      <input class="form-control" "type="text"
+             placeholder="username" name="username">
+    </div>
+    <div class="form-group add-form-input-half">
+      <label class="control-label">Email</label>
+      <input class="form-control" "type="text"
+             placeholder="email" name="email">
+    </div>
+    <div class="form-group add-form-input-half">
+      <label class="control-label">Password</label>
+      <input class="form-control" type="password"
+             placeholder="password" name="password1">
+    </div>
+    <div class="form-group add-form-input-half">
+      <label class="control-label">Confirm password</label>
+      <input class="form-control" type="password"
+             placeholder="confirm password" name="password2">
+    </div>
+    <div className='form-group add-form-input-full'>
+      <button class="btn btn-info btn-block" type="submit">
+        Register
+      </button>
+    </div>
+  </form>
+</main>
+{% endblock %}
diff --git a/cycledash/templates/runs.html b/cycledash/templates/runs.html
index e886d4f..c4ed25d 100644
--- a/cycledash/templates/runs.html
+++ b/cycledash/templates/runs.html
@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block body %}
-{{ nav("runs") }}
+{{ nav("runs", current_user) }}
 <main id="runs"></main>
 <script type="text/javascript" src="/static/js/dist/bundled.js"></script>
 <script>
diff --git a/cycledash/templates/tasks.html b/cycledash/templates/tasks.html
index 8baddaf..cea7b7a 100644
--- a/cycledash/templates/tasks.html
+++ b/cycledash/templates/tasks.html
@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block body %}
-{{ nav("tasks") }}
+{{ nav("tasks", current_user) }}
 <main>
   <section>
     <h3>Task State</h3>
diff --git a/cycledash/validations.py b/cycledash/validations.py
index dbb2391..c0dc81d 100644
--- a/cycledash/validations.py
+++ b/cycledash/validations.py
@@ -20,9 +20,15 @@ def expect_one_of(dct, *args):
     error = Invalid(error_string)
     raise MultipleInvalid(errors=[error])
 
+
 def is_path(s):
     return s[0] == '/' or s.startswith('file://') or s.startswith('hdfs://')
 
+
+def is_email(s):
+    return '@' in s
+
+
 PathString = All(unicode,
                  Length(min=1),
                  Msg(truth(is_path),
@@ -142,3 +148,26 @@ def is_path(s):
     "comment_text": basestring,
     "author_name": basestring,
 })
+
+
+################
+# Registration #
+################
+
+RegisterUser = Schema({
+    Required('username'): basestring,
+    Required('email'): All(basestring,
+                           Msg(truth(is_email), 'Must be a valid email.')),
+    Required('password1'): All(basestring, Length(min=8)),
+    Required('password2'): All(basestring, Length(min=8))
+})
+
+
+#########
+# Login #
+#########
+
+LoginUser = Schema({
+    Required('username'): basestring,
+    Required('password'): basestring
+})
diff --git a/cycledash/views.py b/cycledash/views.py
index 0916a58..33a781b 100644
--- a/cycledash/views.py
+++ b/cycledash/views.py
@@ -2,22 +2,20 @@
 """Defines all views for CycleDash."""
 import json
 import tempfile
-
-from flask import request, render_template, jsonify, send_file
-from sqlalchemy import select, desc
+from flask import request, redirect, render_template, send_file
+from flask.ext.login import login_required
+from sqlalchemy import select, desc, exc
+import voluptuous
 
 from common.relational_vcf import genotypes_to_file
 from common.helpers import tables
-
-from cycledash import app, db, api
-from cycledash.helpers import error_response, get_secure_unique_filename, camelcase_dict
-import cycledash.genotypes
-import cycledash.comments
-import cycledash.runs
-import cycledash.tasks
-import cycledash.bams
-import cycledash.projects
+from cycledash import app, db, api, login_manager, bcrypt
+import cycledash.auth as auth
+from cycledash.helpers import (error_response, get_secure_unique_filename,
+                               camelcase_dict, prepare_request_data)
+import cycledash.api as API
 from workers.shared import worker
+from validations import RegisterUser, LoginUser
 
 
 ######################
@@ -25,39 +23,39 @@
 ######################
 
 # All paths prefixed with /api/ (cf. __init__.py)
-api.add_resource(cycledash.runs.RunList, '/runs',
+api.add_resource(API.runs.RunList, '/runs',
                  endpoint='api:runlist')
-api.add_resource(cycledash.runs.Run, '/runs/<int:run_id>',
+api.add_resource(API.runs.Run, '/runs/<int:run_id>',
                  endpoint='api:run')
 
-api.add_resource(cycledash.projects.ProjectList, '/projects',
+api.add_resource(API.projects.ProjectList, '/projects',
                  endpoint='api:projectlist')
-api.add_resource(cycledash.projects.Project, '/projects/<int:project_id>',
+api.add_resource(API.projects.Project, '/projects/<int:project_id>',
                  endpoint='api:project')
 
-api.add_resource(cycledash.bams.BamList, '/bams',
+api.add_resource(API.bams.BamList, '/bams',
                  endpoint='api:bamlist')
-api.add_resource(cycledash.bams.Bam, '/bams/<int:bam_id>',
+api.add_resource(API.bams.Bam, '/bams/<int:bam_id>',
                  endpoint='api:bam')
 
-api.add_resource(cycledash.tasks.TaskList,
+api.add_resource(API.tasks.TaskList,
                  '/runs/<int:run_id>/tasks',
                  endpoint='api:tasks')
-api.add_resource(cycledash.tasks.TasksRestart,
+api.add_resource(API.tasks.TasksRestart,
                  '/runs/<int:run_id>/tasks/restart',
                  endpoint='api:tasksrestart')
 
-api.add_resource(cycledash.comments.CommentList,
+api.add_resource(API.comments.CommentList,
                  '/runs/<int:run_id>/comments',
                  endpoint='api:commentlist')
-api.add_resource(cycledash.comments.Comment,
+api.add_resource(API.comments.Comment,
                  '/runs/<int:run_id>/comments/<int:comment_id>',
                  endpoint='api:comment')
-api.add_resource(cycledash.comments.CommentsForVcf,
+api.add_resource(API.comments.CommentsForVcf,
                  '/runs/<int:run_id>/comments/byrow',
                  endpoint='api:commentsforvcf')
 
-api.add_resource(cycledash.genotypes.Genotypes,
+api.add_resource(API.genotypes.Genotypes,
                  '/runs/<int:run_id>/genotypes',
                  endpoint='api:genotypes')
 
@@ -66,30 +64,58 @@
 # HTML Views #
 ##############
 
+@app.route('/login', methods=['GET', 'POST'])
+def login():
+    if request.method == 'GET':
+        return render_template('login.html')
+    else:
+        return auth.login()
+
+
+@app.route('/logout', methods=['POST'])
+def logout():
+    auth.logout()
+    return redirect('about')
+
+
+@app.route('/register', methods=['GET', 'POST'])
+def register_user():
+    if request.method == 'GET':
+        return render_template('register.html')
+    else:
+        return auth.register()
+
+
 @app.route('/')
+@login_required
 def home():
-    project_trees = cycledash.projects.get_projects_tree()
-    comments = cycledash.comments.get_last_comments(n=5)
+    project_trees = API.projects.get_projects_tree()
+    comments = API.comments.get_last_comments(n=5)
     return render_template('runs.html', last_comments=comments,
                            project_trees=project_trees)
 
+
 @app.route('/about')
 def about():
     return render_template('about.html')
 
+
 @app.route('/runs/<int:run_id>/tasks')
+@login_required
 def tasks(run_id):
     with tables(db.engine, 'task_states') as (con, tasks):
         tasks = select([tasks.c.task_id, tasks.c.type, tasks.c.state]).where(
             tasks.c.vcf_id == run_id)
-        tasks = [{'type': cycledash.tasks._simplify_type(typ),
+        tasks = [{'type': API.tasks._simplify_type(typ),
                   'state': state,
                   # pylint: disable=too-many-function-args
                   'traceback': worker.AsyncResult(task_id).traceback}
                  for task_id, typ, state in tasks.execute().fetchall()]
     return render_template('tasks.html', tasks=tasks, run_id=run_id)
 
+
 @app.route('/runs/<int:run_id>/examine')
+@login_required
 def examine(run_id):
     with tables(db.engine, 'vcfs', 'bams') as (con, runs, bams):
         q = select(runs.c).where(runs.c.id == run_id)
@@ -98,8 +124,8 @@ def examine(run_id):
             return error_response('Invalid run', 'Invalid run: %s' % run_id)
         else:
             run = dict(run)
-            run['spec'] = cycledash.genotypes.spec(run_id)
-            run['contigs'] = cycledash.genotypes.contigs(run_id)
+            run['spec'] = API.genotypes.spec(run_id)
+            run['contigs'] = API.genotypes.contigs(run_id)
             # Ideally we could use e.g. cycledash.bams.Bam.get(bam_id)
             for bam_type in ['normal', 'tumor']:
                 bam_id = run[bam_type + '_bam_id']
@@ -109,15 +135,17 @@ def examine(run_id):
                     del run[bam_type + '_bam_id']
     return render_template('examine.html',
                            vcf=run,
-                           vcfs=cycledash.runs.get_related_vcfs(run))
+                           vcfs=API.runs.get_related_vcfs(run))
+
 
 @app.route('/comments')
+@login_required
 def comments():
     with tables(db.engine, 'user_comments') as (con, comments):
         comments = comments.select().order_by(desc(comments.c.id))
         comments = [camelcase_dict(dict(c))
                     for c in comments.execute().fetchall()]
-        comments = cycledash.comments.epochify_comments(comments)
+        comments = API.comments.epochify_comments(comments)
     return render_template('comments.html', comments=comments)
 
 
@@ -128,9 +156,10 @@ def comments():
 VCF_FILENAME = 'cycledash-run-{}.vcf'
 
 @app.route('/runs/<int:run_id>/download')
+@login_required
 def download_vcf(run_id):
     query = json.loads(request.args.get('query'))
-    genotypes = cycledash.genotypes.genotypes_for_records(run_id, query)
+    genotypes = API.genotypes.genotypes_for_records(run_id, query)
     fd = tempfile.NamedTemporaryFile(mode='w+b')
     with tables(db, 'vcfs') as (con, vcfs):
         q = select(
@@ -144,6 +173,7 @@ def download_vcf(run_id):
 
 
 @app.route('/upload', methods=['POST'])
+@login_required
 def upload_vcf():
     """Write the uploaded file to a temporary directory and return its path."""
     f = request.files['file']
diff --git a/requirements.txt b/requirements.txt
index 21d9281..3290dab 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,3 +29,5 @@ varcode==0.3.11
 mock==1.0.1
 flask-restful==0.3.2
 seltest==0.2.8
+flask-login==0.2.11
+flask-bcrypt==0.6.2
diff --git a/schema.sql b/schema.sql
index 039b574..56249bf 100644
--- a/schema.sql
+++ b/schema.sql
@@ -1,3 +1,10 @@
+CREATE TABLE users (
+       id BIGSERIAL PRIMARY KEY,
+       username TEXT UNIQUE NOT NULL,
+       password TEXT NOT NULL,
+       email TEXT UNIQUE NOT NULL
+);
+
 CREATE TABLE projects (
        id BIGSERIAL PRIMARY KEY,
        name TEXT UNIQUE NOT NULL,
diff --git a/scripts/travis-run-pdiff-tests.sh b/scripts/travis-run-pdiff-tests.sh
index 07dd1fc..594c589 100755
--- a/scripts/travis-run-pdiff-tests.sh
+++ b/scripts/travis-run-pdiff-tests.sh
@@ -8,7 +8,7 @@ gulp prod
 SELTEST_CAPABILITIES=scripts/seltest-remote-capabilities.json
 SAUCE_URL='ondemand.saucelabs.com:80/wd/hub'
 
-python run.py > test-server-logs.txt 2>&1 &
+LOGIN_DISABLED=true python run.py > test-server-logs.txt 2>&1 &
 RUN_PID=$!
 trap "kill $RUN_PID" EXIT
 
diff --git a/scripts/update-screenshots.sh b/scripts/update-screenshots.sh
index 45210a6..1cfd5d6 100755
--- a/scripts/update-screenshots.sh
+++ b/scripts/update-screenshots.sh
@@ -54,7 +54,7 @@ echo -n "Creating test DB, logging to $DB_LOGS..."
 echo "done."
 
 echo -n "Starting test server, logging to $RUN_SERVER_LOGS..."
-python run.py > $RUN_SERVER_LOGS 2>&1 &
+LOGIN_DISABLED=true python run.py > $RUN_SERVER_LOGS 2>&1 &
 RUN_PID=$!
 echo "done."
 
diff --git a/tests/ENV.sh b/tests/ENV.sh
index 5deb5d9..ccbff7a 100755
--- a/tests/ENV.sh
+++ b/tests/ENV.sh
@@ -7,3 +7,5 @@ export IGV_HTTPFS_URL='http://example.com:123456'
 export ALLOW_LOCAL_VCFS=true
 export CELERY_BACKEND='db+sqlite:///celery-dpxdt.db'
 export CELERY_BROKER='amqp://localhost'
+export SECRET_KEY='TESTSECRETS'
+export BCRYPT_LOG_ROUNDS=1
diff --git a/tests/pdifftests/images/examine_bad-query.png b/tests/pdifftests/images/examine_bad-query.png
index bb5e42d..1cbd7bb 100644
Binary files a/tests/pdifftests/images/examine_bad-query.png and b/tests/pdifftests/images/examine_bad-query.png differ
diff --git a/tests/pdifftests/images/examine_base.png b/tests/pdifftests/images/examine_base.png
index cf11372..fd95c72 100644
Binary files a/tests/pdifftests/images/examine_base.png and b/tests/pdifftests/images/examine_base.png differ
diff --git a/tests/pdifftests/images/examine_comments-edit.png b/tests/pdifftests/images/examine_comments-edit.png
index 8391ed6..f7aeb63 100644
Binary files a/tests/pdifftests/images/examine_comments-edit.png and b/tests/pdifftests/images/examine_comments-edit.png differ
diff --git a/tests/pdifftests/images/examine_comments-view.png b/tests/pdifftests/images/examine_comments-view.png
index 2b74722..1103e93 100644
Binary files a/tests/pdifftests/images/examine_comments-view.png and b/tests/pdifftests/images/examine_comments-view.png differ
diff --git a/tests/pdifftests/images/examine_filter.png b/tests/pdifftests/images/examine_filter.png
index 420eb4b..1cb2716 100644
Binary files a/tests/pdifftests/images/examine_filter.png and b/tests/pdifftests/images/examine_filter.png differ
diff --git a/tests/pdifftests/images/examine_sorted.png b/tests/pdifftests/images/examine_sorted.png
index b902417..3174d56 100644
Binary files a/tests/pdifftests/images/examine_sorted.png and b/tests/pdifftests/images/examine_sorted.png differ
diff --git a/tests/pdifftests/images/examine_tooltip.png b/tests/pdifftests/images/examine_tooltip.png
index 080522c..452458e 100644
Binary files a/tests/pdifftests/images/examine_tooltip.png and b/tests/pdifftests/images/examine_tooltip.png differ
diff --git a/tests/pdifftests/images/examine_validation.png b/tests/pdifftests/images/examine_validation.png
index 428eba7..bd92153 100644
Binary files a/tests/pdifftests/images/examine_validation.png and b/tests/pdifftests/images/examine_validation.png differ
diff --git a/tests/pdifftests/images/runs_add-bam.png b/tests/pdifftests/images/runs_add-bam.png
index 4a4f00e..2aac0bf 100644
Binary files a/tests/pdifftests/images/runs_add-bam.png and b/tests/pdifftests/images/runs_add-bam.png differ
diff --git a/tests/pdifftests/images/runs_add-run.png b/tests/pdifftests/images/runs_add-run.png
index 4b145d0..493fdc8 100644
Binary files a/tests/pdifftests/images/runs_add-run.png and b/tests/pdifftests/images/runs_add-run.png differ
diff --git a/tests/pdifftests/images/runs_bams.png b/tests/pdifftests/images/runs_bams.png
index 5f3ef63..317c2ee 100644
Binary files a/tests/pdifftests/images/runs_bams.png and b/tests/pdifftests/images/runs_bams.png differ
diff --git a/tests/pdifftests/images/runs_info.png b/tests/pdifftests/images/runs_info.png
index ada7af0..cb19dbb 100644
Binary files a/tests/pdifftests/images/runs_info.png and b/tests/pdifftests/images/runs_info.png differ
diff --git a/tests/pdifftests/images/runs_page.png b/tests/pdifftests/images/runs_page.png
index 5f3ef63..317c2ee 100644
Binary files a/tests/pdifftests/images/runs_page.png and b/tests/pdifftests/images/runs_page.png differ
diff --git a/tests/pdifftests/images/tasks_page.png b/tests/pdifftests/images/tasks_page.png
index d4c5e8d..c2c7b0c 100644
Binary files a/tests/pdifftests/images/tasks_page.png and b/tests/pdifftests/images/tasks_page.png differ
diff --git a/tests/pdifftests/images/website_about-page.png b/tests/pdifftests/images/website_about-page.png
index 9fa23bf..2a45a77 100644
Binary files a/tests/pdifftests/images/website_about-page.png and b/tests/pdifftests/images/website_about-page.png differ
diff --git a/tests/pdifftests/images/website_comments.png b/tests/pdifftests/images/website_comments.png
index 4485b3f..ad2fe8f 100644
Binary files a/tests/pdifftests/images/website_comments.png and b/tests/pdifftests/images/website_comments.png differ
diff --git a/tests/pdifftests/images/website_login.png b/tests/pdifftests/images/website_login.png
new file mode 100644
index 0000000..674dc3f
Binary files /dev/null and b/tests/pdifftests/images/website_login.png differ
diff --git a/tests/pdifftests/images/website_register.png b/tests/pdifftests/images/website_register.png
new file mode 100644
index 0000000..d5315f0
Binary files /dev/null and b/tests/pdifftests/images/website_register.png differ
diff --git a/tests/pdifftests/test.py b/tests/pdifftests/test.py
index 95b97e7..39c8f4f 100644
--- a/tests/pdifftests/test.py
+++ b/tests/pdifftests/test.py
@@ -22,6 +22,17 @@ def comments(self, driver):
         """Initial view of the comments page."""
         pass
 
+    @url('/login')
+    def login(self, driver):
+        """View of the login page."""
+        pass
+
+    @url('/register')
+    def register(self, driver):
+        """View of the registration page."""
+        pass
+
+
 class Runs(Base):
     window_size = [1280, 800]
     base_url = BASE
@@ -58,6 +69,7 @@ def add_run(self, driver):
         add_run = driver.find_element_by_css_selector(add_run_btn_sel)
         add_run.click()
 
+
 class Tasks(Base):
     window_size = [1280, 800]
     base_url = BASE + '/runs/1/tasks'
@@ -66,6 +78,7 @@ def page(self, driver):
         """Tasks view for a particular run."""
         pass
 
+
 class Examine(Base):
     window_size = [1280, 800]
     base_url = BASE + '/runs/1/examine'
diff --git a/tests/python/helpers.py b/tests/python/helpers.py
index dbd700d..87d8532 100644
--- a/tests/python/helpers.py
+++ b/tests/python/helpers.py
@@ -1,11 +1,100 @@
 """Helpers for Python tests"""
+import base64
 import common.helpers
+import json
+import sqlalchemy
+import unittest
 
+from cycledash import bcrypt, app, db
+from common.helpers import tables
 
-def delete_tables(engine, *table_names):
-    """Delete all rows from tables in `table_names' in order."""
-    with common.helpers.tables(engine, *table_names) as tables:
-        connection = tables[0]
-        tables = tables[1:]
-        for table in tables:
-            table.delete().execute()
+
+def create_user(db, username, password, email):
+    with common.helpers.tables(db.engine, 'users') as (con, users):
+        password_hash = bcrypt.generate_password_hash(password)
+        user = users.insert({
+            'username': username,
+            'password': password_hash,
+            'email': email
+        }).returning(*users.c).execute().fetchone()
+    return user
+
+
+def insert_user(db, username=None, password=None):
+    username = username or 'testuser'
+    password = password or 'password'
+    email = '{}@example.com'.format(username)
+    create_user(db, username, password, email)
+    return {'username': username, 'password': password}
+
+
+def delete_tables(db, table_names):
+    """Delete all records from table_name."""
+    with tables(db.engine, *table_names) as tpl:
+        for tbl in tpl[1:]:
+            tbl.delete().execute()
+
+def delete_table(db, table_name):
+    delete_tables(db, [table_name])
+
+
+def delete_all_records(db):
+    """Deletes all records in all tables in the given `db`."""
+    with tables(db.engine) as (connection,):
+        metadata = sqlalchemy.MetaData(bind=connection)
+        metadata.reflect()
+        # We delete the tables in order of dependency, so that foreign-key
+        # relationships don't prevent a table from being deleted.
+        for tbl in reversed(metadata.sorted_tables):
+            tbl.delete().execute()
+
+
+class ResourceTest(object):
+    """Convenience class adding Authorized header to each request, encoding data as
+    JSON.
+
+    If no_auth is set to True on the class, the authorized user isn't created or
+    sent with the request.
+    """
+    app = app
+    db = db
+
+    @classmethod
+    def setUpClass(cls):
+        if not getattr(cls, 'no_auth', False):
+            cls.auth = insert_user(cls.db)
+        cls.app = cls.app.test_client()
+
+    @classmethod
+    def tearDownClass(cls):
+        delete_all_records(cls.db)
+
+    def _request(self, method, url, data=None, headers=None, **kwargs):
+        assert hasattr(self, 'app'), 'self.app must be set'
+        if headers is None:
+                headers = {}
+        if self.auth:
+            username = self.auth['username']
+            password = self.auth['password']
+            encoded = base64.encodestring(':'.join([username, password]))[:-1]
+            headers['Authorization'] = 'Basic {}'.format(encoded)
+        meth = getattr(self.app, method)
+        return meth(url,
+                    headers=headers,
+                    data=json.dumps(data) if data else None,
+                    **kwargs)
+
+    def post(self, url, data=None, headers=None, **kwargs):
+        return self._request('post', url, data, headers, **kwargs)
+
+    def get(self, url, data=None, headers=None, **kwargs):
+        return self._request('get', url, data, headers, **kwargs)
+
+    def put(self, url, data=None, headers=None, **kwargs):
+        return self._request('put', url, data, headers, **kwargs)
+
+    def delete(self, url, data=None, headers=None, **kwargs):
+        return self._request('delete', url, data, headers, **kwargs)
+
+    def header(self, url, data=None, headers=None, **kwargs):
+        return self._request('header', url, data, headers, **kwargs)
diff --git a/tests/python/test_authentication.py b/tests/python/test_authentication.py
new file mode 100644
index 0000000..c89158d
--- /dev/null
+++ b/tests/python/test_authentication.py
@@ -0,0 +1,65 @@
+"""Tests to make sure authentication is present + working."""
+
+
+from flask.ext.login import login_user
+import mock
+import nose
+import nose.tools as asserts
+
+from cycledash import app, db
+from common.helpers import tables, find
+import cycledash.views
+import cycledash.auth
+
+from test_projects_api import create_project_with_name
+from test_bams_api import create_bam_with_name
+from test_runs_api import create_run_with_uri
+from test_comments_api import create_comment_with_text
+import helpers
+
+
+client = app.test_client()
+
+
+def status_code_for_url(url, method='GET'):
+    s = getattr(client, method.lower())(url).status_code
+    # print method, url, s
+    return s
+
+
+class TestViews(object):
+    @classmethod
+    def setUpClass(cls):
+        cls.auth = helpers.insert_user(db)
+
+    @classmethod
+    def tearDownClass(cls):
+        helpers.delete_all_records(db)
+
+
+    def test_401s(self):
+        codes = set()
+        for resource in ['projects', 'bams', 'runs']:
+            base = '/api/{}'.format(resource)
+            codes.add(status_code_for_url(base))
+            codes.add(status_code_for_url(base+'/1'))
+            codes.add(status_code_for_url(base, method='POST'))
+            codes.add(status_code_for_url(base+'/1', method='PUT'))
+            codes.add(status_code_for_url(base+'/1', method='DELETE'))
+
+        base = '/api/runs/1'
+        codes.add(status_code_for_url(base+'/genotypes'))
+
+        comments_base = base+'/comments'
+        codes.add(status_code_for_url(comments_base))
+        codes.add(status_code_for_url(comments_base, method='POST'))
+        codes.add(status_code_for_url(comments_base+'/1'))
+        codes.add(status_code_for_url(comments_base+'/1', method='PUT'))
+        codes.add(status_code_for_url(comments_base+'/1', method='DELETE'))
+        codes.add(status_code_for_url(comments_base+'/byrow'))
+
+        tasks_base = base + '/tasks'
+        codes.add(status_code_for_url(tasks_base))
+        codes.add(status_code_for_url(tasks_base+'/restart', method='POST'))
+
+        asserts.eq_(codes, set([401]))
diff --git a/tests/python/test_bams_api.py b/tests/python/test_bams_api.py
index 179b4e6..741d1d1 100644
--- a/tests/python/test_bams_api.py
+++ b/tests/python/test_bams_api.py
@@ -2,10 +2,11 @@
 import nose
 import json
 
-from cycledash import app, db
+from cycledash import db
 from common.helpers import tables
 
 from test_projects_api import create_project_with_name
+import helpers
 
 
 def create_bam_with_name(project_id, name, uri='hdfs://testbam.bam'):
@@ -17,30 +18,29 @@ def create_bam_with_name(project_id, name, uri='hdfs://testbam.bam'):
         return dict(res.fetchone())
 
 
-class TestBamsAPI(object):
+class TestBamsAPI(helpers.ResourceTest):
     PROJECT_NAME = 'TEST PROJECT BAM'
     BAM_NAME = 'something bam name'
     PATH = 'hdfs://somebam.bam'
 
-    def setUp(self):
-        self.app = app.test_client()
-        self.project = create_project_with_name(self.PROJECT_NAME)
+    @classmethod
+    def setUpClass(cls):
+        cls.project = create_project_with_name(cls.PROJECT_NAME)
+        return super(TestBamsAPI, cls).setUpClass()
 
     def tearDown(self):
-        with tables(db.engine, 'projects', 'bams') as (con, projects, bams):
-            bams.delete(bams.c.name == self.BAM_NAME).execute()
-            projects.delete(projects.c.name == self.PROJECT_NAME).execute()
+        helpers.delete_table(db, 'bams')
 
     @mock.patch('workers.indexer.index.delay', lambda *args, **kwargs: True)
     def test_create_bam(self):
         NOTES = 'random notes'
         TISSUES = 'left ovary etc'
-        r = self.app.post('/api/bams',
-                          data=json.dumps({'name': self.BAM_NAME,
-                                           'notes': NOTES,
-                                           'tissues': TISSUES,
-                                           'uri': self.PATH,
-                                           'projectId': self.project['id']}))
+        r = self.post('/api/bams',
+                      data={'name': self.BAM_NAME,
+                            'notes': NOTES,
+                            'tissues': TISSUES,
+                            'uri': self.PATH,
+                            'projectId': self.project['id']})
         assert r.status_code == 201
         assert isinstance(json.loads(r.data)['id'], int)
         assert json.loads(r.data)['projectId'] == self.project['id']
@@ -51,10 +51,10 @@ def test_create_bam(self):
 
     @mock.patch('workers.indexer.index.delay', lambda *args, **kwargs: True)
     def test_create_bam_with_project_name(self):
-        r = self.app.post('/api/bams',
-                          data=json.dumps({'name': self.BAM_NAME,
-                                           'uri': self.PATH,
-                                           'projectName': self.project['name']}))
+        r = self.post('/api/bams',
+                      data={'name': self.BAM_NAME,
+                            'uri': self.PATH,
+                            'projectName': self.project['name']})
         assert r.status_code == 201
         assert isinstance(json.loads(r.data)['id'], int)
         assert json.loads(r.data)['projectId'] == self.project['id']
@@ -62,25 +62,25 @@ def test_create_bam_with_project_name(self):
         assert json.loads(r.data)['uri'] == self.PATH
 
     def test_create_bam_without_project(self):
-        r = self.app.post('/api/bams',
-                          data=json.dumps({'name': self.BAM_NAME,
-                                           'uri': self.PATH}))
+        r = self.post('/api/bams',
+                      data={'name': self.BAM_NAME,
+                            'uri': self.PATH})
         assert r.status_code == 409
         assert 'is required' in json.loads(r.data)['errors'][0]
         assert 'Validation error' in json.loads(r.data)['message']
 
     def test_create_bam_with_nonexistent_project(self):
-        r = self.app.post('/api/bams',
-                          data=json.dumps({'name': self.BAM_NAME,
-                                           'uri': self.PATH,
-                                           'projectId': 1000000000}))
+        r = self.post('/api/bams',
+                      data={'name': self.BAM_NAME,
+                            'uri': self.PATH,
+                            'projectId': 1000000000})
         assert r.status_code == 404
         assert 'not found' in json.loads(r.data)['message']
 
     def test_get_bam(self):
         bam = create_bam_with_name(self.project['id'], self.BAM_NAME)
 
-        r = self.app.get('/api/bams/{}'.format(bam['id']))
+        r = self.get('/api/bams/{}'.format(bam['id']))
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == bam['id']
         assert json.loads(r.data)['name'] == bam['name']
@@ -88,7 +88,7 @@ def test_get_bam(self):
 
     def test_get_bams(self):
         bam = create_bam_with_name(self.project['id'], self.BAM_NAME)
-        r = self.app.get('/api/bams')
+        r = self.get('/api/bams')
         bams = json.loads(r.data)['bams']
         assert r.status_code == 200
         assert isinstance(bams, list)
@@ -99,8 +99,8 @@ def test_update_bam(self):
         bam = create_bam_with_name(self.project['id'], self.BAM_NAME)
 
         NEW_NOTES = 'these are new BAM notes'
-        r = self.app.put('/api/bams/{}'.format(bam['id']),
-                         data=json.dumps({'notes': NEW_NOTES}))
+        r = self.put('/api/bams/{}'.format(bam['id']),
+                     data={'notes': NEW_NOTES})
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == bam['id']
         assert json.loads(r.data)['name'] == bam['name']
@@ -109,9 +109,9 @@ def test_update_bam(self):
 
     def test_delete_bam(self):
         bam = create_bam_with_name(self.project['id'], self.BAM_NAME)
-        r = self.app.delete('/api/bams/{}'.format(bam['id']))
+        r = self.delete('/api/bams/{}'.format(bam['id']))
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == bam['id']
         assert json.loads(r.data)['name'] == bam['name']
-        r = self.app.get('/api/bams/{}'.format(bam['id']))
+        r = self.get('/api/bams/{}'.format(bam['id']))
         assert r.status_code == 404
diff --git a/tests/python/test_comments_api.py b/tests/python/test_comments_api.py
index 86c1cec..10c2754 100644
--- a/tests/python/test_comments_api.py
+++ b/tests/python/test_comments_api.py
@@ -8,6 +8,7 @@
 
 from test_projects_api import create_project_with_name
 from test_runs_api import create_run_with_uri
+import helpers
 
 
 def create_comment_with_text(run_id, text):
@@ -24,28 +25,26 @@ def create_comment_with_text(run_id, text):
         return dict(res.fetchone())
 
 
-class TestCommentsAPI(object):
-    def setUp(self):
-        self.app = app.test_client()
-        self.project = create_project_with_name('project')
-        self.run = create_run_with_uri(self.project['id'], 'hdfs://somevcf.vcf')
+class TestCommentsAPI(helpers.ResourceTest):
+    @classmethod
+    def setUpClass(cls):
+        cls.project = create_project_with_name('project')
+        cls.run = create_run_with_uri(cls.project['id'], 'hdfs://somevcf.vcf')
+        return super(TestCommentsAPI, cls).setUpClass()
 
     def tearDown(self):
-        with tables(db.engine, 'vcfs', 'projects', 'user_comments') as (con, runs, projects, comments):
-            comments.delete().execute()
-            runs.delete().execute()
-            projects.delete().execute()
+        helpers.delete_table(db, 'user_comments')
 
     def test_create_comment(self):
         comment_text = 'The Testing Caller'
-        r = self.app.post('/api/runs/{}/comments'.format(self.run['id']),
-                          data=json.dumps({'sampleName': 'samp',
-                                           'contig': 'chr2',
-                                           'position': 123,
-                                           'reference': 'C',
-                                           'alternates': 'A,G',
-                                           'commentText': comment_text,
-                                           'authorName': 'Tester McGee'}))
+        r = self.post('/api/runs/{}/comments'.format(self.run['id']),
+                      data={'sampleName': 'samp',
+                            'contig': 'chr2',
+                            'position': 123,
+                            'reference': 'C',
+                            'alternates': 'A,G',
+                            'commentText': comment_text,
+                            'authorName': 'Tester McGee'})
         data = json.loads(r.data)
         assert r.status_code == 201
         assert isinstance(json.loads(r.data)['id'], int)
@@ -61,7 +60,7 @@ def test_create_comment(self):
     def test_get_comment(self):
         text = 'this is some comment text'
         comment = create_comment_with_text(self.run['id'], text)
-        r = self.app.get('/api/runs/{}/comments/{}'.format(
+        r = self.get('/api/runs/{}/comments/{}'.format(
             self.run['id'], comment['id']))
         data = json.loads(r.data)
         assert r.status_code == 200
@@ -71,7 +70,7 @@ def test_get_comment(self):
     def test_get_comments(self):
         comment1 = create_comment_with_text(self.run['id'], 'comment1')
         comment2 = create_comment_with_text(self.run['id'], 'comment2')
-        r = self.app.get('/api/runs/{}/comments'.format(self.run['id']))
+        r = self.get('/api/runs/{}/comments'.format(self.run['id']))
         comments = json.loads(r.data)['comments']
         assert r.status_code == 200
         assert isinstance(comments, list)
@@ -83,10 +82,10 @@ def test_update_comment(self):
         new_text = 'NEW TEXT!'
         new_author = 'NEW AUTHOR!'
         comment = create_comment_with_text(self.run['id'], 'some text')
-        r = self.app.put('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
-                         data=json.dumps({'commentText': new_text,
-                                          'authorName': new_author,
-                                          'last_modified': to_epoch(comment['last_modified'])}))
+        r = self.put('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
+                     data={'commentText': new_text,
+                           'authorName': new_author,
+                           'last_modified': to_epoch(comment['last_modified'])})
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == comment['id']
         assert json.loads(r.data)['commentText'] == new_text
@@ -94,38 +93,37 @@ def test_update_comment(self):
 
     def test_update_comment_without_timestamp(self):
         comment = create_comment_with_text(self.run['id'], 'some text')
-        r = self.app.put('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
-                         data=json.dumps({'commentText': 'blah'}))
+        r = self.put('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
+                         data={'commentText': 'blah'})
         assert r.status_code == 400
 
     def test_update_with_out_of_date_timestamp(self):
         comment = create_comment_with_text(self.run['id'], 'some text')
         now = datetime.datetime.now()
-        r = self.app.put('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
-                         data=json.dumps({'commentText': 'blah',
-                                          'lastModified': to_epoch(now)}))
+        r = self.put('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
+                         data={'commentText': 'blah',
+                               'lastModified': to_epoch(now)})
         assert r.status_code == 409
         assert 'out of date' in json.loads(r.data)['message']
 
     def test_delete_comment(self):
         comment = create_comment_with_text(self.run['id'], 'some text')
-        r = self.app.delete('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
-                            data=json.dumps({'lastModified': to_epoch(comment['last_modified'])}))
+        r = self.delete('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
+                            data={'lastModified': to_epoch(comment['last_modified'])})
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == comment['id']
-        r = self.app.get('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']))
+        r = self.get('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']))
         assert r.status_code == 404
 
     def test_delete_comment_without_timestamp(self):
         comment = create_comment_with_text(self.run['id'], 'some text')
-        r = self.app.delete('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']))
-        print r.data, r.status_code
+        r = self.delete('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']))
         assert r.status_code == 400
 
     def test_delete_with_out_of_date_timestamp(self):
         comment = create_comment_with_text(self.run['id'], 'some text')
         now = datetime.datetime.now()
-        r = self.app.delete('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
-                         data=json.dumps({'lastModified': to_epoch(now)}))
+        r = self.delete('/api/runs/{}/comments/{}'.format(self.run['id'], comment['id']),
+                         data={'lastModified': to_epoch(now)})
         assert r.status_code == 409
         assert 'out of date' in json.loads(r.data)['message']
diff --git a/tests/python/test_genotype_extractor_worker.py b/tests/python/test_genotype_extractor_worker.py
index f99b934..b5658db 100644
--- a/tests/python/test_genotype_extractor_worker.py
+++ b/tests/python/test_genotype_extractor_worker.py
@@ -7,12 +7,12 @@
 
 from cycledash import app, db
 from common.helpers import tables, find
+from workers.genotype_extractor import _extract
 
 from test_projects_api import create_project_with_name
 from test_bams_api import create_bam_with_name
 from test_runs_api import create_run_with_uri
-
-from workers.genotype_extractor import _extract
+import helpers
 
 
 class TestGenotypeExtractorWorker(object):
@@ -26,6 +26,9 @@ def tearDown(self):
             runs.delete().execute()
             projects.delete().execute()
 
+    @classmethod
+    def tearDownClass(cls):
+        helpers.delete_all_records(db)
 
     def test_extraction(self):
         _extract(self.run['id'])
diff --git a/tests/python/test_genotypes_api.py b/tests/python/test_genotypes_api.py
index e7e360f..55f237e 100644
--- a/tests/python/test_genotypes_api.py
+++ b/tests/python/test_genotypes_api.py
@@ -4,13 +4,13 @@
 import json
 
 from cycledash import db
-from cycledash import genotypes
+from cycledash.api import genotypes
 from common.helpers import tables, pick
 from workers.genotype_extractor import _extract
 
 from test_projects_api import create_project_with_name
 from test_runs_api import create_run_with_uri
-from helpers import delete_tables
+import helpers
 
 
 class TestGenotypesAPI(object):
@@ -25,7 +25,7 @@ def setUpClass(cls):
 
     @classmethod
     def tearDownClass(cls):
-        delete_tables(db.engine, 'genotypes', 'vcfs', 'bams', 'projects')
+        helpers.delete_all_records(db)
 
     def test_number_of_genotypes_normal_sample_name(self):
         run_id = self.chr_run['id']
diff --git a/tests/python/test_genotypes_stats_api.py b/tests/python/test_genotypes_stats_api.py
index bc9e343..a93bc2b 100644
--- a/tests/python/test_genotypes_stats_api.py
+++ b/tests/python/test_genotypes_stats_api.py
@@ -5,13 +5,13 @@
 import json
 
 from cycledash import db
-from cycledash import genotypes
+from cycledash.api import genotypes
 from common.helpers import tables
 from workers.genotype_extractor import _extract
 
 from test_projects_api import create_project_with_name
 from test_runs_api import create_run_with_uri
-from helpers import delete_tables
+import helpers
 
 
 class TestGenotypesAPI(object):
@@ -26,7 +26,7 @@ def setUpClass(cls):
 
     @classmethod
     def tearDownClass(cls):
-        delete_tables(db.engine, 'genotypes', 'vcfs', 'bams', 'projects')
+        helpers.delete_all_records(db)
 
     def test_stats_with_entire_truth_vcf(self):
         query = {
diff --git a/tests/python/test_projects_api.py b/tests/python/test_projects_api.py
index 7f34227..aca5b03 100644
--- a/tests/python/test_projects_api.py
+++ b/tests/python/test_projects_api.py
@@ -1,10 +1,11 @@
 import nose
-
 import json
 
-from cycledash import app, db
+from cycledash import db
 from common.helpers import tables
 
+import helpers
+
 
 def create_project_with_name(name):
     with tables(db.engine, 'projects') as (con, projects):
@@ -12,22 +13,18 @@ def create_project_with_name(name):
         return dict(res.fetchone())
 
 
-class TestProjectAPI(object):
+class TestProjectAPI(helpers.ResourceTest):
     PROJECT_NAME = 'TEST PROJECT'
     NOTES = 'these are some project notes'
     NEW_NOTES = 'these are new project notes'
 
-    def setUp(self):
-        self.app = app.test_client()
-
     def tearDown(self):
-        with tables(db.engine, 'projects') as (con, projects):
-            res = projects.delete(projects.c.name == self.PROJECT_NAME).execute()
+        helpers.delete_table(db, 'projects')
 
     def test_create_project(self):
-        r = self.app.post('/api/projects',
-                          data=json.dumps({'name': self.PROJECT_NAME,
-                                           'notes': self.NOTES}))
+        r = self.post('/api/projects',
+                      data={'name': self.PROJECT_NAME,
+                            'notes': self.NOTES})
         assert r.status_code == 201
         assert isinstance(json.loads(r.data)['id'], int)
         assert json.loads(r.data)['name'] == self.PROJECT_NAME
@@ -35,20 +32,20 @@ def test_create_project(self):
 
     def test_create_duplicate_project_name(self):
         create_project_with_name(self.PROJECT_NAME)
-        r = self.app.post('/api/projects',
-                          data=json.dumps({'name': self.PROJECT_NAME}))
+        r = self.post('/api/projects',
+                      data={'name': self.PROJECT_NAME})
         assert r.status_code == 409
         assert 'duplicate key' in json.loads(r.data)['errors'][0]
 
     def test_create_project_without_name(self):
-        r = self.app.post('/api/projects',
-                          data=json.dumps({'notes': 'anything'}))
+        r = self.post('/api/projects',
+                      data={'notes': 'anything'})
         assert r.status_code == 400
         assert "required key not provided @ data['name']" == json.loads(r.data)['errors'][0]
 
     def test_get_project(self):
         project = create_project_with_name(self.PROJECT_NAME)
-        r = self.app.get('/api/projects/{}'.format(project['id']))
+        r = self.get('/api/projects/{}'.format(project['id']))
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == project['id']
         assert json.loads(r.data)['name'] == project['name']
@@ -57,8 +54,9 @@ def test_get_project(self):
 
     def test_get_projects(self):
         project = create_project_with_name(self.PROJECT_NAME)
-        r = self.app.get('/api/projects')
+        r = self.get('/api/projects')
         projects = json.loads(r.data)['projects']
+
         assert r.status_code == 200
         assert isinstance(projects, list)
         assert projects[0]['name'] == self.PROJECT_NAME
@@ -66,8 +64,8 @@ def test_get_projects(self):
 
     def test_update_project(self):
         project = create_project_with_name(self.PROJECT_NAME)
-        r = self.app.put('/api/projects/{}'.format(project['id']),
-                         data=json.dumps({'notes': self.NEW_NOTES}))
+        r = self.put('/api/projects/{}'.format(project['id']),
+                     data={'notes': self.NEW_NOTES})
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == project['id']
         assert json.loads(r.data)['name'] == self.PROJECT_NAME
@@ -76,9 +74,9 @@ def test_update_project(self):
 
     def test_delete_project(self):
         project = create_project_with_name(self.PROJECT_NAME)
-        r = self.app.delete('/api/projects/{}'.format(project['id']))
+        r = self.delete('/api/projects/{}'.format(project['id']))
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == project['id']
         assert json.loads(r.data)['name'] == self.PROJECT_NAME
-        r = self.app.get('/api/projects/{}'.format(project['id']))
+        r = self.get('/api/projects/{}'.format(project['id']))
         assert r.status_code == 404
diff --git a/tests/python/test_runs_api.py b/tests/python/test_runs_api.py
index 9739a4f..e35353f 100644
--- a/tests/python/test_runs_api.py
+++ b/tests/python/test_runs_api.py
@@ -7,6 +7,7 @@
 
 from test_projects_api import create_project_with_name
 from test_bams_api import create_bam_with_name
+import helpers
 
 
 def create_run_with_uri(project_id, uri):
@@ -17,35 +18,34 @@ def create_run_with_uri(project_id, uri):
         return dict(res.fetchone())
 
 
-class TestRunsAPI(object):
+class TestRunsAPI(helpers.ResourceTest):
     NOTES = '--with-awesome=9001'
-    PROJECT_NAME = 'TEST PROJECT BAM'
+    PROJECT_NAME = 'TEST PROJECT RUN'
     BAM_NAME = 'something bam name'
     BAM_PATH = 'hdfs://somebam.bam'
     RUN_PATH = 'hdfs://somevcf.vcf'
 
-    def setUp(self):
-        self.app = app.test_client()
-        self.project = create_project_with_name(self.PROJECT_NAME)
-        self.bam = create_bam_with_name(self.project['id'], self.PROJECT_NAME, uri=self.BAM_PATH)
+    @classmethod
+    def setUpClass(cls):
+        cls.project = create_project_with_name(cls.PROJECT_NAME)
+        cls.bam = create_bam_with_name(
+            cls.project['id'], cls.PROJECT_NAME, uri=cls.BAM_PATH)
+        return super(TestRunsAPI, cls).setUpClass()
 
     def tearDown(self):
-        with tables(db.engine, 'projects', 'bams', 'vcfs') as (con, projects, bams, runs):
-            runs.delete().execute()
-            bams.delete().execute()
-            projects.delete().execute()
+        helpers.delete_table(db, 'vcfs')
 
     @mock.patch('workers.runner', autospec=True)
     @mock.patch('workers.indexer', autospec=True)
     def test_create_run(self, *args):
         caller_name = 'The Testing Caller'
-        r = self.app.post('/api/runs',
-                          data=json.dumps({'callerName': caller_name,
-                                           'notes': self.NOTES,
-                                           'normalBamId': self.bam['id'],
-                                           'tumorBamId': self.bam['id'],
-                                           'uri': self.RUN_PATH,
-                                           'projectId': self.project['id']}))
+        r = self.post('/api/runs',
+                      data={'callerName': caller_name,
+                            'notes': self.NOTES,
+                            'normalBamId': self.bam['id'],
+                            'tumorBamId': self.bam['id'],
+                            'uri': self.RUN_PATH,
+                            'projectId': self.project['id']})
         assert r.status_code == 201
         assert isinstance(json.loads(r.data)['id'], int)
         assert json.loads(r.data)['projectId'] == self.project['id']
@@ -58,10 +58,10 @@ def test_create_run(self, *args):
     @mock.patch('workers.runner', autospec=True)
     @mock.patch('workers.indexer', autospec=True)
     def test_create_run_with_project_and_bam_names(self, *args):
-        r = self.app.post('/api/runs',
-                          data=json.dumps({'normalBamUri': self.BAM_PATH,
-                                           'uri': self.RUN_PATH,
-                                           'projectName': self.project['name']}))
+        r = self.post('/api/runs',
+                      data={'normalBamUri': self.BAM_PATH,
+                            'uri': self.RUN_PATH,
+                            'projectName': self.project['name']})
         assert r.status_code == 201
         assert isinstance(json.loads(r.data)['id'], int)
         assert json.loads(r.data)['projectId'] == self.project['id']
@@ -69,27 +69,27 @@ def test_create_run_with_project_and_bam_names(self, *args):
         assert json.loads(r.data)['uri'] == self.RUN_PATH
 
     def test_create_run_without_project(self):
-        r = self.app.post('/api/runs',
-                          data=json.dumps({'callerName': 'WHOA',
-                                           'uri': self.RUN_PATH}))
+        r = self.post('/api/runs',
+                      data={'callerName': 'WHOA',
+                            'uri': self.RUN_PATH})
         assert r.status_code == 409
         assert 'is required' in json.loads(r.data)['errors'][0]
         assert 'Validation error' in json.loads(r.data)['message']
 
     def test_create_run_with_nonexistent_project(self):
-        r = self.app.post('/api/runs',
-                          data=json.dumps({'uri': self.RUN_PATH,
-                                           'projectId': 1000000000}))
+        r = self.post('/api/runs',
+                      data={'uri': self.RUN_PATH,
+                            'projectId': 1000000000})
         assert r.status_code == 404
         assert 'not found' in json.loads(r.data)['message']
 
     # genotypes.spec is mocked as we aren't running the workers in this test,
     # and getting a run without valid vcf_header currently errors out. Issue
     # #592 is tracking this.
-    @mock.patch('cycledash.genotypes.spec', lambda *args, **kwargs: '')
+    @mock.patch('cycledash.api.genotypes.spec', lambda *args, **kwargs: '')
     def test_get_run(self, *args):
         run = create_run_with_uri(self.project['id'], self.RUN_PATH)
-        r = self.app.get('/api/runs/{}'.format(run['id']))
+        r = self.get('/api/runs/{}'.format(run['id']))
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == run['id']
         assert json.loads(r.data)['uri'] == run['uri']
@@ -97,7 +97,7 @@ def test_get_run(self, *args):
     def test_get_runs(self):
         run1 = create_run_with_uri(self.project['id'], self.RUN_PATH)
         run2 = create_run_with_uri(self.project['id'], 'hdfs://otherpath.vcf')
-        r = self.app.get('/api/runs')
+        r = self.get('/api/runs')
         runs = json.loads(r.data)['runs']
         assert r.status_code == 200
         assert isinstance(runs, list)
@@ -108,16 +108,16 @@ def test_get_runs(self):
     def test_update_run(self):
         new_caller_name = 'NEW NAME!'
         run = create_run_with_uri(self.project['id'], self.RUN_PATH)
-        r = self.app.put('/api/runs/{}'.format(run['id']),
-                         data=json.dumps({'callerName': new_caller_name}))
+        r = self.put('/api/runs/{}'.format(run['id']),
+                         data={'callerName': new_caller_name})
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == run['id']
         assert json.loads(r.data)['callerName'] == new_caller_name
 
     def test_delete_run(self):
         run = create_run_with_uri(self.project['id'], self.RUN_PATH)
-        r = self.app.delete('/api/runs/{}'.format(run['id']))
+        r = self.delete('/api/runs/{}'.format(run['id']))
         assert r.status_code == 200
         assert json.loads(r.data)['id'] == run['id']
-        r = self.app.get('/api/runs/{}'.format(run['id']))
+        r = self.get('/api/runs/{}'.format(run['id']))
         assert r.status_code == 404
diff --git a/tests/python/test_views.py b/tests/python/test_views.py
index 212d007..ac21d19 100644
--- a/tests/python/test_views.py
+++ b/tests/python/test_views.py
@@ -1,17 +1,19 @@
 """Test rendered views of Cycledash."""
+from flask.ext.login import login_user
 import mock
 import nose
 import nose.tools as asserts
 
 from cycledash import app, db
 from common.helpers import tables, find
-from helpers import delete_tables
 import cycledash.views
+import cycledash.auth
 
 from test_projects_api import create_project_with_name
 from test_bams_api import create_bam_with_name
 from test_runs_api import create_run_with_uri
 from test_comments_api import create_comment_with_text
+import helpers
 
 
 PROJECT_NAME = 'Testing'
@@ -23,28 +25,40 @@ class TestViews(object):
     def setUp(self):
         self.ctx = app.test_request_context()
         self.ctx.push()
-        self.project = create_project_with_name(PROJECT_NAME)
-        self.normal_bam = create_bam_with_name(self.project['id'], 'normal',
-                                               uri='/bam/path/normal.bam')
-        self.tumor_bam = create_bam_with_name(self.project['id'], 'tumor',
-                                              uri='/bam/path/tumor.bam')
+        login_user(cycledash.auth.wrap_user(self.user))
+
+    def tearDown(self):
+        self.ctx.pop()
+        mocked.reset_mock()
+
+    @classmethod
+    def setUpClass(cls):
+        cls.user = helpers.create_user(db, 'name', 'password', 'email')
+        cls.project = create_project_with_name(PROJECT_NAME)
+        cls.project1 = create_project_with_name(PROJECT_NAME + '2')
+        cls.normal_bam = create_bam_with_name(cls.project['id'], 'normal',
+                                              uri='/bam/path/normal.bam')
+        cls.tumor_bam = create_bam_with_name(cls.project['id'], 'tumor',
+                                             uri='/bam/path/tumor.bam')
         with tables(db.engine, 'vcfs') as (con, runs):
             res = runs.insert(
                 {'uri': 'file://path/to/something.vcf',
-                 'project_id': self.project['id'],
-                 'normal_bam_id': self.normal_bam['id'],
-                 'tumor_bam_id': self.tumor_bam['id'],
+                 'project_id': cls.project['id'],
+                 'normal_bam_id': cls.normal_bam['id'],
+                 'tumor_bam_id': cls.tumor_bam['id'],
                  'vcf_header': ''}
             ).returning(*runs.c).execute()
-            self.run = dict(res.fetchone())
+            cls.run = dict(res.fetchone())
+        cls.run2 = create_run_with_uri(cls.project['id'], 'hdfs://someuri.vcf')
+        cls.comment1 = create_comment_with_text(cls.run['id'], 'this is some text')
+        cls.comment2 = create_comment_with_text(cls.run['id'], 'more text')
 
-    def tearDown(self):
-        delete_tables(db.engine, 'user_comments', 'vcfs', 'bams', 'projects')
-        self.ctx.pop()
-        mocked.reset_mock()
+    @classmethod
+    def tearDownClass(cls):
+        helpers.delete_all_records(db)
 
     @mock.patch('cycledash.views.render_template', mocked)
-    @mock.patch('cycledash.genotypes')
+    @mock.patch('cycledash.api.genotypes')
     def test_examine(self, *mocks):
         cycledash.views.examine(self.run['id'])
         vcf = mocked.call_args[1]['vcf']
@@ -59,13 +73,6 @@ def test_examine(self, *mocks):
 
     @mock.patch('cycledash.views.render_template', mocked)
     def test_home(self, *mocks):
-        run = create_run_with_uri(self.project['id'], '/someotheruri.vcf')
-        project = create_project_with_name('otherproject')
-
-        comment1 = create_comment_with_text(self.run['id'], 'this is some text')
-        comment2 = create_comment_with_text(
-            run['id'], 'this is some text on the other run')
-
         cycledash.views.home()
         project_trees = mocked.call_args[1]['project_trees']
         last_comments = mocked.call_args[1]['last_comments']
@@ -79,26 +86,23 @@ def test_home(self, *mocks):
         asserts.ok_(vcfs)
         asserts.eq_(len(vcfs), 2)
         asserts.eq_(set([v['uri'] for v in vcfs]),
-                    set([self.run['uri'], run['uri']]))
+                    set([self.run['uri'], self.run2['uri']]))
 
         bams = project.get('bams')
         asserts.ok_(bams)
         asserts.eq_(len(bams), 2)
 
         asserts.eq_(len(last_comments), 2)
-        comment2_found = find(last_comments, lambda c: c['vcfId'] == run['id'])
-        asserts.eq_(comment2_found['commentText'], comment2['comment_text'])
+        comment2_found = find(last_comments, lambda c: c['vcfId'] == self.run['id'])
+        asserts.eq_(comment2_found['commentText'], self.comment2['comment_text'])
 
 
     @mock.patch('cycledash.views.render_template', mocked)
     def test_comments(self, *mocks):
-        comment1 = create_comment_with_text(self.run['id'], 'this is some text')
-        comment2 = create_comment_with_text(self.run['id'], 'more text')
-
         cycledash.views.comments()
 
         comments = mocked.call_args[1]['comments']
 
         asserts.eq_(len(comments), 2)
         asserts.eq_(set([c['commentText'] for c in comments]),
-                    set([comment1['comment_text'], comment2['comment_text']]))
+                    set([self.comment1['comment_text'], self.comment2['comment_text']]))