diff --git a/lib/star.js b/lib/star.js
index aa707e1..87c5b67 100644
--- a/lib/star.js
+++ b/lib/star.js
@@ -11,38 +11,42 @@ function star (uri, params, cb) {
 
   var auth = params.auth
   assert(auth && typeof auth === "object", "must pass auth to star")
-  if (auth.token) {
-    return cb(new Error("This operation is unsupported for token-based auth"))
-  }
-  else if (!(auth.username && auth.password)) {
-    return cb(new Error("Must be logged in to star/unstar packages"))
+  if (!(auth.token || (auth.password && auth.username && auth.email))) {
+    var er = new Error("Must be logged in to star/unstar packages")
+    er.code = "ENEEDAUTH"
+    return cb(er)
   }
 
   var client = this
   this.request(uri+"?write=true", { auth : auth }, function (er, fullData) {
     if (er) return cb(er)
 
-    fullData = {
-      _id   : fullData._id,
-      _rev  : fullData._rev,
-      users : fullData.users || {}
-    }
-
-    if (starred) {
-      client.log.info("starring", fullData._id)
-      fullData.users[auth.username] = true
-      client.log.verbose("starring", fullData)
-    } else {
-      delete fullData.users[auth.username]
-      client.log.info("unstarring", fullData._id)
-      client.log.verbose("unstarring", fullData)
-    }
-
-    var options = {
-      method : "PUT",
-      body : fullData,
-      auth : auth
-    }
-    return client.request(uri, options, cb)
+    client.whoami(uri, params, function (er, username) {
+      if (er) return cb(er)
+
+      var data = {
+        _id : fullData._id,
+        _rev : fullData._rev,
+        users : fullData.users || {}
+      }
+
+      if (starred) {
+        client.log.info("starring", data._id)
+        data.users[username] = true
+        client.log.verbose("starring", data)
+      }
+      else {
+        delete data.users[username]
+        client.log.info("unstarring", data._id)
+        client.log.verbose("unstarring", data)
+      }
+
+      var options = {
+        method : "PUT",
+        body : data,
+        auth : auth
+      }
+      return client.request(uri, options, cb)
+    })
   })
 }
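Review bot: The `username` handed back by `client.whoami` is used as a key in `data.users` without being checked, in both the `starred` branch and the `delete` branch. whoami.js passes `userdata.username` straight through, so a 200 response without that field would make this code write a literal `"undefined"` entry and PUT it to the registry. A guard directly after the inner error check would stop that: `if (!username) return cb(new Error("Unable to determine username for star"))`. Separately, the new login check requires `auth.email` for password auth where the old one accepted username and password alone; if that is intended, it deserves a short comment. `star` begins above this hunk, so `starred` and the earlier argument checks are not visible here.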
diff --git a/lib/whoami.js b/lib/whoami.js
index 684ce7b..4c099eb 100644
--- a/lib/whoami.js
+++ b/lib/whoami.js
@@ -11,7 +11,9 @@ function whoami (uri, params, cb) {
   var auth = params.auth
   assert(auth && typeof auth === "object", "must pass auth to whoami")
 
-  this.request(url.resolve(uri, "whoami"), { auth : auth }, function (er, userdata) {
+  if (auth.username) return process.nextTick(cb.bind(this, null, auth.username))
+
+  this.request(url.resolve(uri, "-/whoami"), { auth : auth }, function (er, userdata) {
     if (er) return cb(er)
 
     cb(null, userdata.username)
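Review bot: The early return on `auth.username` answers from locally supplied configuration and never contacts the registry, so when `auth` carries both a token and a username the name reported may not be the account the token belongs to. star.js now uses this result as the key it writes into `users`, so a mismatch would travel in the PUT body; whether the registry rejects that is not visible here. Restricting the shortcut to the non-token case keeps the registry authoritative for tokens: `if (auth.username && !auth.token) return process.nextTick(cb.bind(this, null, auth.username))`. A one-line comment such as `// password auth: username is already known locally, skip the round trip` would also document why the request is skipped. The body of `whoami` continues past the end of this hunk.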
diff --git a/package.json b/package.json
index 44e58b0..bd4557f 100644
--- a/package.json
+++ b/package.json
@@ -25,6 +25,7 @@
   },
   "devDependencies": {
     "negotiator": "^0.4.9",
+    "nock": "^0.56.0",
     "tap": ""
   },
   "optionalDependencies": {
diff --git a/test/star.js b/test/star.js
index 1a8576f..0d899ee 100644
--- a/test/star.js
+++ b/test/star.js
@@ -1,9 +1,9 @@
 var test = require("tap").test
-
 var server = require("./lib/server.js")
 var common = require("./lib/common.js")
 var client = common.freshClient()
 var cache = require("./fixtures/underscore/cache.json")
+var nock = require("nock")
 
 function nop () {}
 
@@ -19,7 +19,7 @@ var AUTH     = {
 }
 var PARAMS  = {
   starred : STARRED,
-  auth    : AUTH
+  auth : AUTH
 }
 
 test("star call contract", function (t) {
@@ -58,22 +58,6 @@ test("star call contract", function (t) {
     "params must include auth"
   )
 
-  t.test("token auth disallowed in star", function (t) {
-    var params = {
-      auth : {
-        token : "lol"
-      }
-    }
-    client.star(URI, params, function (err) {
-      t.equal(
-        err && err.message,
-        "This operation is unsupported for token-based auth",
-        "star doesn't support token-based auth"
-      )
-      t.end()
-    })
-  })
-
   t.end()
 })
 
@@ -96,7 +80,7 @@ test("star a package", function (t) {
     req.on("end", function () {
       var updated = JSON.parse(b)
 
-      var already  = [
+      var already = [
         "vesln", "mvolkmann", "lancehunt", "mikl", "linus", "vasc", "bat",
         "dmalam", "mbrevoort", "danielr", "rsimoes", "thlorenz"
       ]
@@ -110,7 +94,7 @@ test("star a package", function (t) {
       t.ok(updated.users[USERNAME], "user is in the starred list")
 
       res.statusCode = 201
-      res.json({starred:true})
+      res.json({ starred : true })
     })
   })
 
@@ -118,10 +102,80 @@ test("star a package", function (t) {
     starred : STARRED,
     auth : AUTH
   }
-  client.star("http://localhost:1337/underscore", params, function (error, data) {
-    t.ifError(error, "no errors")
+
+  client.star("http://localhost:1337/underscore", params, function (er, data) {
+    t.ifError(er, "no errors")
     t.ok(data.starred, "was starred")
 
     t.end()
   })
 })
+
+test("if password auth, only sets authorization on put", function (t) {
+  var starGet = nock("http://localhost:1010")
+    .get("/underscore?write=true")
+    .reply(200, {})
+
+  var starPut = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Basic " + new Buffer(AUTH.username+":"+
+                                              AUTH.password).toString("base64")
+      }
+    })
+    .put("/underscore")
+    .reply(200)
+
+  var params = {
+    starred : STARRED,
+    auth : AUTH
+  }
+
+  client.star("http://localhost:1010/underscore", params, function (er) {
+    t.ifError(er, "starred without issues")
+    starGet.done()
+    starPut.done()
+    t.end()
+  })
+})
+
+test("if token auth, sets bearer on get and put", function (t) {
+  var starGet = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Bearer foo"
+      }
+    })
+    .get("/underscore?write=true")
+    .reply(200, {})
+
+  var getUser = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Bearer foo"
+      }
+    })
+    .get("/-/whoami")
+    .reply(200, {
+      username : "bcoe"
+    })
+
+  var starPut = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Bearer foo"
+      }
+    })
+    .put("/underscore")
+    .reply(200)
+
+  var params = {
+    starred : STARRED,
+    auth : {
+      token : "foo"
+    }
+  }
+  client.star("http://localhost:1010/underscore", params, function (er) {
+    t.ifError(er, "starred without error")
+    starGet.done()
+    starPut.done()
+    getUser.done()
+    t.end()
+  })
+})
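Review bot: The test titled "if password auth, only sets authorization on put" does not check the "only" part: the `starGet` interceptor has no header constraint, so it would still match if the Basic credentials were also sent on the `?write=true` GET. Asserting that the GET carries no `authorization` header (nock's `badheaders` scope option, if the pinned version supports it) would make the test enforce what its title says. Neither new test inspects the PUT body, so the token case does not confirm that the star is recorded under the `bcoe` name returned by `/-/whoami`. The `done()` calls also throw rather than report through `t`, so an unmet expectation aborts the run instead of producing a failed assertion.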
diff --git a/test/whoami.js b/test/whoami.js
index ccb173a..21b70e8 100644
--- a/test/whoami.js
+++ b/test/whoami.js
@@ -49,10 +49,13 @@ test("whoami call contract", function (t) {
 })
 
 test("whoami", function (t) {
-  server.expect("GET", "/whoami", function (req, res) {
+  server.expect("GET", "/-/whoami", function (req, res) {
     t.equal(req.method, "GET")
     // only available for token-based auth for now
-    t.equal(req.headers.authorization, "Bearer not-bad-meaning-bad-but-bad-meaning-wombat")
+    t.equal(
+      req.headers.authorization,
+      "Bearer not-bad-meaning-bad-but-bad-meaning-wombat"
+    )
 
     res.json({username : WHOIAM})
   })
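Review bot: The `whoami` test in this hunk covers only the token path against `/-/whoami`, and nothing in the diff exercises the new shortcut in lib/whoami.js, where a populated `auth.username` is returned without any request. A companion test that calls `client.whoami` with username/password auth and asserts that the callback receives that username, with no request reaching the server, would pin the new branch. Other tests in this file are outside the diff, so the branch may already be covered incidentally.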