diff --git a/run_tests.sh b/run_tests.sh
index b506438c3e68bd37a0022a6ec2043463d2adb7e8..3b27193098e4fbc253e8cdc11398767f8f2b3e24 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -6,8 +6,8 @@
 
 set -xue
 
-go install -v ./cmd/cashier ./cmd/cashierd
-go list ./... |grep -v vendor/ |xargs go test
+go install -race -v ./cmd/cashier ./cmd/cashierd
+go list ./... |grep -v vendor/ |xargs go test -race
 gofmt -d $(find * -type f -name '*.go' -not -path 'vendor/*')
 go list ./... |grep -v vendor/ |xargs go vet
 if ! type -f golint > /dev/null; then
diff --git a/server/handlers_test.go b/server/handlers_test.go
index a08d638d2db2166179e53070f6c2e90ec154c702..1670f2f7459a83d64f4891934ae364a34d3e63c2 100644
--- a/server/handlers_test.go
+++ b/server/handlers_test.go
@@ -26,23 +26,20 @@ import (
 	"github.com/stripe/krl"
 )
 
-func newContext(t *testing.T) *appContext {
-	f, err := ioutil.TempFile(os.TempDir(), "signing_key_")
-	if err != nil {
-		t.Error(err)
-	}
+var ctx *appContext
+
+func init() {
+	f, _ := ioutil.TempFile(os.TempDir(), "signing_key_")
 	defer os.Remove(f.Name())
 	f.Write(testdata.Priv)
 	f.Close()
-	if keysigner, err = signer.New(&config.SSH{
+	keysigner, _ = signer.New(&config.SSH{
 		SigningKey: f.Name(),
 		MaxAge:     "1h",
-	}); err != nil {
-		t.Error(err)
-	}
+	})
 	authprovider = testprovider.New()
 	certstore = store.NewMemoryStore()
-	return &appContext{
+	ctx = &appContext{
 		cookiestore: sessions.NewCookieStore([]byte("secret")),
 		authsession: &auth.Session{AuthURL: "https://www.example.com/auth"},
 	}
@@ -51,7 +48,7 @@ func newContext(t *testing.T) *appContext {
 func TestLoginHandler(t *testing.T) {
 	req, _ := http.NewRequest("GET", "/auth/login", nil)
 	resp := httptest.NewRecorder()
-	loginHandler(newContext(t), resp, req)
+	loginHandler(ctx, resp, req)
 	if resp.Code != http.StatusFound && resp.Header().Get("Location") != "https://www.example.com/auth" {
 		t.Error("Unexpected response")
 	}
@@ -61,7 +58,6 @@ func TestCallbackHandler(t *testing.T) {
 	req, _ := http.NewRequest("GET", "/auth/callback", nil)
 	req.Form = url.Values{"state": []string{"state"}, "code": []string{"abcdef"}}
 	resp := httptest.NewRecorder()
-	ctx := newContext(t)
 	ctx.setAuthStateCookie(resp, req, "state")
 	callbackHandler(ctx, resp, req)
 	if resp.Code != http.StatusFound && resp.Header().Get("Location") != "/" {
@@ -72,7 +68,6 @@ func TestCallbackHandler(t *testing.T) {
 func TestRootHandler(t *testing.T) {
 	req, _ := http.NewRequest("GET", "/", nil)
 	resp := httptest.NewRecorder()
-	ctx := newContext(t)
 	tok := &oauth2.Token{
 		AccessToken: "XXX_TEST_TOKEN_STRING_XXX",
 		Expiry:      time.Now().Add(1 * time.Hour),
@@ -87,7 +82,6 @@ func TestRootHandler(t *testing.T) {
 func TestRootHandlerNoSession(t *testing.T) {
 	req, _ := http.NewRequest("GET", "/", nil)
 	resp := httptest.NewRecorder()
-	ctx := newContext(t)
 	rootHandler(ctx, resp, req)
 	if resp.Code != http.StatusSeeOther {
 		t.Errorf("Unexpected status: %s, wanted %s", http.StatusText(resp.Code), http.StatusText(http.StatusSeeOther))
@@ -101,7 +95,6 @@ func TestSignRevoke(t *testing.T) {
 	})
 	req, _ := http.NewRequest("POST", "/sign", bytes.NewReader(s))
 	resp := httptest.NewRecorder()
-	ctx := newContext(t)
 	req.Header.Set("Authorization", "Bearer abcdef")
 	signHandler(ctx, resp, req)
 	if resp.Code != http.StatusOK {