diff --git a/src/_secureaccesstokenauthorizer/_storage_server.py b/src/_secureaccesstokenauthorizer/_storage_server.py
index ed44a7e32c0c6f3fdcd4d31bf606bec16ffc0bd8..fbae0c3f0b088139b56968df1dfc0888e9c07db2 100644
--- a/src/_secureaccesstokenauthorizer/_storage_server.py
+++ b/src/_secureaccesstokenauthorizer/_storage_server.py
@@ -21,6 +21,9 @@ implemented in ``_storage_client.py``.
 """
 
 import attr
+from attr.validators import (
+    provides,
+)
 
 from zope.interface import (
     implementer_only,
@@ -145,7 +148,7 @@ class RITokenAuthorizedStorageServer(RemoteInterface):
 # attributes on self and it's hard to avoid that.
 @attr.s(cmp=False)
 class SecureAccessTokenAuthorizerStorageServer(Referenceable):
-    _original = attr.ib()
+    _original = attr.ib(validator=provides(RIStorageServer))
 
     def _validate_tokens(self, tokens):
         pass
diff --git a/src/_secureaccesstokenauthorizer/tests/test_plugin.py b/src/_secureaccesstokenauthorizer/tests/test_plugin.py
index 00c6f65713cee477eeb3727beccaca2137317991..14d544bfb361b8e0adcb5ad93d65cf528f62e64c 100644
--- a/src/_secureaccesstokenauthorizer/tests/test_plugin.py
+++ b/src/_secureaccesstokenauthorizer/tests/test_plugin.py
@@ -16,6 +16,10 @@
 Tests for the Tahoe-LAFS plugin.
 """
 
+from zope.interface import (
+    implementer,
+)
+
 from testtools import (
     TestCase,
 )
@@ -44,6 +48,7 @@ from allmydata.interfaces import (
     IFoolscapStoragePlugin,
     IAnnounceableStorageServer,
     IStorageServer,
+    RIStorageServer,
 )
 
 from twisted.plugin import (
@@ -64,8 +69,14 @@ from .matchers import (
     Provides,
 )
 
+
+@implementer(RIStorageServer)
+class StubStorageServer(object):
+    pass
+
+
 def get_anonymous_storage_server():
-    return None
+    return StubStorageServer()
 
 
 def get_rref():