diff --git a/src/_zkapauthorizer/_plugin.py b/src/_zkapauthorizer/_plugin.py
index 8f9b629077e8610095c6938849ac3c457a40a624..98eb8da61c3718281cbdf020637d0b6c151ff09f 100644
--- a/src/_zkapauthorizer/_plugin.py
+++ b/src/_zkapauthorizer/_plugin.py
@@ -141,7 +141,7 @@ class ZKAPAuthorizer(object):
     def get_storage_server(self, configuration, get_anonymous_storage_server):
         kwargs = configuration.copy()
         root_url = kwargs.pop(u"ristretto-issuer-root-url")
-        pass_value = kwargs.pop(u"pass-value", BYTES_PER_PASS)
+        pass_value = int(kwargs.pop(u"pass-value", BYTES_PER_PASS))
         signing_key = SigningKey.decode_base64(
             FilePath(
                 kwargs.pop(u"ristretto-signing-key-path"),
diff --git a/src/_zkapauthorizer/tests/strategies.py b/src/_zkapauthorizer/tests/strategies.py
index 88b705e7490446f3d7046c372ffc0b6f567d278a..025260d8be245dd8c703ed30429a12c20cb6ba24 100644
--- a/src/_zkapauthorizer/tests/strategies.py
+++ b/src/_zkapauthorizer/tests/strategies.py
@@ -216,10 +216,19 @@ def server_configurations(signing_key_path):
     :param unicode signing_key_path: A value to insert for the
         **ristretto-signing-key-path** item.
     """
-    return just({
-        u"ristretto-issuer-root-url": u"https://issuer.example.invalid/",
-        u"ristretto-signing-key-path": signing_key_path.path,
-    })
+    return one_of(
+        fixed_dictionaries({
+            u"pass-value":
+            # The configuration is ini so everything is always a byte string!
+            integers(min_value=1).map(bytes),
+        }),
+        just({}),
+    ).map(
+        lambda config: config.update({
+            u"ristretto-issuer-root-url": u"https://issuer.example.invalid/",
+            u"ristretto-signing-key-path": signing_key_path.path,
+        }) or config,
+    )
 
 
 def client_ristrettoredeemer_configurations():