diff --git a/examples/envoy/proxy.yaml b/examples/envoy/proxy.yaml
index f6e6518b..09227940 100644
--- a/examples/envoy/proxy.yaml
+++ b/examples/envoy/proxy.yaml
@@ -176,3 +176,26 @@ static_resources:
                                     - generic_key:
                                         descriptor_value: "service_2"
                                         descriptor_key: "service"
+                        - match:
+                            prefix: /tokenquota
+                          route:
+                            cluster: mock
+                          typed_per_filter_config:
+                            envoy.filters.http.ratelimit:
+                              "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute
+                              vh_rate_limits: INCLUDE
+                              override_option: INCLUDE_POLICY
+                              rate_limits:
+                                - actions:
+                                    - generic_key:
+                                        descriptor_value: "service_2"
+                                        descriptor_key: "service"
+                                  hits_addend:
+                                    number: 0
+                                - actions:
+                                    - generic_key:
+                                        descriptor_value: "service_2"
+                                        descriptor_key: "service"
+                                  hits_addend:
+                                    number: 1
+                                  apply_on_stream_done: true
diff --git a/integration-test/scripts/token-quota.sh b/integration-test/scripts/token-quota.sh
new file mode 100755
index 00000000..48063557
--- /dev/null
+++ b/integration-test/scripts/token-quota.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+#
+# request to /tokenquota will produce the (service: service_1), (service: service_2) descriptor
+# with 0 addend on request path and (service: service_2) descriptor with addend 1 on response path.
+# service_2 has 2 req/min so 2 requests should be allowed
+#
+
+response=$(curl -f -s -H "request-no: 1" http://envoy-proxy:8888/tokenquota)
+response=$(curl -f -s -H "request-no: 2" http://envoy-proxy:8888/tokenquota)
+response=$(curl -f -s -H "request-no: 3" http://envoy-proxy:8888/tokenquota)
+
+if [ $? -ne 0 ]; then
+	echo "Quota limit should not trigger yet"
+	exit 1
+fi
+
+# Quota is debited from service_2 bucket on the response path so only the 4th request should be rejected
+response=$(curl -f -s -H "request-no: 4" http://envoy-proxy:8888/tokenquota)
+
+if [ $? -ne 0 ]; then
+	echo "Quota mode does not deny requests yet"
+	exit 1
+fi
+
+echo "Waiting 1 minute for quota buckets to be refreshed"
+sleep 60
+
+response=$(curl -i -s -H "request-no: 5" http://envoy-proxy:8888/tokenquota)
+if [ $? -ne 0 ]; then
+	echo "Quota bucket should be refreshed"
+	exit 1
+fi