diff --git a/module/CLI/test/Command/Api/ListKeysCommandTest.php b/module/CLI/test/Command/Api/ListKeysCommandTest.php
index ccf3b0ee..2912d110 100644
--- a/module/CLI/test/Command/Api/ListKeysCommandTest.php
+++ b/module/CLI/test/Command/Api/ListKeysCommandTest.php
@@ -8,6 +8,8 @@ use PHPUnit\Framework\TestCase;
 use Prophecy\PhpUnit\ProphecyTrait;
 use Prophecy\Prophecy\ObjectProphecy;
 use Shlinkio\Shlink\CLI\Command\Api\ListKeysCommand;
+use Shlinkio\Shlink\Core\Entity\Domain;
+use Shlinkio\Shlink\Rest\ApiKey\Model\RoleDefinition;
 use Shlinkio\Shlink\Rest\Entity\ApiKey;
 use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface;
 use Symfony\Component\Console\Application;
@@ -29,42 +31,87 @@ class ListKeysCommandTest extends TestCase
         $this->commandTester = new CommandTester($command);
     }
 
-    /** @test */
-    public function everythingIsListedIfEnabledOnlyIsNotProvided(): void
+    /**
+     * @test
+     * @dataProvider provideKeysAndOutputs
+     */
+    public function returnsExpectedOutput(array $keys, bool $enabledOnly, string $expected): void
     {
-        $this->apiKeyService->listKeys(false)->willReturn([
-            new ApiKey(),
-            new ApiKey(),
-            new ApiKey(),
-        ])->shouldBeCalledOnce();
+        $listKeys = $this->apiKeyService->listKeys($enabledOnly)->willReturn($keys);
 
-        $this->commandTester->execute([]);
+        $this->commandTester->execute(['--enabledOnly' => $enabledOnly]);
         $output = $this->commandTester->getDisplay();
 
-        self::assertStringContainsString('Key', $output);
-        self::assertStringContainsString('Is enabled', $output);
-        self::assertStringContainsString(' +++ ', $output);
-        self::assertStringNotContainsString(' --- ', $output);
-        self::assertStringContainsString('Expiration date', $output);
+        self::assertEquals($expected, $output);
+        $listKeys->shouldHaveBeenCalledOnce();
     }
 
-    /** @test */
-    public function onlyEnabledKeysAreListedIfEnabledOnlyIsProvided(): void
+    public function provideKeysAndOutputs(): iterable
     {
-        $this->apiKeyService->listKeys(true)->willReturn([
-            (new ApiKey())->disable(),
-            new ApiKey(),
-        ])->shouldBeCalledOnce();
+        yield 'all keys' => [
+            [ApiKey::withKey('foo'), ApiKey::withKey('bar'), ApiKey::withKey('baz')],
+            false,
+            <<<OUTPUT
+            +-----+------------+-----------------+-------+
+            | Key | Is enabled | Expiration date | Roles |
+            +-----+------------+-----------------+-------+
+            | foo | +++        | -               | -     |
+            | bar | +++        | -               | -     |
+            | baz | +++        | -               | -     |
+            +-----+------------+-----------------+-------+
 
-        $this->commandTester->execute([
-            '--enabledOnly' => true,
-        ]);
-        $output = $this->commandTester->getDisplay();
+            OUTPUT,
+        ];
+        yield 'enabled keys' => [
+            [ApiKey::withKey('foo')->disable(), ApiKey::withKey('bar')],
+            true,
+            <<<OUTPUT
+            +-----+-----------------+-------+
+            | Key | Expiration date | Roles |
+            +-----+-----------------+-------+
+            | foo | -               | -     |
+            | bar | -               | -     |
+            +-----+-----------------+-------+
 
-        self::assertStringContainsString('Key', $output);
-        self::assertStringNotContainsString('Is enabled', $output);
-        self::assertStringNotContainsString(' +++ ', $output);
-        self::assertStringNotContainsString(' --- ', $output);
-        self::assertStringContainsString('Expiration date', $output);
+            OUTPUT,
+        ];
+        yield 'with roles' => [
+            [
+                ApiKey::withKey('foo'),
+                $this->apiKeyWithRoles('bar', [RoleDefinition::forAuthoredShortUrls()]),
+                $this->apiKeyWithRoles('baz', [RoleDefinition::forDomain((new Domain('example.com'))->setId('1'))]),
+                ApiKey::withKey('foo2'),
+                $this->apiKeyWithRoles('baz2', [
+                    RoleDefinition::forAuthoredShortUrls(),
+                    RoleDefinition::forDomain((new Domain('example.com'))->setId('1')),
+                ]),
+                ApiKey::withKey('foo3'),
+            ],
+            true,
+            <<<OUTPUT
+            +------+-----------------+--------------------------+
+            | Key  | Expiration date | Roles                    |
+            +------+-----------------+--------------------------+
+            | foo  | -               | -                        |
+            | bar  | -               | Author only              |
+            | baz  | -               | Domain only: example.com |
+            | foo2 | -               | -                        |
+            | baz2 | -               | Author only              |
+            |      |                 | Domain only: example.com |
+            | foo3 | -               | -                        |
+            +------+-----------------+--------------------------+
+
+            OUTPUT,
+        ];
+    }
+
+    private function apiKeyWithRoles(string $key, array $roles): ApiKey
+    {
+        $apiKey = ApiKey::withKey($key);
+        foreach ($roles as $role) {
+            $apiKey->registerRole($role);
+        }
+
+        return $apiKey;
     }
 }
diff --git a/module/Rest/test/ApiKey/RoleTest.php b/module/Rest/test/ApiKey/RoleTest.php
index b2dead47..4cb9ba1b 100644
--- a/module/Rest/test/ApiKey/RoleTest.php
+++ b/module/Rest/test/ApiKey/RoleTest.php
@@ -56,17 +56,49 @@ class RoleTest extends TestCase
 
     /**
      * @test
-     * @dataProvider provideMetas
+     * @dataProvider provideMetasWithDomainId
      */
     public function getsExpectedDomainIdFromMeta(array $meta, string $expectedDomainId): void
     {
         self::assertEquals($expectedDomainId, Role::domainIdFromMeta($meta));
     }
 
-    public function provideMetas(): iterable
+    public function provideMetasWithDomainId(): iterable
     {
         yield 'empty meta' => [[], '-1'];
         yield 'meta without domain_id' => [['foo' => 'bar'], '-1'];
         yield 'meta with domain_id' => [['domain_id' => '123'], '123'];
     }
+
+    /**
+     * @test
+     * @dataProvider provideMetasWithAuthority
+     */
+    public function getsExpectedAuthorityFromMeta(array $meta, string $expectedAuthority): void
+    {
+        self::assertEquals($expectedAuthority, Role::domainAuthorityFromMeta($meta));
+    }
+
+    public function provideMetasWithAuthority(): iterable
+    {
+        yield 'empty meta' => [[], ''];
+        yield 'meta without authority' => [['foo' => 'bar'], ''];
+        yield 'meta with authority' => [['authority' => 'example.com'], 'example.com'];
+    }
+
+    /**
+     * @test
+     * @dataProvider provideRoleNames
+     */
+    public function getsExpectedRoleFriendlyName(string $roleName, string $expectedFriendlyName): void
+    {
+        self::assertEquals($expectedFriendlyName, Role::toFriendlyName($roleName));
+    }
+
+    public function provideRoleNames(): iterable
+    {
+        yield 'unknown' => ['unknown', ''];
+        yield Role::AUTHORED_SHORT_URLS => [Role::AUTHORED_SHORT_URLS, 'Author only'];
+        yield Role::DOMAIN_SPECIFIC => [Role::DOMAIN_SPECIFIC, 'Domain only'];
+    }
 }