diff --git a/application/src/tira_app/endpoints/v1/_anonymous.py b/application/src/tira_app/endpoints/v1/_anonymous.py index 87203df3..d7b43c4c 100644 --- a/application/src/tira_app/endpoints/v1/_anonymous.py +++ b/application/src/tira_app/endpoints/v1/_anonymous.py @@ -13,6 +13,7 @@ from ... import model as modeldb from ... import tira_model as model +from ...checks import check_permissions, check_resources_exist @api_view(["GET"]) @@ -36,8 +37,10 @@ def read_anonymous_submission(request: Request, submission_uuid: str) -> Respons ) +@check_permissions @api_view(["POST"]) -def claim_submission(request: Request, submission_uuid: str) -> Response: +@check_resources_exist("json") +def claim_submission(request: Request, vm_id: str, submission_uuid: str) -> Response: try: upload = modeldb.AnonymousUploads.objects.get(uuid=submission_uuid) @@ -66,7 +69,6 @@ def claim_submission(request: Request, submission_uuid: str) -> Response: task_id = upload.dataset.default_task.task_id dataset_id = upload.dataset.dataset_id - vm_id = body["vm_id"] if "upload_group" not in body: body["upload_group"] = model.add_upload( @@ -94,6 +96,6 @@ def claim_submission(request: Request, submission_uuid: str) -> Response: endpoints = [ - path("claim/", claim_submission), + path("claim//", claim_submission), path("", read_anonymous_submission), ] diff --git a/application/test/api_access_matrix.py b/application/test/api_access_matrix.py index 86d0124d..d9a2ac33 100644 --- a/application/test/api_access_matrix.py +++ b/application/test/api_access_matrix.py 
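Review bot: In the decorator stack on claim_submission, `@check_permissions` sits above `@api_view(["POST"])` while `@check_resources_exist("json")` sits below it, and nothing documents that this order is intentional. A decorator placed above `api_view` wraps the finished DRF view, so the permission check sees the plain Django request before DRF authentication and parsing run; the existence check runs inside the view. The 302 expected for denied groups in the access matrix fits that ordering, so pin it with a comment such as `# check_permissions must stay outermost: it authorises the vm_id path argument before DRF handles the request`. The decorator's implementation is not visible here, so confirm that it derives the caller's rights from the `vm_id` URL argument and does not depend on DRF-level authentication. The body of claim_submission continues outside the hunk.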
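Review bot: After `vm_id = body["vm_id"]` is removed, a `vm_id` key that a client still sends in the JSON body is neither used nor rejected, while `body` stays in use further down (`body["upload_group"] = model.add_upload(`). If any code outside this hunk still reads the owner from `body`, the authorised path value and the body value could disagree. A guard near the top of the function, `if "vm_id" in body and body["vm_id"] != vm_id:` followed by a 400 response, would make the URL value the only accepted source. The rest of claim_submission is outside the hunk, so whether `body` is read that way cannot be confirmed from here.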
@@ -2092,6 +2092,28 @@
 ADMIN: 500,
 },
 ),
+ route_to_test(
+ url_pattern="v1/anonymous/claim//",
+ params={"vm_id": "does-not-exist", "submission_uuid": "does-not-exist"},
+ group_to_expected_status_code={
+ ADMIN: 500,
+ GUEST: 302,
+ PARTICIPANT: 302,
+ ORGANIZER: 302,
+ ORGANIZER_WRONG_TASK: 302,
+ },
+ ),
+ route_to_test(
+ url_pattern="v1/anonymous/claim//",
+ params={"vm_id": "example_participant", "submission_uuid": "does-not-exist"},
+ group_to_expected_status_code={
+ ADMIN: 500,
+ GUEST: 302,
+ PARTICIPANT: 500,
+ ORGANIZER: 500,
+ ORGANIZER_WRONG_TASK: 302,
+ },
+ ),
 route_to_test(
 url_pattern="v1/datasets/",
 params={},
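Review bot: Both new matrix rows use `"submission_uuid": "does-not-exist"`, so the status that stands for "permission check passed" is a 500, which cannot be told apart from an unhandled error inside the permission or existence decorators themselves. The rows also leave out the case this change is about: a PARTICIPANT posting with a `vm_id` that exists but belongs to a different participant, which should be denied with 302. Add a row with such a vm_id, taking the fixture name from the test setup. If the view can return 404 for an unknown submission, expecting 404 rather than 500 for the allowed groups would let the matrix pin the authorisation result instead of a server error.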