diff --git a/api.py b/api.py
index 1310353d..2bcbd535 100644
--- a/api.py
+++ b/api.py
@@ -1,10 +1,11 @@
 #!/usr/bin/env python3
 
-__copyright__ = 'Copyright (c) 2021-2023, Utrecht University'
+__copyright__ = 'Copyright (c) 2021-2024, Utrecht University'
 __license__ = 'GPLv3, see LICENSE'
 
 import base64
 import json
+import re
 import sys
 import zlib
 from timeit import default_timer as timer
@@ -13,7 +14,7 @@
 from flask import Blueprint, current_app as app, g, jsonify, request, Response
 from irods import message, rule
 
-from errors import UnauthorizedAPIAccessError
+from errors import InvalidAPIError, UnauthorizedAPIAccessError
 from util import log_error
 
 api_bp = Blueprint('api_bp', __name__)
@@ -24,6 +25,9 @@ def _call(fn: str) -> Response:
     if not authenticated():
         raise UnauthorizedAPIAccessError
 
+    if not re.match("^([a-z_]+)$", fn):
+        raise InvalidAPIError
+
     data: Dict[str, Any] = {}
     if 'data' in request.form:
         data = json.loads(request.form['data'])
@@ -110,6 +114,10 @@ def api_error_handler(error: Exception) -> Response:
     data: Dict[str, Any] = {}
     code = 500
 
+    if type(error) == InvalidAPIError:
+        code = 400
+        status_info = "Bad API request"
+
     if type(error) == UnauthorizedAPIAccessError:
         code = 401
         status_info = "Not authorized to use the API"
diff --git a/errors.py b/errors.py
index ed5f4d48..f303a527 100644
--- a/errors.py
+++ b/errors.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-__copyright__ = 'Copyright (c) 2021, Utrecht University'
+__copyright__ = 'Copyright (c) 2021-2024, Utrecht University'
 __license__ = 'GPLv3, see LICENSE'
 
 
@@ -12,5 +12,9 @@ class UnauthorizedAPIAccessError(YodaError):
     pass
 
 
+class InvalidAPIError(YodaError):
+    pass
+
+
 class MissingDataError(YodaError):
     pass
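Review bot: The new allowlist on `fn` in _call is looser than it reads: in Python regexes `$` also matches just before a trailing newline, so a value like `"foo\n"` passes `re.match("^([a-z_]+)$", fn)`, and the capture group is never used. `re.fullmatch` anchors both ends without that exception: `if not re.fullmatch(r"[a-z_]+", fn):`. A one-line comment stating the intent would help the next reader, e.g. `# Allowlist: only lowercase letters and underscores may form an API function name`. The rest of _call, including what fn is eventually passed to, lies outside the hunk, so I cannot see whether anything downstream would be affected by the trailing-newline case.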
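Review bot: `type(error) == InvalidAPIError` in api_error_handler matches only that exact class, so any subclass of InvalidAPIError raised later would fall through to the 500 default; `isinstance(error, InvalidAPIError)` is the idiomatic check (ruff E721) and covers subclasses. It mirrors the existing `type(error) == UnauthorizedAPIAccessError` line, so both are worth changing in the same commit: `if isinstance(error, InvalidAPIError):` and `if isinstance(error, UnauthorizedAPIAccessError):`. The body of api_error_handler continues outside the hunk, including wherever status_info is set for the remaining cases.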