diff --git a/domain/attachment/endpoint.go b/domain/attachment/endpoint.go
index 825951a4..e444dc66 100644
--- a/domain/attachment/endpoint.go
+++ b/domain/attachment/endpoint.go
@@ -67,7 +67,7 @@ func (h *Handler) Download(w http.ResponseWriter, r *http.Request) {
 // Get attachment being requested.
 a, err := h.Store.Attachment.GetAttachment(ctx, ctx.OrgID, request.Param(r, "attachmentID"))
 if err == sql.ErrNoRows {
- response.WriteNotFoundError(w, method, request.Param(r, "fileID"))
+ response.WriteNotFoundError(w, method, request.Param(r, "attachmentID"))
 return
 }
 if err != nil {
@@ -161,6 +161,12 @@ func (h *Handler) Download(w http.ResponseWriter, r *http.Request) {
 canDownload = true
 }
+ if len(secureToken) == 0 && len(authToken) == 0 {
+ h.Runtime.Log.Error("get attachment received no access token", err)
+ response.WriteForbiddenError(w)
+ return
} + // Send back error if caller unable view attachment
 if !canDownload {
 h.Runtime.Log.Error("get attachment refused", err)
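Review bot: The not-found branch still tests `err == sql.ErrNoRows` directly (the context line just above the corrected call); if the store layer ever wraps the error, this branch is skipped and the request falls through to the generic error path below, so `if errors.Is(err, sql.ErrNoRows) {` is the safer comparison. The `attachmentID` now echoed into the 404 is a request-supplied value, so WriteNotFoundError (not visible here) should be where it is encoded before being written back. Download's body begins and continues outside the hunk.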
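Review bot: The new no-token guard runs only after `canDownload` has already been computed (the `canDownload = true` context line precedes it), so any path that previously reached `canDownload = true` without either token is now refused here; if that is intended, moving the guard ahead of the permission evaluation makes the fail-closed order explicit and skips the lookups for unauthenticated callers, and if it is not, it is a behaviour change worth confirming against any public attachment access. The `err` passed to `Log.Error` in the added block is whatever the earlier store call left behind (nil on the success path), so the entry carries no useful context; a message that names the requested attachment would serve an investigation of refused downloads better. A missing credential is conventionally answered with 401 rather than the 403 from `WriteForbiddenError`, if the response package offers an unauthorized writer. The declarations of `secureToken` and `authToken`, and the rest of Download, lie outside the hunk.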