diff --git a/src/backups.js b/src/backups.js
index d6c5a7aea..1bc324913 100644
--- a/src/backups.js
+++ b/src/backups.js
@@ -42,9 +42,14 @@ function postProcess(result) {
 }
 
 function removePrivateFields(backup) {
+    delete backup.integrityCheckTaskId;
     return backup;
 }
 
+async function attachIntegrityTaskInfo(backup) {
+    backup.integrityCheckTask = backup.integrityCheckTaskId ? await tasks.get(String(backup.integrityCheckTaskId)) : null;
+}
+
 async function add(data) {
     assert(data && typeof data === 'object');
     assert.strictEqual(typeof data.remotePath, 'string');
@@ -82,16 +87,19 @@ async function getLatestInTargetByIdentifier(identifier, siteId) {
 
     const results = await database.query(`SELECT ${BACKUPS_FIELDS} FROM backups WHERE identifier = ? AND state = ? AND siteId = ? LIMIT 1`, [ identifier, BACKUP_STATE_NORMAL, siteId ]);
     if (!results.length) return null;
+
+    await attachIntegrityTaskInfo(results[0]);
     return postProcess(results[0]);
 }
 
 async function get(id) {
     assert.strictEqual(typeof id, 'string');
 
-    const result = await database.query(`SELECT ${BACKUPS_FIELDS} FROM backups WHERE id = ? ORDER BY creationTime DESC`, [ id ]);
-    if (result.length === 0) return null;
+    const results = await database.query(`SELECT ${BACKUPS_FIELDS} FROM backups WHERE id = ? ORDER BY creationTime DESC`, [ id ]);
+    if (results.length === 0) return null;
 
-    return postProcess(result[0]);
+    await attachIntegrityTaskInfo(results[0]);
+    return postProcess(results[0]);
 }
 
 function validateLabel(label) {
@@ -145,7 +153,10 @@ async function listByTypePaged(type, siteId, page, perPage) {
 
     const results = await database.query(`SELECT ${BACKUPS_FIELDS} FROM backups WHERE siteId=? AND type = ? ORDER BY creationTime DESC LIMIT ?,?`, [ siteId, type, (page-1)*perPage, perPage ]);
 
-    results.forEach(function (result) { postProcess(result); });
+    for (const r of results) {
+        await attachIntegrityTaskInfo(r);
+        postProcess(r);
+    }
 
     return results;
 }
@@ -158,7 +169,10 @@ async function listByIdentifierAndStatePaged(identifier, state, page, perPage) {
 
     const results = await database.query(`SELECT ${BACKUPS_FIELDS} FROM backups WHERE identifier = ? AND state = ? ORDER BY creationTime DESC LIMIT ?,?`, [ identifier, state, (page-1)*perPage, perPage ]);
 
-    results.forEach(postProcess);
+    for (const r of results) {
+        await attachIntegrityTaskInfo(r);
+        postProcess(r);
+    }
 
     return results;
 }
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 2340dfbee..8fa73dade 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -2,6 +2,7 @@ import apps from '../apps.js';
 import appstore from '../appstore.js';
 import assert from 'node:assert';
 import AuditSource from '../auditsource.js';
+import backups from '../backups.js';
 import backupSites from '../backupsites.js';
 import BoxError from '../boxerror.js';
 import community from '../community.js';
@@ -866,7 +867,7 @@ async function listBackups(req, res, next) {
     const [error, result] = await safe(apps.listBackups(req.resources.app, page, perPage));
     if (error) return next(BoxError.toHttpError(error));
 
-    next(new HttpSuccess(200, { backups: result }));
+    next(new HttpSuccess(200, { backups: result.map(backups.removePrivateFields) }));
 }
 
 async function listBackupSites(req, res, next) {
diff --git a/src/routes/backupsites.js b/src/routes/backupsites.js
index 85241147e..3d996b831 100644
--- a/src/routes/backupsites.js
+++ b/src/routes/backupsites.js
@@ -242,7 +242,7 @@ async function listBackups(req, res, next) {
 
     const [error, results] = await safe(backups.listByTypePaged(backups.BACKUP_TYPE_BOX, req.resources.backupSite.id, page, perPage));
     if (error) return next(BoxError.toHttpError(error));
-    next(new HttpSuccess(200, { backups: results }));
+    next(new HttpSuccess(200, { backups: results.map(backups.removePrivateFields) }));
 }
 
 export default {
diff --git a/src/routes/test/backups-test.js b/src/routes/test/backups-test.js
index 1cd558128..98ecb1933 100644
--- a/src/routes/test/backups-test.js
+++ b/src/routes/test/backups-test.js
@@ -3,6 +3,7 @@
 import common from './common.js';
 import expect from 'expect.js';
 import superagent from '@cloudron/superagent';
+import timers from 'timers/promises';
 
 describe('Backups API', function () {
     const { setup, cleanup, waitForTask, serverUrl, owner, admin, getDefaultBackupSite } = common;
@@ -68,4 +69,39 @@ describe('Backups API', function () {
             .send({ preserveSecs: 30, label: 'NewOrleans' });
         expect(response.status).to.equal(200);
     });
+
+    describe('integrity', function () {
+        it('start a check', async function () {
+            const response = await superagent.post(`${serverUrl}/api/v1/backups/${someBackup.id}/start_integrity_check`)
+                .query({ access_token: admin.token })
+                .send({});
+            expect(response.status).to.equal(201);
+            const taskId = response.body.taskId;
+            expect(taskId).to.be.a('string');
+        });
+
+        it('wait for check', async function () {
+            let response;
+            for (let i = 0; i < 10; i++) {
+                response = await superagent.get(`${serverUrl}/api/v1/backups/${someBackup.id}`)
+                    .query({ access_token: admin.token });
+                expect(response.status).to.equal(200);
+                if (!response.body.integrityCheckTask?.active) break;
+                await timers.setTimeout(3000);
+            }
+
+            expect(response.body.integrityCheckTask).to.be(null);
+        });
+
+        it('has integrity fields', async function () {
+            const response = await superagent.get(`${serverUrl}/api/v1/backups/${someBackup.id}`)
+                .query({ access_token: owner.token })
+                .ok(() => true);
+            expect(response.status).to.equal(200);
+            expect(response.body.lastIntegrityCheckTime).to.be.a('string');
+            expect(response.body.integrityCheckStatus).to.equal('passed');
+            expect(response.body.integrityCheckResult).to.eql({ messages: [] });
+            expect(response.body.integrityCheckTask).to.be(null);
+        });
+    });
 });
diff --git a/src/test/backups-test.js b/src/test/backups-test.js
index 6da7377a6..87da568de 100644
--- a/src/test/backups-test.js
+++ b/src/test/backups-test.js
@@ -33,6 +33,7 @@ describe('backups', function () {
         integrityCheckResult: null,
         integrityCheckStatus: null,
         integrityCheckTaskId: null,
+        integrityCheckTask: null,
         lastIntegrityCheckTime: null
     };
 
@@ -55,6 +56,7 @@ describe('backups', function () {
         integrityCheckResult: null,
         integrityCheckStatus: null,
         integrityCheckTaskId: null,
+        integrityCheckTask: null,
         lastIntegrityCheckTime: null
     };