diff --git a/src/apps.js b/src/apps.js
index b10aeda35..a91ecb8a0 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -669,6 +669,8 @@ function restore(appId, data, auditSource, callback) {
 
     debug('Will restore app with id:%s', appId);
 
+    if (!data.backupId) return callback(new AppsError(AppsError.BAD_FIELD, 'Invalid backup id'));
+
     appdb.get(appId, function (error, app) {
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND));
         if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
@@ -686,6 +688,7 @@ function restore(appId, data, auditSource, callback) {
 
             // ## should probably query new location, access restriction from user
             values = {
+                lastBackupId: data.backupId,
                 manifest: restoreConfig.manifest,
                 portBindings: restoreConfig.portBindings,
                 memoryLimit: restoreConfig.memoryLimit,
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 72b55e40b..6147814e2 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -178,6 +178,8 @@ function restoreApp(req, res, next) {
 
     debug('Restore app id:%s', req.params.id);
 
+    if ('backupId' in data && typeof data.backupId !== 'string') return next(new HttpError(400, 'backupId must be string'));
+
     apps.restore(req.params.id, data, auditSource(req), function (error) {
         if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
         if (error && error.reason === AppsError.BAD_FIELD) return next(new HttpError(400, error.message));
diff --git a/webadmin/src/js/client.js b/webadmin/src/js/client.js
index 773982acc..4d303a80c 100644
--- a/webadmin/src/js/client.js
+++ b/webadmin/src/js/client.js
@@ -269,8 +269,8 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
         }).error(defaultErrorHandler(callback));
     };
 
-    Client.prototype.restoreApp = function (appId, password, callback) {
-        var data = { password: password };
+    Client.prototype.restoreApp = function (appId, backupId, password, callback) {
+        var data = { password: password, backupId: backupId };
         $http.post(client.apiOrigin + '/api/v1/apps/' + appId + '/restore', data).success(function (data, status) {
             if (status !== 202) return callback(new ClientError(status, data));
             callback(null);
diff --git a/webadmin/src/views/apps.js b/webadmin/src/views/apps.js
index 0fb561ea1..76f98fd13 100644
--- a/webadmin/src/views/apps.js
+++ b/webadmin/src/views/apps.js
@@ -274,7 +274,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appRestore.busy = true;
         $scope.appRestore.error.password = null;
 
-        Client.restoreApp($scope.appRestore.app.id, $scope.appRestore.password, function (error) {
+        Client.restoreApp($scope.appRestore.app.id, $scope.appRestore.app.lastBackupId, $scope.appRestore.password, function (error) {
             if (error && error.statusCode === 403) {
                 $scope.appRestore.password = '';
                 $scope.appRestore.error.password = true;