diff --git a/src/applinks.js b/src/applinks.js
index eb11ce0d6..3e46b7285 100644
--- a/src/applinks.js
+++ b/src/applinks.js
@@ -122,8 +122,8 @@ async function update(applinkId, applink) {
 
     await amendIconAndLabel(applink);
 
-    const query = 'UPDATE applinks SET label=?, icon=?, upstreamUri=?, tagsJson=? WHERE id = ?';
-    const args = [ applink.label, applink.icon, applink.upstreamUri, applink.tags ? JSON.stringify(applink.tags) : null, applinkId ];
+    const query = 'UPDATE applinks SET label=?, icon=?, upstreamUri=?, tagsJson=?, accessRestrictionJson=? WHERE id = ?';
+    const args = [ applink.label, applink.icon, applink.upstreamUri, applink.tags ? JSON.stringify(applink.tags) : null, applink.accessRestriction ? JSON.stringify(applink.accessRestriction) : null, applinkId ];
 
     const result = await database.query(query, args);
     if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Applink not found');
diff --git a/src/routes/applinks.js b/src/routes/applinks.js
index 67fc5494f..01bada555 100644
--- a/src/routes/applinks.js
+++ b/src/routes/applinks.js
@@ -31,6 +31,7 @@ async function add(req, res, next) {
     if (!req.body.upstreamUri || typeof req.body.upstreamUri !== 'string') return next(new HttpError(400, 'upstreamUri must be a non-empty string'));
     if ('label' in req.body && typeof req.body.label !== 'string') return next(new HttpError(400, 'label must be a string'));
     if ('tags' in req.body && !Array.isArray(req.body.tags)) return next(new HttpError(400, 'tags must be an array with strings'));
+    if ('accessRestriction' in req.body && typeof req.body.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction must be an object'));
 
     const [error] = await safe(applinks.add(req.body));
     if (error) return next(BoxError.toHttpError(error));
@@ -54,6 +55,7 @@ async function update(req, res, next) {
     if (!req.body.upstreamUri || typeof req.body.upstreamUri !== 'string') return next(new HttpError(400, 'upstreamUri must be a non-empty string'));
     if ('label' in req.body && typeof req.body.label !== 'string') return next(new HttpError(400, 'label must be a string'));
     if ('tags' in req.body && !Array.isArray(req.body.tags)) return next(new HttpError(400, 'tags must be an array with strings'));
+    if ('accessRestriction' in req.body && typeof req.body.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction must be an object'));
 
     const [error] = await safe(applinks.update(req.params.id, req.body));
     if (error) return next(BoxError.toHttpError(error));