diff --git a/engines/bops_submissions/app/controllers/bops_submissions/v2/authenticated_controller.rb b/engines/bops_submissions/app/controllers/bops_submissions/v2/authenticated_controller.rb
index 2a89081490..7d8dea9bd2 100644
--- a/engines/bops_submissions/app/controllers/bops_submissions/v2/authenticated_controller.rb
+++ b/engines/bops_submissions/app/controllers/bops_submissions/v2/authenticated_controller.rb
@@ -12,13 +12,27 @@ def required_api_key_scope = "planning_application"
 def authenticate_api_user
 return nil unless current_local_authority

- if sqid_param?
+ if bare_token?
+ authenticate_with_token
+ elsif sqid_param?
 authenticate_with_hmac_signature
 else
 super
 end
 end

+ def api_users
+ current_local_authority.api_users
+ end
+
+ def bare_token?
+ request.authorization.to_s.match?(ApiUser::TOKEN_FORMAT)
+ end
+
+ def authenticate_with_token
+ api_users.authenticate(request.authorization.to_s)
+ end
+
 def sqid_param?
 params[:sqid].present?
 end
@@ -28,7 +42,7 @@ def authenticate_with_hmac_signature
 signature = request.authorization.to_s
 timestamp = request.headers["tq-timestamp"].to_s

- current_local_authority.api_users.authenticate_with_hmac(sqid, signature, timestamp)
+ api_users.authenticate_with_hmac(sqid, signature, timestamp)
 end
 end
 end
diff --git a/engines/bops_submissions/spec/requests/v2/submissions_spec.rb b/engines/bops_submissions/spec/requests/v2/submissions_spec.rb
index 09c0f7055c..65d00d4371 100644
--- a/engines/bops_submissions/spec/requests/v2/submissions_spec.rb
+++ b/engines/bops_submissions/spec/requests/v2/submissions_spec.rb
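Review bot: In `authenticate_api_user` the new `bare_token?` branch is tested before `sqid_param?`, so a request that carries `sqid` together with a token-shaped `Authorization` value never reaches `authenticate_with_hmac_signature`, and the signature and `tq-timestamp` values are not consulted for it. If sqid-addressed requests are meant to stay HMAC-only, test `sqid_param?` first and make the token case the `elsif bare_token?` branch. `bare_token?` also rests entirely on `ApiUser::TOKEN_FORMAT`, which is not visible in this diff; it should be anchored with `\A` and `\z` so that only a header consisting of nothing but a token takes this path. It is also worth confirming that `api_users.authenticate` applies the same checks as the `super` path (presumably including `required_api_key_scope`), and a comment such as `# Authorization header holds the raw API token, without a "Bearer " prefix` above `bare_token?` would record the accepted form.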
@@ -51,9 +51,30 @@
 response "200", "submission accepted" do
 schema "$ref" => "#/components/schemas/SubmissionResponse"

- let(:Authorization) { "Bearer #{token}" }
-
 context "for planning portal" do
+ let(:Authorization) { "Bearer #{token}" }
+
+ let(:schema) { "planning-portal" }
+ let(:event) { valid_planning_portal_submission_event }
+
+ before do
+ stub_request(:get, event["documentLinks"].first["documentLink"])
+ .to_return(
+ status: 200,
+ body: file_fixture_submissions("applications/PT-10087984.zip"),
+ headers: {"Content-Type" => "application/zip"}
+ )
+ end
+
+ run_test! do |response|
+ body = JSON.parse(response.body)
+ expect(body["uuid"]).to match(/[0-9a-f-]{36}/)
+ end
+ end
+
+ context "for planning portal with a bare token" do
+ let(:Authorization) { token }
+
 let(:schema) { "planning-portal" }
 let(:event) { valid_planning_portal_submission_event }

@@ -73,6 +94,8 @@
 end

 context "for odp" do
+ let(:Authorization) { "Bearer #{token}" }
+
 context "for planning applications" do
 let(:event) { valid_planx_submission_event }
 run_test! do |response|
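Review bot: The added context `"for planning portal with a bare token"` exercises only the accepted case, so nothing in this hunk pins what happens when a bare `Authorization` value has the token format but does not belong to an API user of the current local authority. A sibling example under the failure response (not visible here) with `let(:Authorization)` set to such a value would show the new branch rejects it rather than falling through. If this endpoint can also be called with `sqid`, a case that sends a bare token together with `sqid` would fix the intended precedence between token and HMAC authentication in a test. The new `run_test!` block also checks the `uuid` with an unanchored pattern, `match(/[0-9a-f-]{36}/)`; `match(/\A[0-9a-f-]{36}\z/)` would reject longer strings. The enclosing `response "200"` block starts and ends outside the hunk.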