diff --git a/app/api.js b/app/api.js
index 58b75cb0..6b4a1695 100644
--- a/app/api.js
+++ b/app/api.js
@@ -1,12 +1,16 @@
 import { arrayToB64, b64ToArray, delay } from './utils';
 import { ECE_RECORD_SIZE } from './ece';
 
-function post(obj) {
+function post(obj, bearerToken) {
+  const h = {
+    'Content-Type': 'application/json'
+  };
+  if (bearerToken) {
+    h['Authentication'] = `Bearer ${bearerToken}`;
+  }
   return {
     method: 'POST',
-    headers: new Headers({
-      'Content-Type': 'application/json'
-    }),
+    headers: new Headers(h),
     body: JSON.stringify(obj)
   };
 }
@@ -43,13 +47,16 @@ export async function del(id, owner_token) {
   return response.ok;
 }
 
-export async function setParams(id, owner_token, params) {
+export async function setParams(id, owner_token, bearerToken, params) {
   const response = await fetch(
     `/api/params/${id}`,
-    post({
-      owner_token,
-      dlimit: params.dlimit
-    })
+    post(
+      {
+        owner_token,
+        dlimit: params.dlimit
+      },
+      bearerToken
+    )
   );
   return response.ok;
 }
diff --git a/app/fileManager.js b/app/fileManager.js
index 4dd61ad3..c3065f2c 100644
--- a/app/fileManager.js
+++ b/app/fileManager.js
@@ -56,7 +56,11 @@ export default function(state, emitter) {
   });
 
   emitter.on('changeLimit', async ({ file, value }) => {
-    await file.changeLimit(value);
+    const ok = await file.changeLimit(value, state.user);
+    if (!ok) {
+      // TODO
+      return;
+    }
     state.storage.writeFile(file);
     metrics.changedDownloadLimit(file);
   });
@@ -138,6 +142,7 @@ export default function(state, emitter) {
       metrics.completedUpload(ownedFile);
 
       state.storage.addFile(ownedFile);
+      // TODO integrate password and limit into /upload request
       if (password) {
         emitter.emit('password', { password, file: ownedFile });
       }
diff --git a/app/ownedFile.js b/app/ownedFile.js
index 7fd8a94b..3fef67cb 100644
--- a/app/ownedFile.js
+++ b/app/ownedFile.js
@@ -48,10 +48,10 @@ export default class OwnedFile {
     return del(this.id, this.ownerToken);
   }
 
-  changeLimit(dlimit) {
+  changeLimit(dlimit, user = {}) {
     if (this.dlimit !== dlimit) {
       this.dlimit = dlimit;
-      return setParams(this.id, this.ownerToken, { dlimit });
+      return setParams(this.id, this.ownerToken, user.bearerToken, { dlimit });
     }
     return Promise.resolve(true);
   }
diff --git a/app/pages/welcome/index.js b/app/pages/welcome/index.js
index c64a1416..e94c42e5 100644
--- a/app/pages/welcome/index.js
+++ b/app/pages/welcome/index.js
@@ -129,7 +129,7 @@ module.exports = function(state, emit) {
 
     emit('upload', {
       type: 'click',
-      dlCount: state.downloadCount,
+      dlCount: state.downloadCount || 1,
       password: state.password
     });
   }
diff --git a/public/locales/en-US/send.ftl b/public/locales/en-US/send.ftl
index 29218ca5..fc462745 100644
--- a/public/locales/en-US/send.ftl
+++ b/public/locales/en-US/send.ftl
@@ -84,8 +84,14 @@ errorPageHeader = Something went wrong!
 errorPageMessage = There has been an error uploading the file.
 errorPageLink = Send another file
 fileTooBig = That file is too big to upload. It should be less than { $size }.
-tooManyFiles = Only { $count } files can be uploaded at a time.
-tooManyArchives = Only { $count } archives are allowed.
+# count will always be > 10
+tooManyFiles = { $count ->
+    *[other] Only { $count } files can be uploaded at a time.
+}
+# count will always be > 10
+tooManyArchives = { $count ->
+    *[other] Only { $count } archives are allowed.
+}
 linkExpiredAlt = Link expired
 expiredPageHeader = This link has expired or never existed in the first place!
 notSupportedHeader = Your browser is not supported.
diff --git a/server/routes/index.js b/server/routes/index.js
index 590becb4..08c2cf4a 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -87,7 +87,12 @@ module.exports = function(app) {
   app.post('/api/upload', auth.fxa, require('./upload'));
   app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
   app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));
-  app.post(`/api/params/:id${ID_REGEX}`, auth.owner, require('./params'));
+  app.post(
+    `/api/params/:id${ID_REGEX}`,
+    auth.owner,
+    auth.fxa,
+    require('./params')
+  );
   app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
 
   app.get('/__version__', function(req, res) {
diff --git a/server/routes/params.js b/server/routes/params.js
index 24d1546f..08e22f25 100644
--- a/server/routes/params.js
+++ b/server/routes/params.js
@@ -2,9 +2,9 @@ const config = require('../config');
 const storage = require('../storage');
 
 module.exports = function(req, res) {
+  const max = req.user ? config.max_downloads : config.anon_max_downloads;
   const dlimit = req.body.dlimit;
-  // TODO: fxa auth
-  if (!dlimit || dlimit > config.max_downloads) {
+  if (!dlimit || dlimit > max) {
     return res.sendStatus(400);
   }