diff --git a/app/api/alpha/utils/reply.py b/app/api/alpha/utils/reply.py
index e9588975..781058cf 100644
--- a/app/api/alpha/utils/reply.py
+++ b/app/api/alpha/utils/reply.py
@@ -125,7 +125,9 @@ def post_reply(auth, data):
     body = data['body']
     post_id = data['post_id']
     parent_id = data['parent_id'] if 'parent_id' in data else None
-    language_id = data['language_id'] if 'language_id' in data else 2
+    language_id = data['language_id'] if 'language_id' in data else 2 # FIXME: use site language
+    if language_id < 2:
+        language_id = 2 # FIXME: use site language
     input = {'body': body, 'notify_author': True, 'language_id': language_id}
     post = Post.query.get(post_id)
@@ -145,7 +147,9 @@ def put_reply(auth, data):
     reply_id = data['comment_id']
     body = data['body'] if 'body' in data else ''
-    language_id = data['language_id'] if 'language_id' in data else 2
+    language_id = data['language_id'] if 'language_id' in data else 2 # FIXME: use site language
+    if language_id < 2:
+        language_id = 2 # FIXME: use site language
     input = {'body': body, 'notify_author': True, 'language_id': language_id}
     reply = PostReply.query.get(reply_id)
diff --git a/app/shared/reply.py b/app/shared/reply.py
index 27ee1a99..53239754 100644
--- a/app/shared/reply.py
+++ b/app/shared/reply.py
@@ -352,7 +352,7 @@ def make_reply(input, post, parent_id, src, auth=None):
 def edit_reply(input, reply, post, src, auth=None):
     if src == SRC_API:
-        user = authorise_api_user(auth, return_type='model')
+        user = authorise_api_user(auth, return_type='model', id_match=reply.user_id)
     content = input['body']
     notify_author = input['notify_author']
     language_id = input['language_id']
diff --git a/app/utils.py b/app/utils.py
index bf431def..29fc7c7c 100644
--- a/app/utils.py
+++ b/app/utils.py
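Review bot: The new clamp `if language_id < 2:` in post_reply assumes the `language_id` taken from `data` is an int; unless the request is validated upstream (not visible here), a string or `None` sent by an API client makes the comparison raise `TypeError`, so the request dies with an unhandled exception rather than a clean error. Only a lower bound is enforced, so any arbitrarily large or non-existent id still passes through to `input` unchecked. Tightening the guard to `if not isinstance(language_id, int) or language_id < 2: language_id = 2  # FIXME: use site language` covers the type problem and keeps the intent; rejecting unknown ids would need a lookup that is out of scope for this hunk. post_reply's body continues past the hunk.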
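Review bot: The clamp added to put_reply is a verbatim copy of the one added to post_reply, down to the two identical FIXME comments, so the eventual site-language fix (and any type check) has to be applied in two places and can drift. A small module-private helper that reads, validates and defaults the id — called as `language_id = _language_id_from(data)` in both handlers — would keep the rule and its single FIXME in one place. It carries the same caveat as the post_reply hunk: a non-int `language_id` from the client makes `<` raise `TypeError`. put_reply's body continues past the hunk.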
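Review bot: Passing `id_match=reply.user_id` makes the ownership check surface as `Exception('incorrect_login')` out of authorise_api_user, so a client holding a valid token for a different account is told its login is wrong rather than that it may not edit this comment; a distinct error such as `not_authorised`, mapped to 403 rather than 401 by the API layer, would be accurate and would stop authorisation bugs from hiding behind credential errors. `reply.user_id` is dereferenced before any check that `reply` is not None — if the caller's `PostReply.query.get(reply_id)` can return None this becomes an `AttributeError`; whether the caller guards that is outside the hunk. The check runs only on the `src == SRC_API` path, so whatever protects other callers of edit_reply is not visible here. edit_reply's body continues past the hunk.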
@@ -1281,7 +1281,7 @@ def add_to_modlog_activitypub(action: str, actor: User, community_id: int = None
     db.session.commit()
 
 
-def authorise_api_user(auth, return_type='id'):
+def authorise_api_user(auth, return_type=None, id_match=None):
     if not auth:
         raise Exception('incorrect_login')
     token = auth[7:] # remove 'Bearer '
@@ -1293,7 +1293,9 @@ def authorise_api_user(auth, return_type='id'):
     issued_at = decoded['iat'] # use to check against blacklisted JWTs
     user = User.query.filter_by(id=user_id, ap_id=None, verified=True, banned=False, deleted=False).scalar()
     if user:
-        if return_type == 'model':
+        if id_match and user.id != id_match:
+            raise Exception('incorrect_login')
+        if return_type and return_type == 'model':
             return user
         else:
             return user.id
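Review bot: The new signature adds `id_match` and changes `return_type`'s default from `'id'` to `None`, but authorise_api_user has no docstring, so the contract of the new parameter is only discoverable by reading the body further down. A docstring stating that `id_match`, when given, must equal the authenticated user's id or `incorrect_login` is raised, that `return_type='model'` returns the User object and any other value returns its id, and that `auth` is expected to be a `'Bearer '`-prefixed header value would make the security-relevant behaviour explicit for callers. The body of authorise_api_user continues past the hunk.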
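Review bot: `if id_match and user.id != id_match:` skips the ownership check whenever `id_match` is falsy, so an `id_match` of `0` is accepted for any authenticated user; `if id_match is not None and user.id != id_match:` applies the guard to every id a caller actually supplies. The mismatch raises the same `'incorrect_login'` as a missing or invalid token, conflating an authorisation failure with an authentication one — a separate exception string would let the API layer return 403 instead of 401 and keeps audit logs meaningful. `return_type and return_type == 'model'` is equivalent to `return_type == 'model'`, since `None == 'model'` is already False. The function continues past the hunk.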