diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
index 845d30a72..bed99e47d 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@@ -544,6 +544,7 @@ public class AccountController {
 @PUT
 @Path("/attributes/")
 @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
 @ChangesDeviceEnabledState
 public void setAccountAttributes(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth,
 @HeaderParam("X-Signal-Agent") String userAgent,
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
index ab69edffd..f47ad996b 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
@@ -8,6 +8,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.annotations.VisibleForTesting;
 import javax.validation.constraints.Size;
 import org.whispersystems.textsecuregcm.storage.Device.DeviceCapabilities;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
 
 public class AccountAttributes {
 
@@ -25,6 +26,7 @@ public class AccountAttributes {
 private String registrationLock;
 
 @JsonProperty
+ @ExactlySize({0, 16})
 private byte[] unidentifiedAccessKey;
 
 @JsonProperty
@@ -80,4 +82,9 @@ public class AccountAttributes {
 public boolean isDiscoverableByPhoneNumber() {
 return discoverableByPhoneNumber;
 }
+
+ @VisibleForTesting
+ public void setUnidentifiedAccessKey(final byte[] unidentifiedAccessKey) {
+ this.unidentifiedAccessKey = unidentifiedAccessKey;
+ }
 }
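Review bot: `@Produces(MediaType.APPLICATION_JSON)` on the `void` method `setAccountAttributes` in AccountController.java has no reason visible in the code, so a later cleanup could remove it as a mistake. If its purpose is to have validation failures (the 422 the new test expects) rendered as a JSON error body, record that above the annotation, e.g. `// returns no body on success; @Produces is here so validation errors are rendered as JSON`. It also affects content negotiation: a client whose `Accept` header excludes `application/json` would presumably now be answered with 406 instead of 204, so it is worth confirming that no deployed client sends such a header. The method's parameter list and body continue outside the hunk.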
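Review bot: `@ExactlySize({0, 16})` on `unidentifiedAccessKey` in AccountAttributes.java accepts a zero-length key, and nothing in this diff shows how an empty array is treated once it is stored. Wherever a presented access key is later compared with the stored one, an empty stored key should mean "no key set" and must never count as a match for an empty presented value; that consumer is outside this diff, so please confirm it. It is also not visible here whether `ExactlySize` treats `null` as valid, which matters for clients that omit the field. A comment such as `// empty = no key set; otherwise exactly 16 bytes` above the annotation would record the intent behind the two literal sizes.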
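Review bot: The new public `setUnidentifiedAccessKey` in AccountAttributes.java lets any caller replace the key after request validation has run, so an `AccountAttributes` instance is no longer guaranteed to satisfy `@ExactlySize`; `@VisibleForTesting` is advisory only and does not restrict callers. Passing the key through the constructor the test already uses would keep the entity free of mutators. If the setter stays, document it, e.g. `/** Test-only: sets the key directly and bypasses request validation. */`. The setter also stores the caller's array without copying, which is harmless in the test but worth noting in that comment.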
diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
index 3fd37cb3b..06778915b 100644
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
@@ -1673,6 +1673,21 @@ class AccountControllerTest {
 assertThat(response.getStatus()).isEqualTo(204);
 }
 
+ @Test
+ void testSetAccountAttributesBadUnidentifiedKeyLength() {
+ final AccountAttributes attributes = new AccountAttributes(false, 2222, null, null, false, null);
+ attributes.setUnidentifiedAccessKey(new byte[7]);
+
+ Response response =
+ resources.getJerseyTest()
+ .target("/v1/accounts/attributes/")
+ .request()
+ .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+ .put(Entity.json(attributes));
+
+ assertThat(response.getStatus()).isEqualTo(422);
+ }
+
 @Test
 void testDeleteAccount() throws InterruptedException {
 Response response =
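Review bot: `testSetAccountAttributesBadUnidentifiedKeyLength` exercises a single rejected length (7), so the two accepted sizes in `@ExactlySize({0, 16})` and the boundaries next to them are untested. Cases for 0 and 16 bytes expecting 204, and for 15 and 17 bytes expecting 422, would catch an off-by-one or an over-strict validator; a `null` key case would pin the behaviour for clients that omit the field. The test asserts only the status code; if `@Produces` on the endpoint was added to shape the error response, an assertion on the response media type would lock that in as well.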