diff --git a/.env.example b/.env.example
index c8e3c64..ef5a110 100644
--- a/.env.example
+++ b/.env.example
@@ -2,3 +2,4 @@ OKAPI_URL=CHANGEME
 OKAPI_TENANT=CHANGEME
 OKAPI_USER=CHANGEME
 OKAPI_PASSWORD=CHANGEME
+BARCODE_REGEX=CHANGEORREMOVEME
diff --git a/app/main.py b/app/main.py
index ffbce1c..41d9f29 100644
--- a/app/main.py
+++ b/app/main.py
@@ -1,5 +1,5 @@
 from dotenv import load_dotenv
-from fastapi import APIRouter, FastAPI, Request, Response
+from fastapi import APIRouter, FastAPI, HTTPException, Request, Response
 from fastapi.routing import APIRoute
 from json2xml import json2xml
 from json2xml.utils import readfromstring
@@ -40,11 +40,15 @@ async def read_root():
 
 @router.get("/items/{barcode}")
 async def read_item(
- barcode: int,
+ barcode: str,
 format: Optional[str] = "xml",
 replace: Optional[bool] = True,
 transform: Optional[bool] = True,
 ):
+ barcode_rx = os.getenv('BARCODE_REGEX', r'\d+')
+ if re.fullmatch(barcode_rx, barcode) is None:
+ raise HTTPException(status_code=400, detail="invalid barcode")
+
 url = f"{os.getenv('OKAPI_URL')}/inventory/items"
 params = {"query": f"(barcode=={barcode})"}
 headers = {
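Review bot: The validated barcode is still interpolated unquoted into the CQL string on the `params = {"query": f"(barcode=={barcode})"}` line of read_item, so now that the parameter is a `str` the query is only as safe as whatever BARCODE_REGEX a deployment sets. The default `\d+` lets nothing harmful through, but a wider pattern that admits spaces, parentheses, quotes or `*` would let a request alter the query sent to Okapi. I would quote and escape the term regardless of the regex: `term = re.sub(r'([\\"*?^])', r'\\\1', barcode)` and `params = {"query": f'(barcode=="{term}")'}`. A malformed BARCODE_REGEX also raises `re.error` inside the handler on every request, so compiling it once at startup would fail fast instead. No `import re` is added in this diff, so it presumably already exists in app/main.py outside the visible hunks; read_item's body continues past the end of the hunk.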