diff --git a/src/api/endpoints/proposals/routes.py b/src/api/endpoints/proposals/routes.py
index 9259a341..68771afd 100644
--- a/src/api/endpoints/proposals/routes.py
+++ b/src/api/endpoints/proposals/routes.py
@@ -74,7 +74,10 @@ async def get_agency_locations(
 GetProposalAgencyLocationsQueryBuilder(agency_id=proposed_agency_id)
 )

-@proposal_router.post("/agencies/{proposed_agency_id}/locations/{location_id}")
+@proposal_router.post(
+ "/agencies/{proposed_agency_id}/locations/{location_id}",
+ dependencies=[Depends(get_admin_access_info)],
+)
 async def add_location_to_agency(
 proposed_agency_id: int = Path(
 description="Agency ID to add location to"
@@ -89,7 +92,10 @@ async def add_location_to_agency(
 )
 return MessageResponse(message="Location added to agency.")

-@proposal_router.delete("/agencies/{proposed_agency_id}/locations/{location_id}")
+@proposal_router.delete(
+ "/agencies/{proposed_agency_id}/locations/{location_id}",
+ dependencies=[Depends(get_admin_access_info)],
+)
 async def remove_location_from_agency(
 proposed_agency_id: int = Path(
 description="Agency ID to remove location from"
@@ -104,7 +110,10 @@ async def remove_location_from_agency(
 )
 return MessageResponse(message="Location removed from agency.")

-@proposal_router.put("/agencies/{proposed_agency_id}")
+@proposal_router.put(
+ "/agencies/{proposed_agency_id}",
+ dependencies=[Depends(get_admin_access_info)],
+)
 async def update_agency(
 request: ProposalAgencyPutRequest,
 proposed_agency_id: int = Path(
diff --git a/src/api/endpoints/submit/routes.py b/src/api/endpoints/submit/routes.py
index b7e2344c..eae9d4ba 100644
--- a/src/api/endpoints/submit/routes.py
+++ b/src/api/endpoints/submit/routes.py
@@ -40,7 +40,8 @@ async def submit_url(
 409: {
 "model": SubmitDataSourceURLDuplicateSubmissionResponse
 }
- }
+ },
+ dependencies=[Depends(get_standard_user_access_info)]
 )
 async def submit_data_source(
 request: DataSourceSubmissionRequest,
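Review bot: Admin enforcement on the POST route at `@@ -74` is opt-in per decorator, and the DELETE (`@@ -89`) and PUT (`@@ -104`) hunks repeat the same pattern, so a mutating route added to `proposal_router` later is unauthenticated unless its author remembers the argument. If every mutation under this router is meant to be admin-only, declaring the dependency once on a router that holds only the mutating routes would make the guarded behaviour the default; the router construction is not visible in this diff, so this is something to check rather than a known gap. The diff also carries no import hunk for this file, so `Depends` and `get_admin_access_info` are presumably already imported there, which is worth confirming. All three handler bodies continue outside their hunks.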
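Review bot: Declaring `get_standard_user_access_info` in the decorator's `dependencies` list rejects unauthenticated callers but discards the access info the dependency returns, so `submit_data_source` cannot tie a submission to the account that made it. If submissions should be attributable (for abuse handling or per-user limits), accept it as a handler parameter instead, e.g. `access_info=Depends(get_standard_user_access_info)`; the rest of the signature lies outside the hunk, so it may already do so. The `responses` map still documents only 409, so the authentication-failure status this route can now return is presumably missing from the generated API docs.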
diff --git a/tests/automated/integration/api/test_sensitive_endpoint_auth_config.py b/tests/automated/integration/api/test_sensitive_endpoint_auth_config.py
new file mode 100644
index 00000000..4dc6e287
--- /dev/null
+++ b/tests/automated/integration/api/test_sensitive_endpoint_auth_config.py
@@ -0,0 +1,30 @@
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[4]
+
+
+def test_proposal_mutation_routes_require_admin_auth():
+ proposals_routes = (
+ ROOT / "src" / "api" / "endpoints" / "proposals" / "routes.py"
+ ).read_text()
+
+ assert '"/agencies/{proposed_agency_id}/locations/{location_id}",\n dependencies=[Depends(get_admin_access_info)],' in proposals_routes
+ assert '"/agencies/{proposed_agency_id}",\n dependencies=[Depends(get_admin_access_info)],' in proposals_routes
+
+
+def test_submit_data_source_requires_authenticated_user():
+ submit_routes = (
+ ROOT / "src" / "api" / "endpoints" / "submit" / "routes.py"
+ ).read_text()
+
+ assert (
+ '"/data-source",\n'
+ " response_model=SubmitDataSourceURLProposalResponse,\n"
+ " responses={\n"
+ " 409: {\n"
+ ' "model": SubmitDataSourceURLDuplicateSubmissionResponse\n'
+ " }\n"
+ " },\n"
+ " dependencies=[Depends(get_standard_user_access_info)]"
+ ) in submit_routes
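Review bot: The first assertion in `test_proposal_mutation_routes_require_admin_auth` cannot tell the POST and DELETE routes apart: both use the same path string, so one `in` match still passes if either route loses its dependency. Both tests also match source text byte for byte, so a formatter reflow fails them, while a guard that names an unimported function or is bypassed elsewhere in the file still passes. Checking the registered routes pins the method, the path and the dependency callable actually attached. This assumes the route module can be imported in this test environment, and it needs `proposal_router` and `get_admin_access_info` imported into the test. The same rewrite applies to `test_submit_data_source_requires_authenticated_user`.

```python
def _guards(router, method, path_suffix):
    # Dependency callables declared on the matching registered route.
    for route in router.routes:
        methods = getattr(route, "methods", None) or ()
        if method in methods and route.path.endswith(path_suffix):
            return {dep.dependency for dep in route.dependencies}
    raise AssertionError(f"{method} {path_suffix} is not registered")


def test_proposal_mutation_routes_require_admin_auth():
    locations = "/agencies/{proposed_agency_id}/locations/{location_id}"
    for method, suffix in (
        ("POST", locations),
        ("DELETE", locations),
        ("PUT", "/agencies/{proposed_agency_id}"),
    ):
        assert get_admin_access_info in _guards(proposal_router, method, suffix)

# … unchanged: test_submit_data_source_requires_authenticated_user …
```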