diff --git a/endpoints/common.py b/endpoints/common.py
index e404bde05..4a6a78983 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
@@ -67,6 +67,17 @@ def truthy_param(param):
 return param not in {False, 'false', 'False', '0', 'FALSE', '', 'null'}
+def param_required(param_name):
+ def wrapper(wrapped):
+ @wraps(wrapped)
+ def decorated(*args, **kwargs):
+ if param_name not in request.args:
+ abort(make_response('Required param: %s' % param_name, 400))
+ return wrapped(*args, **kwargs)
+ return decorated
+ return wrapper
+
+
 @login_manager.user_loader
 def load_user(username):
 logger.debug('User loader loading deferred user: %s' % username)
@@ -198,7 +209,7 @@ def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
 build_request = model.create_repository_build(repository, token, job_config,
 dockerfile_id, build_name,
- trigger, pull_robot_name = pull_robot_name)
+ trigger, pull_robot_name=pull_robot_name)
 dockerfile_build_queue.put([repository.namespace, repository.name], json.dumps({
 'build_uuid': build_request.uuid,
diff --git a/endpoints/web.py b/endpoints/web.py
index 7cd95f1a1..5b3768e3d 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -14,7 +14,7 @@ from auth.permissions import AdministerOrganizationPermission
 from util.invoice import renderInvoiceToPdf
 from util.seo import render_snapshot
 from util.cache import no_cache
-from endpoints.common import common_login, render_page_template, route_show_if, route_hide_if
+from endpoints.common import common_login, render_page_template, route_show_if, param_required
 from endpoints.csrf import csrf_protect, generate_csrf_token
 from util.names import parse_repository_name
 from util.gravatar import compute_hash
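Review bot: `param_required` consults only `request.args`, so it cannot guard a form-encoded POST handler, yet the same patch applies it to `/oauth/access_token`, whose body reads `request.form`. Let the caller pick the source while keeping the query-only default, e.g. `def param_required(param_name, allow_body=False):` with `source = request.values if allow_body else request.args` and `if param_name not in source:`. The check is presence-only, so `?client_id=` passes; the handlers presumably validate the value, but a docstring stating "rejects absent, not empty, parameters" would make that contract explicit. `wraps`, `request`, `abort` and `make_response` must already be imported in common.py; that is outside the hunk.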
@@ -190,9 +190,9 @@ def receipt():
 abort(401)
 return
- id = request.args.get('id')
- if id:
- invoice = stripe.Invoice.retrieve(id)
+ invoice_id = request.args.get('id')
+ if invoice_id:
+ invoice = stripe.Invoice.retrieve(invoice_id)
 if invoice:
 user_or_org = model.get_user_or_org_by_customer_id(invoice.customer)
@@ -315,6 +315,9 @@ def deny_application():
 @web.route('/oauth/authorize', methods=['GET'])
 @no_cache
+@param_required('client_id')
+@param_required('redirect_uri')
+@param_required('scope')
 def request_authorization_code():
 provider = FlaskAuthorizationProvider()
 response_type = request.args.get('response_type', 'code')
@@ -364,6 +367,12 @@ def request_authorization_code():
 @web.route('/oauth/access_token', methods=['POST'])
 @no_cache
+@param_required('grant_type')
+@param_required('client_id')
+@param_required('client_secret')
+@param_required('redirect_uri')
+@param_required('code')
+@param_required('scope')
 def exchange_code_for_token():
 grant_type = request.form.get('grant_type', None)
 client_id = request.form.get('client_id', None)
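Review bot: The three `@param_required` decorators answer a missing parameter with a plain 400 before `request_authorization_code` runs, which is the right call for `client_id` and `redirect_uri` (RFC 6749 §4.1.2.1: do not redirect when the client or its redirect URI cannot be verified), but it also applies to `scope`, which a server may instead report by redirecting with `error=invalid_request` and the client's `state`. If the direct 400 for `scope` is intentional, a comment above the decorators such as `# Missing params are answered with a direct 400, not an OAuth error redirect: redirect_uri is only checked for presence at this point` would spare the next reader the question. The function body continues past the hunk, so whether `redirect_uri` is later validated against the registered client value is not visible here.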
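Review bot: These decorators check `request.args`, but the handler reads `grant_type` and `client_id` from `request.form` (the two visible lines), so a correct token request carrying its parameters only in the POST body is rejected with 400 before the handler runs. The only way for a client to pass the check is to repeat `client_secret` and `code` in the query string, which lands them in access and proxy logs; the check for this endpoint should look at `request.form` (or `request.values`) instead. Separately, `scope` is not part of the authorization-code token request in RFC 6749 §4.1.3, so `@param_required('scope')` will reject conforming clients unless this server's clients are known to send it. The handler body continues beyond the hunk.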