diff --git a/app/controllers/api/v1/steps_controller.rb b/app/controllers/api/v1/steps_controller.rb
index 1bbebd5b2..a25760f52 100644
--- a/app/controllers/api/v1/steps_controller.rb
+++ b/app/controllers/api/v1/steps_controller.rb
@@ -77,7 +77,11 @@ module Api
 def load_step_for_managing
 @step = @protocol.steps.find(params.require(:id))
- raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol)
+ if step_params.key?(:completed) && step_params.except(:completed).blank?
+ raise PermissionError.new(Step, :toggle_completion) unless can_complete_or_checkbox_step?(@step.protocol)
+ else
+ raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol)
+ end
 end
 def log_activity(type_of, message_items = {})
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 2cc45499c..64568adee 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2708,6 +2708,9 @@ en:
 manage_permission:
 title: "Permission denied"
 detail: "You don't have permission to manage %{model}"
+ toggle_completion_permission:
+ title: "Permission denied"
+ detail: "You don't have permission to toggle %{model} completion"
 read_users_permission:
 title: "Permission denied"
 detail: "You don't have permission to read users on %{model}"
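Review bot: The new branch in `load_step_for_managing` selects the weaker `can_complete_or_checkbox_step?` check from the shape of the request body alone, so every action that runs this filter inherits the relaxed path, not only the completion toggle. The `before_action` declaration for this filter is outside the hunk; if it also guards `destroy` or another write action, a body carrying only `completed` would be authorised with the completion permission instead of `can_manage_protocol_in_module?`. Tying the branch to the action closes that, e.g. `if action_name == 'update' && step_params.key?(:completed) && step_params.except(:completed).blank?`. It is also worth confirming that `step_params` cannot raise on a request without a body, since it is now evaluated before any permission check, and adding a request spec where a completion-only user sends `completed` together with another attribute and is refused.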