diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index 70f850e89..d093b0c91 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -10,6 +10,7 @@ class API::V2::BaseController < ApplicationController
 before_action :authenticate_from_token
 before_action :ensure_authorized_network, if: -> { @api_token.present? }
 before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
+ before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }
 before_action do
 Current.browser = 'api'
@@ -55,6 +56,12 @@ class API::V2::BaseController < ApplicationController
 end
 end
+ def allow_only_persisted_queries
+ if params[:queryId].blank?
+ render json: graphql_error('Without a token, only persisted queries are allowed', :forbidden), status: :forbidden
+ end
+ end
+
 def ensure_authorized_network
 if @api_token.forbidden_network?(request.remote_ip)
 address = IPAddr.new(request.remote_ip)
diff --git a/app/controllers/api/v2/dossiers_controller.rb b/app/controllers/api/v2/dossiers_controller.rb
index a07ef34eb..a13d0d473 100644
--- a/app/controllers/api/v2/dossiers_controller.rb
+++ b/app/controllers/api/v2/dossiers_controller.rb
@@ -1,6 +1,7 @@
 class API::V2::DossiersController < API::V2::BaseController
 before_action :ensure_dossier_present
 skip_before_action :authenticate_from_token
+ skip_before_action :allow_only_persisted_queries
 def pdf
 @acls = PiecesJustificativesService.new(user_profile: Administrateur.new, export_template: nil).acl_for_dossier_export(dossier.procedure)
diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index 26750062e..0c4a65312 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
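Review bot: The `if: -> { @api_token.blank? }` condition on the new `before_action :allow_only_persisted_queries` makes the guard fire for every request in any subclass that skips `authenticate_from_token`, because `@api_token` is then never assigned; the commit handles `DossiersController`, but the coupling between the two callbacks is implicit. A one-line comment on the new callback would spare the next subclass author the surprise: `# Runs only when authenticate_from_token found no token; a controller that skips that callback must skip this one too`. The `before_action` list continues outside the hunk.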
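Review bot: `allow_only_persisted_queries` accepts any non-blank `params[:queryId]` — it neither verifies that the id names a known stored query nor rejects a request that also carries a raw `query` alongside the id. Whether that raw `query` is then executed depends on how the GraphQL controller chooses between `queryId` and `query`, which is outside this hunk; unless it already ignores `query` whenever `queryId` is present, the guard should refuse the combination: `if params[:queryId].blank? || params[:query].present?`. A short comment naming where an unknown `queryId` is rejected (presumably in the GraphQL controller, to confirm) would also make the trust boundary readable from this method alone.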
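Review bot: The new `skip_before_action :allow_only_persisted_queries` is required rather than optional here — with `authenticate_from_token` skipped on the line above, `@api_token` is never set, so the base class's guard (conditioned on `@api_token.blank?`) would otherwise reject every `pdf` request — but nothing in the file says so. A why-comment on the new line would make that explicit: `# No token is read here (authenticate_from_token is skipped), so the base class's persisted-query guard would block every request`. The `pdf` action continues outside the hunk.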
@@ -131,7 +131,7 @@ describe API::V2::GraphqlController do
 end
 it {
- expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+ expect(gql_errors.first[:message]).to eq("Without a token, only persisted queries are allowed")
 }
 end
@@ -158,7 +158,7 @@ describe API::V2::GraphqlController do
 it {
 expect(token).not_to be_nil
- expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+ expect(gql_errors.first[:message]).to eq("Without a token, only persisted queries are allowed")
 }
 end
diff --git a/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb b/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
index dfd5ed005..da2189872 100644
--- a/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
@@ -47,6 +47,24 @@ describe API::V2::GraphqlController do
 }
 end
+ describe 'when not authenticated' do
+ let(:variables) { { dossierNumber: dossier.id } }
+ let(:operation_name) { 'getDossier' }
+ let!(:authorization_header) { nil }
+
+ context 'with query' do
+ let(:query) { 'query getDossier($dossierNumber: Int!) { dossier(number: $dossierNumber) { id } }' }
+
+ it { expect(gql_errors.first[:message]).to eq('Without a token, only persisted queries are allowed') }
+ end
+
+ context 'with queryId' do
+ let(:query_id) { 'ds-query-v2' }
+
+ it { expect(gql_errors.first[:message]).to eq('An object of type Dossier was hidden due to permissions') }
+ end
+ end
+
 describe 'ds-query-v2' do
 let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure:, depose_at: 4.days.ago) }
 let(:query_id) { 'ds-query-v2' }
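Review bot: The rewritten expectation inside `it { ... }` checks only the error message, while `allow_only_persisted_queries` also renders with `status: :forbidden`; a regression that keeps the message but answers 200 would still pass. Pin the status next to the message: `expect(response).to have_http_status(:forbidden)`. The enclosing `describe`/`context` starts outside the hunk, so the request setup this expectation relies on (no token, no `queryId`) is assumed rather than visible.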
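Review bot: The new `describe 'when not authenticated'` covers a bare `query` and a bare `queryId` but not the case the guard is weakest on: a request carrying a non-blank `queryId` and a raw `query` at the same time, which `allow_only_persisted_queries` lets through because it only tests `params[:queryId].blank?`. A third context should pin that the raw query is not executed; the expected message below assumes the guard is tightened to reject the combination — if the GraphQL controller instead ignores `query` whenever `queryId` is set, pin the permissions message used in the `with queryId` context. `let!(:authorization_header) { nil }` can probably be a plain `let`, since nothing visible needs it evaluated eagerly.
```ruby
context 'with queryId and query' do
  let(:query_id) { 'ds-query-v2' }
  let(:query) { 'query getDossier($dossierNumber: Int!) { dossier(number: $dossierNumber) { id } }' }

  it { expect(gql_errors.first[:message]).to eq('Without a token, only persisted queries are allowed') }
end
```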