diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index dbc9df1d6..31983cd2e 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -1,6 +1,6 @@
 class CaseLogsController < ApplicationController
- skip_before_action :verify_authenticity_token, if: :json_create_request?
- before_action :authenticate, if: :json_create_request?
+ skip_before_action :verify_authenticity_token, if: :json_api_request?
+ before_action :authenticate, if: :json_api_request?

 def index
 @submitted_case_logs = CaseLog.where(status: 1)
@@ -8,7 +8,7 @@ class CaseLogsController < ApplicationController
 end

 def create
- case_log = CaseLog.create(create_params)
+ case_log = CaseLog.create(api_case_log_params)
 respond_to do |format|
 format.html { redirect_to case_log }
 format.json do
@@ -21,6 +21,15 @@ class CaseLogsController < ApplicationController
 end
 end

+ def update
+ @case_log = CaseLog.find(params[:id])
+ if @case_log.update(api_case_log_params)
+ render json: @case_log, status: :ok
+ else
+ render json: { errors: @case_log.errors.full_messages }, status: :unprocessable_entity
+ end
+ end
+
 # We don't have a dedicated non-editable show view
 def show
 edit
@@ -65,6 +74,8 @@ class CaseLogsController < ApplicationController

 private

+ API_ACTIONS = %w[create update].freeze
+
 def question_responses(questions_for_page)
 questions_for_page.each_with_object({}) do |(question_key, question_info), result|
 question_params = params["case_log"][question_key]
@@ -79,15 +90,15 @@ private
 end
 end

- def json_create_request?
- (request["action"] == "create") && request.format.json?
+ def json_api_request?
+ API_ACTIONS.include?(request["action"]) && request.format.json?
 end

 def authenticate
 http_basic_authenticate_or_request_with name: ENV["API_USER"], password: ENV["API_KEY"]
 end

- def create_params
+ def api_case_log_params
 return {} unless params[:case_log]
 params.require(:case_log).permit(CaseLog.editable_fields)
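Review bot: The CSRF exemption on the first added line is only safe because the `authenticate` callback directly below it is gated by the same predicate, and nothing in the code records that invariant; a later edit that widens `API_ACTIONS` or changes one `if:` without the other would leave an action with neither CSRF protection nor a credentials check. Add a comment above the pair such as `# JSON API requests skip CSRF only because they must present HTTP basic credentials (see #authenticate); keep both conditions identical.` The predicate itself is defined in the last hunk of this file, which is cut off in this view; it keys on `request["action"]`, where the controller's own `action_name` would express the same thing without going through the params hash.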
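Review bot: The new `update` action is authenticated only when `json_api_request?` holds, so a PATCH whose format is not JSON (no JSON `Accept` header, form-encoded body) reaches `@case_log.update` with no credentials check at all, with only the CSRF token in the way, and unlike `create` there is no `respond_to` that limits the formats served. Unless ApplicationController (outside this diff) enforces a session login, require authentication for `update` regardless of format, e.g. `before_action :authenticate, only: :update`, or reject non-JSON requests up front with `head :not_acceptable unless request.format.json?`. `CaseLog.find(params[:id])` also lets any caller holding the shared API credentials update any record; if case logs belong to an owning organisation, scope the lookup to it.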
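Review bot: `API_ACTIONS` is declared below the `private` keyword, but `private` has no effect on constants, so it remains reachable as `CaseLogsController::API_ACTIONS` while reading as if it were hidden. Either move the constant up with the other class-level declarations or add `private_constant :API_ACTIONS` immediately after it. A one-line comment stating its role would also help, e.g. `# Actions that may be driven through the JSON API (CSRF exempt, HTTP basic auth required).`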
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index 6b5eb68bd..174f88de4 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@@ -1,7 +1,6 @@
 require "rails_helper"

 RSpec.describe CaseLogsController, type: :request do
-
 let(:api_username) { "test_user" }
 let(:api_password) { "test_password" }
 let(:basic_credentials) do
@@ -106,7 +105,11 @@ RSpec.describe CaseLogsController, type: :request do
 end

 before do
- post "/case_logs/#{case_log.id}", headers: headers, params: params.to_json
+ patch "/case_logs/#{case_log.id}", headers: headers, params: params.to_json
+ end
+
+ it "returns http success" do
+ expect(response).to have_http_status(:success)
 end

 it "updates the case log with the given fields and keeps original values where none are passed" do
@@ -114,5 +117,15 @@ RSpec.describe CaseLogsController, type: :request do
 expect(case_log.tenant_code).to eq("New Value")
 expect(case_log.property_postcode).to eq("Old Value")
 end
+ context "request with invalid credentials" do
+ let(:basic_credentials) do
+ ActionController::HttpAuthentication::Basic.encode_credentials(api_username, "Oops")
+ end
+
+ it "returns 401" do
+ expect(response).to have_http_status(:unauthorized)
+ end
+ end
 end
 end
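Review bot: `have_http_status(:success)` in the added example accepts any 2xx, while the controller's `update` renders `status: :ok`; `expect(response).to have_http_status(:ok)` pins the status the API actually promises. The enclosing `context` that defines `headers` and `params` begins before this hunk.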
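Review bot: The new "returns 401" example checks only the status; it does not show that the rejected request left the record untouched, which is the property the authentication exists to protect. Add an assertion after the status check, e.g. `expect(case_log.reload.tenant_code).not_to eq("New Value")`, since the sibling example shows `params` sets `tenant_code` to that value on a successful update. The `describe`/`context` blocks enclosing this hunk begin before it.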