diff --git a/src/customer-key-store/Controllers/KeysController.cs b/src/customer-key-store/Controllers/KeysController.cs
index 60c7b35..2bf809a 100644
--- a/src/customer-key-store/Controllers/KeysController.cs
+++ b/src/customer-key-store/Controllers/KeysController.cs
@@ -23,6 +23,8 @@ public IActionResult GetKey(string keyName)
 {
 try
 {
+ ippw.ProtocolVersionValidator.ValidateProtocolVersion(Request);
+
 var publicKey = keyManager.GetPublicKey(GetRequestUri(Request), keyName);
 return Ok(publicKey);
@@ -43,6 +45,8 @@ public IActionResult Decrypt(string keyName, string keyId, [FromBody] ippw.Encry
 {
 try
 {
+ ippw.ProtocolVersionValidator.ValidateProtocolVersion(Request);
+
 var decryptedData = keyManager.Decrypt(HttpContext.User, keyName, keyId, encryptedData);
 return Ok(decryptedData);
diff --git a/src/customer-key-store/Models/ProtocolVersionValidator.cs b/src/customer-key-store/Models/ProtocolVersionValidator.cs
new file mode 100644
index 0000000..3fcc2d8
--- /dev/null
+++ b/src/customer-key-store/Models/ProtocolVersionValidator.cs
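Review bot: The new ValidateProtocolVersion call sits inside GetKey's `try`, so the ArgumentException it throws is handled by the catch block below, which lies outside this hunk; unless that catch singles out ArgumentException, an unsupported or malformed `protocol-version` will be reported the same way as an internal key-store failure (presumably a 500) instead of as a client error. Add a dedicated handler ahead of the general one, `catch (ArgumentException) { return BadRequest("Unsupported or malformed protocol-version"); }`, returning a fixed message rather than `ex.Message`, since the validator's messages embed the raw query value. GetKey's body, including its catch, continues past the end of the hunk.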
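Review bot: In Decrypt the version check runs only once the action executes, which as I read ASP.NET Core is after MVC has already bound the `[FromBody]` ippw.Encry… parameter; a client on a newer protocol whose body layout differs is therefore rejected (or silently deserialised into the current shape) by model binding before ValidateProtocolVersion ever sees the request, so the "Unsupported protocol_version" outcome is never produced for exactly the case it exists for. If the version is meant to gate the body format, enforce it before binding, for instance in an action filter or middleware that reads `protocol-version` from `Request.Query`, and keep the in-action call as a backstop. GetKey takes route values only, so it is less affected. Decrypt's catch block lies outside the hunk, so how the exception is surfaced cannot be checked here.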
@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+namespace Microsoft.InformationProtection.Web.Models
+{
+ using System;
+ using System.Globalization;
+ using Microsoft.Extensions.Primitives;
+ using Microsoft.InformationProtection.Web.Models.Extensions;
+ public static class ProtocolVersionValidator
+ {
+ private const double MinSupportedVersion = 1.0;
+ private const double MaxSupportedVersion = 1.0;
+ private const string ProtocolVersion = "protocol-version";
+ public static void ValidateProtocolVersion(AspNetCore.Http.HttpRequest request)
+ {
+ request.ThrowIfNull(nameof(request));
+ StringValues values = new StringValues("1.0"); //Older versions of mip were not sending up the protocol, default to 1.0
+ if(request.Query.ContainsKey(ProtocolVersion))
+ {
+ values = request.Query[ProtocolVersion];
+ }
+ if(values.Count != 1)
+ {
+ throw new ArgumentException("More than one protocol-version header found");
+ }
+ if(!double.TryParse(values[0], NumberStyles.Any, CultureInfo.InvariantCulture, out double protocolVersion))
+ {
+ throw new ArgumentException("Unable to parse protocol_version: " + values[0]);
+ }
+ if(protocolVersion < MinSupportedVersion || protocolVersion > MaxSupportedVersion)
+ {
+ throw new ArgumentException("Unsupported protocol_version: " + values[0]);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/customer-key-store/Models/RoleAuthorizer.cs b/src/customer-key-store/Models/RoleAuthorizer.cs
index 914ec17..757ab28 100644
--- a/src/customer-key-store/Models/RoleAuthorizer.cs
+++ b/src/customer-key-store/Models/RoleAuthorizer.cs
@@ -22,6 +22,12 @@ public RoleAuthorizer(IConfiguration configuration)
 ldapPath = configuration["RoleAuthorizer:LDAPPath"];
 }
+ public static string GetRole(string memberOf)
+ {
+ memberOf.ThrowIfNull(nameof(memberOf));
+ return ParseCN(memberOf);
+ }
+
 public void AddRole(string role)
 {
 roles.Add(role);
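Review bot: The range check at the end of ValidateProtocolVersion does not reject NaN: `double.TryParse` with `NumberStyles.Any` and the invariant culture accepts the `NaN` symbol (as well as exponent, thousands, currency and parenthesis forms such as `1e0` or `(1)`), and `NaN < 1.0 || NaN > 1.0` is false, so `?protocol-version=NaN` is accepted as a supported version. Restrict the styles and test for NaN explicitly, e.g. `if(!double.TryParse(values[0], NumberStyles.AllowDecimalPoint, CultureInfo.InvariantCulture, out double protocolVersion) || double.IsNaN(protocolVersion))`, or compare the raw string against an allow-list of supported version strings since only "1.0" is accepted today. The three messages also embed the unbounded raw query value (`values[0]`), describe a query parameter as a "header", and spell the name `protocol_version` while the query key is `protocol-version`; if the controller's catch block (not visible here) returns the message to the caller, drop the echo or length-limit it, and name the parameter consistently.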
@@ -133,11 +139,5 @@ private static string ParseCN(string distinguishedName)
 return role.ToString();
 }
-
- public static string GetRole(string memberOf)
- {
- memberOf.ThrowIfNull(nameof(memberOf));
- return ParseCN(memberOf);
- }
 }
}
\ No newline at end of file