diff --git a/app/javascript/submission_form/completed.vue b/app/javascript/submission_form/completed.vue
index 708843bf..c87f9c4f 100644
--- a/app/javascript/submission_form/completed.vue
+++ b/app/javascript/submission_form/completed.vue
@@ -161,6 +161,11 @@ export default {
 required: false,
 default: false
 },
+ fetchOptions: {
+ type: Object,
+ required: false,
+ default: () => ({})
+ },
 completedButton: {
 type: Object,
 required: false,
@@ -214,7 +219,10 @@ export default {
 download () {
 this.isDownloading = true
- fetch(this.baseUrl + `/submitters/${this.submitterSlug}/download`).then(async (response) => {
+ fetch(this.baseUrl + `/submitters/${this.submitterSlug}/download`, {
+ method: 'GET',
+ ...this.fetchOptions
+ }).then(async (response) => {
 if (response.ok) {
 const urls = await response.json()
 const isMobileSafariIos = 'ontouchstart' in window && navigator.maxTouchPoints > 0 && /AppleWebKit/i.test(navigator.userAgent)
diff --git a/app/javascript/submission_form/form.vue b/app/javascript/submission_form/form.vue
index e3a3fadd..e2bdcf42 100644
--- a/app/javascript/submission_form/form.vue
+++ b/app/javascript/submission_form/form.vue
@@ -530,6 +530,7 @@
 v-else-if="isInvite"
 :submitters="inviteSubmitters"
 :optional-submitters="optionalInviteSubmitters"
+ :fetch-options="fetchOptions"
 :submitter-slug="submitterSlug"
 :authenticity-token="authenticityToken"
 :url="baseUrl + submitPath + '/invite'"
@@ -543,6 +544,7 @@
 :has-signature-fields="stepFields.some((fields) => fields.some((f) => ['signature', 'initials'].includes(f.type)))"
 :has-multiple-documents="hasMultipleDocuments"
 :completed-button="completedRedirectUrl ? {} : completedButton"
+ :fetch-options="fetchOptions"
 :completed-message="completedRedirectUrl ? {} : completedMessage"
 :with-send-copy-button="withSendCopyButton && !completedRedirectUrl"
 :with-download-button="withDownloadButton && !completedRedirectUrl && !dryRun"
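Review bot: `...this.fetchOptions` is spread after `method: 'GET'` in `download ()`, so any key in the prop replaces the fixed value. The same order in the `form.vue` submit call and in `invite_form.vue` lets a `fetchOptions.method` or `fetchOptions.body` override the `POST` and the `FormData` body. If the prop is only meant to add headers or credential settings, spread it first, `{ ...this.fetchOptions, method: 'POST', body: ... }`, or forward only the intended keys, e.g. `headers: this.fetchOptions.headers`. `download ()` continues past the end of the hunk.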
@@ -678,6 +680,11 @@ export default {
 required: false,
 default: () => []
 },
+ fetchOptions: {
+ type: Object,
+ required: false,
+ default: () => ({})
+ },
 optionalInviteSubmitters: {
 type: Array,
 required: false,
@@ -1467,7 +1474,8 @@ export default {
 } else {
 return fetch(this.baseUrl + this.submitPath, {
 method: 'POST',
- body: formData || new FormData(this.$refs.form)
+ body: formData || new FormData(this.$refs.form),
+ ...this.fetchOptions
 }).then((response) => {
 if (response.status === 200) {
 currentFieldUuids.forEach((fieldUuid) => {
diff --git a/app/javascript/submission_form/invite_form.vue b/app/javascript/submission_form/invite_form.vue
index 10c3927d..3189b0d8 100644
--- a/app/javascript/submission_form/invite_form.vue
+++ b/app/javascript/submission_form/invite_form.vue
@@ -78,6 +78,11 @@ export default {
 type: Array,
 required: true
 },
+ fetchOptions: {
+ type: Object,
+ required: false,
+ default: () => ({})
+ },
 optionalSubmitters: {
 type: Array,
 required: false,
@@ -108,7 +113,8 @@ export default {
 return fetch(this.url, {
 method: 'POST',
- body: new FormData(this.$refs.form)
+ body: new FormData(this.$refs.form),
+ ...this.fetchOptions
 }).then((response) => {
 if (response.status === 200) {
 this.$emit('success')
diff --git a/lib/submitters/authorized_for_form.rb b/lib/submitters/authorized_for_form.rb
index 27fa411c..81048a16 100644
--- a/lib/submitters/authorized_for_form.rb
+++ b/lib/submitters/authorized_for_form.rb
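Review bot: The `fetchOptions` prop is undocumented, and the submit call in `form.vue` (like the one in `invite_form.vue`) sends a `FormData` body, so a caller-supplied `Content-Type` header would replace the multipart boundary the browser generates and the server could no longer parse the form. A comment on the prop would state the contract: `// Extra init merged into fetch(); do not set Content-Type here, the body is FormData and the browser supplies the multipart boundary`. The submit method starts and ends outside the hunk.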
@@ -17,9 +17,10 @@ module Submitters
 submitter.preferences['require_email_2fa'] != true
 return true if request.cookie_jar.encrypted[:email_2fa_slug] == submitter.slug
- return true if request.params[:two_factor_token].present? &&
- Submitter.signed_id_verifier.verified(request.params[:two_factor_token],
- purpose: :email_two_factor) == submitter.slug
+ token = request.params[:two_factor_token].presence || request.headers['x-two-factor-token'].presence
+
+ return true if token.present? &&
+ Submitter.signed_id_verifier.verified(token, purpose: :email_two_factor) == submitter.slug
 false
 end
@@ -32,11 +33,10 @@ module Submitters
 return true if request.cookie_jar.encrypted[:email_2fa_slug] == submitter.slug
 return true if submitter.email == current_user&.email && current_user&.account_id == submitter.account_id
- if request.params[:two_factor_token].present?
+ if (token = request.params[:two_factor_token].presence || request.headers['x-two-factor-token'].presence)
 link_2fa_key = [submitter.email.downcase.squish, submitter.submission.template.slug].join(':')
- return true if Submitter.signed_id_verifier.verified(request.params[:two_factor_token],
- purpose: :email_two_factor) == link_2fa_key
+ return true if Submitter.signed_id_verifier.verified(token, purpose: :email_two_factor) == link_2fa_key
 end
 false
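Review bot: In both hunks the token is picked with `request.params[:two_factor_token].presence || request.headers['x-two-factor-token'].presence`, so when a request carries both, a stale or malformed `two_factor_token` parameter is the only value verified and a valid header token is never tried. If the two sources are meant to work independently, verify each candidate instead, e.g. `[request.params[:two_factor_token], request.headers['x-two-factor-token']].compact_blank.any? { |t| Submitter.signed_id_verifier.verified(t, purpose: :email_two_factor) == submitter.slug }`. The lookup expression is also duplicated across the two methods, and `token.present?` is redundant after `.presence`; a shared helper would keep the header name in one place. Both method bodies start outside the hunks.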