diff --git a/lib/index.js b/lib/index.js index f16ac5a..5f3438b 100644 --- a/lib/index.js +++ b/lib/index.js @@ -48,7 +48,8 @@ Salti.defaults = { stripTrailingSlash: true, dbPrefix: undefined, dbPathTemplate: '{:db}', - idTokenTemplate: '{:id}' + idTokenTemplate: '{:id}', + attachmentIdTemplate: '{:attachmentId}' }; Salti.THALI_PREFIX = '/_local/thali_'; @@ -167,10 +168,10 @@ Salti.prototype.handler = function (request, response, nextHandler) { } } - else if (pathParts.length === 3 && pathParts[2] === 'attachment') { - // Is /{:id}/attachment authorized? + else if (pathParts.length === 3) { + // Is /{:id}/{:attachmentId} authorized? lookupPath = this.dbPrefix + '/' + this.options.idTokenTemplate + - '/attachment'; + '/' + this.options.attachmentIdTemplate; if (this.lookupPathVerb(paths, lookupPath) === Salti.PATH_VERB_FOUND) { return this.authorized('passed attachment check'); } else { diff --git a/test/acl-block.1.js b/test/acl-block.1.js index fe71d8d..c5021f3 100644 --- a/test/acl-block.1.js +++ b/test/acl-block.1.js @@ -32,7 +32,7 @@ module.exports = [{ 'verbs': ['GET'] }, { - 'path': '/{:db}/{:id}/attachment', + 'path': '/{:db}/{:id}/{:attachmentId}', 'verbs': ['GET'] }, { diff --git a/test/test-core-attachment.js b/test/test-core-attachment.js index abac406..65d2cb8 100644 --- a/test/test-core-attachment.js +++ b/test/test-core-attachment.js @@ -2,7 +2,7 @@ /** this will check the following: ** DB spedific paths - note that ':db' token to be substituted with the db name in that context - ** | /:db/:id/attachment | GET, | | + ** | /:db/:id/:attachmentId | GET, | | */ var request = require('supertest'); @@ -15,7 +15,7 @@ var lib = require('../lib/index'); var acl = require('./acl-block.1.js'); var dbName = 'foobar'; -var path = '/' + dbName + '/1234/attachment'; +var path = '/' + dbName + '/1234/attachmentId'; function genericHandlers(router, path) { router.get(path, handlers.get); 
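Review bot: The new `attachmentIdTemplate` default in `Salti.defaults` (lib/index.js, first hunk) is undocumented, and it changes what existing ACL files must contain. The handler now builds its lookup path from this token, so an ACL that still lists `/{:db}/{:id}/attachment` would stop matching and those requests would be denied. The fixture change in test/acl-block.1.js suggests deployed ACLs need the same edit. I would add a comment above the option such as `// Token that ACL paths must use for the third segment, e.g. '/{:db}/{:id}/{:attachmentId}'; the literal '/attachment' form no longer matches.` and mention the migration in the commit description.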
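Review bot: In the `Salti.prototype.handler` hunk of lib/index.js, the new `else if (pathParts.length === 3)` branch no longer constrains the third segment. A single ACL entry for `/{:db}/{:id}/{:attachmentId}` therefore authorizes every three-segment request for the listed verbs, whatever the second and third segments contain. If the earlier branches, which lie outside this hunk, do not already catch reserved forms such as `_design/<name>` or `_local/<name>`, those requests would be granted under the attachment rule. I would either exclude them here, e.g. `else if (pathParts.length === 3 && pathParts[1][0] !== '_' && pathParts[2][0] !== '_') {`, or confirm they are handled above and say so in the comment. The handler body starts and ends outside the hunk, so this needs checking against the full function.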
@@ -23,7 +23,7 @@ function genericHandlers(router, path) { } describe( - 'test-core-attachment.js - calling the /db/id/attachment path', function () { + 'test-core-attachment.js - calling the /db/id/attachmentId path', function () { describe('using repl identity', function () { var app = express(); var router = express.Router(); @@ -76,11 +76,11 @@ describe( .expect(401, done); }); - it('GET zzz should be 401', function (done) { + it('GET zzz should be 404', function (done) { request(app) .get(path + 'zzz') .set('Accept', 'application/json') - .expect(401, done); + .expect(404, done); }); }); }); diff --git a/test/test-core-resources.js b/test/test-core-resources.js index 3f93aad..906f1cf 100644 --- a/test/test-core-resources.js +++ b/test/test-core-resources.js @@ -89,11 +89,12 @@ describe('test-core-resources calling the /db/{id} path', function () { .expect(401, done); }); - it('GET should be 401 on /1234/1234', function (done) { + // this looks like attachment: {:id}/{:attachmentId} + it('GET should be 404 on /1234/1234', function (done) { request(app) .get('/' + path + '/1234') .set('Accept', 'application/json') - .expect(401, done); + .expect(404, done); }); it('PUT should be 401', function (done) { request(app)
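Review bot: The `GET zzz should be 404` case in test/test-core-attachment.js, and `GET should be 404 on /1234/1234` in test/test-core-resources.js, now show only that an arbitrary three-segment path passes the ACL and then misses a route. Neither hunk adds a case where a three-segment path is still denied. I would add a negative test for a verb the fixture does not list, or for an identity whose ACL lacks the `/{:db}/{:id}/{:attachmentId}` entry, e.g. `request(app).put(path).set('Accept', 'application/json').expect(401, done);`. A short comment such as `// 404 means the ACL allowed the request and no route matched` would also make the changed expectation clearer. The enclosing `describe` blocks continue outside these hunks, so such a case may already exist there.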