diff --git a/tests/test_api_users.py b/tests/test_api_users.py
index 594b0be..2c56d52 100644
--- a/tests/test_api_users.py
+++ b/tests/test_api_users.py
@@ -188,10 +188,12 @@ async def test_username_select(server, reg_token_client):
 assert ret['username'] == 'f-bar.bar_'
 invalid_usernames = [
- ('foo',), # too short
- ('fooooooooooooooooooooooooo',), # too long
- ('foò',), # unicode
- ('fo=o',), # invalid char
+ 'foo', # too short
+ 'fooooooooooooooooooooooooo', # too long
+ 'foò', # unicode
+ 'fo=o', # invalid char
+ 'fo o', # space
+ 'f\'oo', # quote
 ]
 @pytest.mark.parametrize('username', invalid_usernames)
diff --git a/user_mgmt/server.py b/user_mgmt/server.py
index bb899ee..b0caef7 100644
--- a/user_mgmt/server.py
+++ b/user_mgmt/server.py
@@ -96,7 +96,7 @@ def create_server():
 server.add_route(r'/api/experiments/(?P[\w\-]+)/institutions', MultiInstitutions, kwargs)
 server.add_route(r'/api/experiments/(?P[\w\-]+)/institutions/(?P[\w\-]+)', Institution, kwargs)
 server.add_route(r'/api/experiments/(?P[\w\-]+)/institutions/(?P[\w\-]+)/users', InstitutionMultiUsers, kwargs)
- server.add_route(r'/api/experiments/(?P[\w\-]+)/institutions/(?P[\w\-]+)/users/(?P[\w\-]+)', InstitutionUser, kwargs)
+ server.add_route(r'/api/experiments/(?P[\w\-]+)/institutions/(?P[\w\-]+)/users/(?P[\w\-\._]+)', InstitutionUser, kwargs)
 server.add_route('/api/inst_approvals', InstApprovals, kwargs)
 server.add_route(r'/api/inst_approvals/(?P\w+)/actions/approve', InstApprovalsActionApprove, kwargs)
@@ -112,7 +112,7 @@ def create_server():
 server.add_route(r'/api/group_approvals/(?P\w+)/actions/deny', GroupApprovalsActionDeny, kwargs)
 server.add_route(r'/api/users', MultiUser, kwargs)
- server.add_route(r'/api/users/(?P[\w\-]+)', User, kwargs)
+ server.add_route(r'/api/users/(?P[\w\-\._]+)', User, kwargs)
 server.add_route('/api/username', Username, kwargs)
 server.add_route(r'/api/experiments/(?P[\w\-]+)/associates', AssociateUsers, kwargs)
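Review bot: The invalid list still has no boundary cases, so the length limits in `_username_valid` are only exercised far from the edges ('foo' is 3 characters, the long entry 26). Adding `'fooo', # 4 chars, one under the minimum` and a 17-character entry, plus positive cases of exactly 5 and 16 characters, would pin the real limits, which matters because the validator's new docstring says 4-16 while its code rejects anything shorter than 5. Dropping the one-element tuples is the right fix for a single-name parametrize, since `'username'` receives each list value directly. The hunk spans the end of test_username_select and module-level setup for the following test, both of which continue outside it.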
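Review bot: The widened segment `[\w\-\._]+` now appears verbatim in the InstitutionUser route here and again in the User route of the second server.py hunk, and it has to agree with the class that `_username_valid` in users.py enforces; three copies of one literal will drift. Hoist it once, e.g. `USERNAME_CHARS = r'[\w\-\._]+'` at module level, and build both routes (and ideally the validator) from that constant. Note also that in a Python 3 `str` pattern `\w` matches Unicode letters and digits, so these routes accept names the validator rejects; that is harmless only if the handlers treat the path segment purely as a lookup key and return 404 on a miss, which is worth confirming. create_server continues outside both hunks.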
diff --git a/user_mgmt/users.py b/user_mgmt/users.py
index 9d11b85..6d8685d 100644
--- a/user_mgmt/users.py
+++ b/user_mgmt/users.py
@@ -85,12 +85,25 @@ def _gen_username(first_name, last_name, number):
 @staticmethod
 def _username_valid(username):
- """Check if a username is valid - length, bad words."""
+ """
+ Check if a username is valid.
+
+ Valid:
+ * ascii string between 4-16 chars
+ * letters, numbers, -, ., _
+
+ Invalid:
+ * unicode
+ * quotes
+ * spaces
+ * special chars
+ * BAD_WORDS filter
+ """
 ascii_username = unidecode.unidecode(username).replace("'", '').replace(' ', '').lower()
 if ascii_username != username:
 return False
- #if not re.fullmatch('[\w\-\._]+', username):
- # return False
+ if not re.fullmatch('[\w\-\._]+', username):
+ return False
 if len(username) < 5:
 return False
 if len(username) > 16: