diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index 5731a2e7a56b7bbf363ca1912ac45da1153f5197..08db5b91afa595a382a0b60bdb16e33499a07bc1 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -367,13 +367,23 @@ namespace Coscine.Api.Project.Controllers
         }
 
         /// <summary>
-        /// Creates a project
+        /// Creates a new project
         /// </summary>
-        /// <param name="projectObject">A Project Object</param>
-        /// <returns>JSON object or status code 401</returns>
+        /// <param name="projectObject">The project to create.</param>
+        /// <returns>A JSON representation of the created project.</returns>
+        /// <response code="200">The project was created successfully.</response>
+        /// <response code="401">The user does not have sufficient permissions to create a project.</response>
+        /// <response code="422">The project object is invalid or contains invalid data.</response>
         [HttpPost("[controller]")]
         public IActionResult Store([FromBody] ProjectObject projectObject)
         {
+            // ------
+            // This is the wrong place to do that, but we have to live with it. For the APIv2 consider moving that to a validation attribute.
+            // Also consider using the following Regex:
+            // (http|https):\/\/ror\.org\/[a-zA-Z0-9]+
+            if (projectObject.Organizations.Any(o => o.Url.Contains('#')))
+                return UnprocessableEntity("The URL of the organization cannot contain the '#' character. Only top-level organizations are allowed.");
+            // ------
             var user = _authenticator.GetUser();
 
             // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
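Review bot: The new guard at the top of `Store` dereferences `projectObject`, `projectObject.Organizations` and each `o.Url` without a null check, so a request body that omits any of them would likely surface as a NullReferenceException (a 500) rather than the documented 422, unless model validation elsewhere already rejects it. A null-tolerant form keeps the check's intent: `if (projectObject?.Organizations?.Any(o => o?.Url?.Contains('#') == true) == true)`. The check is also a denylist on a single character; if the regex from the comment is adopted later it needs anchors, e.g. `^https?:\/\/ror\.org\/[a-zA-Z0-9]+$`, because an unanchored match would still accept a URL that carries a `#` fragment or other trailing text. `Store`'s body continues past the end of the hunk, so any later validation is not visible here.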