Story #5422

Updated by bmbouter about 3 years ago

h3. Problem 

There is a use case where the API user is Galaxy, submitting data it received from a user it does not trust. The problem is that the actual metadata isn't known until the tarball is extracted, but by then, regardless of what the metadata is, the upload is already imported and live.

h3. Solution

Have the Galaxy V3 v3/artifacts/collections/ endpoint take 3 optional arguments: 'expected_namespace', 'expected_name', 'expected_version'. If set, validate that the uploaded Collection is asserting these values.

If they do not match, fail the import task and delete the Artifact, since it was not appropriate to save it.
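
A sketch of the proposed check, added here as an illustration and not taken from the project's code. It assumes the asserted values are read from the @collection_info@ section of the tarball's MANIFEST.json; the function names, the exception class and the dict standing in for saved Artifacts are hypothetical, and the sample tarball is constructed.

```python
import io
import json
import tarfile


class ExpectationMismatch(Exception):
    """The uploaded collection does not assert the expected values."""


def read_collection_info(tarball_bytes):
    # Read MANIFEST.json in memory; nothing is extracted to disk.
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.getmember("MANIFEST.json")  # KeyError if absent
        if not member.isfile():
            raise ExpectationMismatch("MANIFEST.json is not a regular file")
        info = json.load(tar.extractfile(member))["collection_info"]
    return {k: info[k] for k in ("namespace", "name", "version")}


def validate_upload(tarball_bytes, expected_namespace=None,
                    expected_name=None, expected_version=None):
    # Only the expectations the caller supplied are enforced.
    actual = read_collection_info(tarball_bytes)
    expected = {"namespace": expected_namespace, "name": expected_name,
                "version": expected_version}
    bad = {k: (v, actual[k]) for k, v in expected.items()
           if v is not None and v != actual[k]}
    if bad:
        raise ExpectationMismatch(bad)
    return actual


def import_collection(artifacts, artifact_id, tarball_bytes, **expected):
    artifacts[artifact_id] = tarball_bytes  # stand-in for the saved Artifact
    try:
        return validate_upload(tarball_bytes, **expected)
    except Exception:
        del artifacts[artifact_id]  # failed import: do not keep the Artifact
        raise


def build_sample_tarball(namespace, name, version):
    # Constructed sample input: a tarball holding only MANIFEST.json.
    manifest = json.dumps({"collection_info": {
        "namespace": namespace, "name": name, "version": version}}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entry = tarfile.TarInfo("MANIFEST.json")
        entry.size = len(manifest)
        tar.addfile(entry, io.BytesIO(manifest))
    return buf.getvalue()
```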