diff --git a/src/c3nav/control/templates/control/user.html b/src/c3nav/control/templates/control/user.html
index d55f36d5..960dc003 100644
--- a/src/c3nav/control/templates/control/user.html
+++ b/src/c3nav/control/templates/control/user.html
@@ -23,6 +23,36 @@

{% endif %} + {% if request.user_permissions.grant_permissions or request.user == user %} +

{% trans 'API secret' %}

+

+ {% if request.user_permissions.api_secret %} + {% if request.user == user %} + {% trans 'This user has an API secret.' %} + {% else %} + {% trans 'You have an API secret.' %} + {% endif %} + {% trans 'You can not see it, but generate a new one.' %} + {% else %} + {% trans 'This user has not an API secret.' %} + {% trans 'You can create one.' %} + {% endif %} +

+
+ {% csrf_token %} + + +
+ {% endif %} +

{% trans 'Access Permissions' %}

{% if user.accesspermissions.all %}
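Review bot: The two status messages are swapped: the `{% if request.user == user %}` branch renders 'This user has an API secret.' while the `{% else %}` branch renders 'You have an API secret.', the reverse of what each viewer should see. The enclosing `{% if request.user_permissions.api_secret %}` also tests the requesting user's permissions rather than the displayed user's, so on another user's page the text reflects the viewer's own secret; the view in views.py decides the same question with `user.permissions.api_secret`, which is presumably what the template should check here as `{% if user.permissions.api_secret %}`. 'This user has not an API secret.' would read better as 'This user does not have an API secret.', which also matches the message the view emits.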
diff --git a/src/c3nav/control/views.py b/src/c3nav/control/views.py
index 96f514e6..7d7ff1dd 100644
--- a/src/c3nav/control/views.py
+++ b/src/c3nav/control/views.py
@@ -1,3 +1,4 @@
+import string
 from functools import wraps

 from django.contrib import messages
@@ -9,6 +10,7 @@ from django.db import transaction
 from django.db.models import Prefetch
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
+from django.utils.crypto import get_random_string
 from django.utils.translation import ugettext_lazy as _

 from c3nav.control.forms import AccessPermissionForm, AnnouncementForm, UserPermissionsForm
@@ -76,6 +78,37 @@ def user_detail(request, user):
             messages.error(request, _('You cannot delete this Access Permission.'))
             return redirect(request.path_info)

+    api_secret_action = request.POST.get('api_secret')
+    if (api_secret_action and (request.user_permissions.grant_permissions or
+                               request.user == user and user.permissions.api_secret)):
+
+        permissions = user.permissions
+
+        if api_secret_action == 'generate' and permissions.api_secret:
+            messages.error(request, _('This user already has an API secret.'))
+            return redirect(request.path_info)
+
+        if api_secret_action in ('delete', 'regenerate') and not permissions.api_secret:
+            messages.error(request, _('This user does not have an API secret.'))
+            return redirect(request.path_info)
+
+        with transaction.atomic():
+            if api_secret_action in ('generate', 'regenerate'):
+                api_secret = get_random_string(64, string.ascii_letters+string.digits)
+                permissions.api_secret = api_secret
+                permissions.save()
+
+                messages.success(request, _('The new API secret is: %s – '
+                                            'be sure to note it down now, it won\'t be shown again.') % api_secret)
+
+            elif api_secret_action == 'delete':
+                permissions.api_secret = None
+                permissions.save()
+
+                messages.success(request, _('API secret successfully deleted!'))
+
+        return redirect(request.path_info)
+
     ctx = {
         'user': user,
     }
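Review bot: The self-service half of the guard, `request.user == user and user.permissions.api_secret`, only admits users who already hold a secret, so a user without one who posts `api_secret=generate` on their own page is silently ignored and falls through to the normal render with no message, while the user.html hunk offers exactly that action ("You can create one."). If self-generation is intended, drop the `.api_secret` clause from that condition and let the existing generate/delete state checks below do the work; if it is not, the rejected POST should at least produce a `messages.error` instead of nothing. Separately, the secret is persisted as the raw random string (`permissions.api_secret = api_secret`) and is then handed to the messages framework, whose storage backend (session- or signed-cookie-based, depending on settings) carries the plaintext until the next page renders; storing only a digest (e.g. `hashlib.sha256`) and showing the plaintext once would limit exposure, though that depends on how the credential is compared at authentication, which is not visible in this hunk. Unknown action values also enter the `transaction.atomic()` block, do nothing and redirect without feedback; rejecting them up front with the other two checks keeps the three branches explicit. `user_detail` begins before this hunk.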