diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
new file mode 100644
index 0000000..2838975
--- /dev/null
+++ b/app/controllers/users_controller.rb
@@ -0,0 +1,24 @@
+class UsersController < ApplicationController
+  before_action :authenticate_user!
+
+  before_action :user, only: [:token, :generate_token]
+
+  # GET /users/1/token
+  def token
+  end
+
+  # POST /users/1/generate_token
+  def generate_token
+    @user.token = SecureRandom.hex(10)
+    @user.save!
+
+    redirect_to token_user_path(@user)
+  end
+
+  private
+
+  def user
+    @user ||= User.find(params[:id])
+  end
+
+end
diff --git a/app/views/shared/_nav.html.erb b/app/views/shared/_nav.html.erb
index d4d0c45..2c7b7ff 100644
--- a/app/views/shared/_nav.html.erb
+++ b/app/views/shared/_nav.html.erb
@@ -1,55 +1,56 @@
 <!-- Fixed navbar -->
 <nav class="navbar navbar-inverse navbar-fixed-top">
   <div class="container-fluid">
     <div class="navbar-header">
       <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar">
         <span class="sr-only">Toggle navigation</span>
         <span class="icon-bar"></span>
         <span class="icon-bar"></span>
         <span class="icon-bar"></span>
       </button>
       <a class="navbar-brand" href="/">WebDNS</a>
     </div>
     <div id="navbar" class="navbar-collapse collapse">
       <ul class="nav navbar-nav">
         <li class="active"><a href="/domains">Domains</a></li>
         <li><%= mail_to WebDNS.settings[:contact_mail], 'Contact' %></li>
         <% if admin? %>
           <li class="dropdown">
             <a href="#" class="dropdown-toggle" data-toggle="dropdown">
 	      Admin<span class="caret"></span>
             </a>
             <ul class="dropdown-menu">
               <li><a href="/admin/groups/">Groups</a></li>
               <li><a href="/admin/jobs/">Jobs</a></li>
               <li><a href="/admin/users/orphans/">Orphans</a></li>
             </ul>
           </li>
         <% end %>
         <% if user_signed_in? %>
           <li class="dropdown">
             <a href="#" class="dropdown-toggle" data-toggle="dropdown">
               <%= current_user.try(:email) %>
               <span class="caret"></span>
             </a>
             <ul class="dropdown-menu">
               <li><%= link_to('Logout', destroy_user_session_path, method: :delete) %></li>
               <li class="divider"></li>
               <li class="dropdown-header">Profile</li>
               <% if current_user.can_change_password? %>
                 <li><%= link_to('Change Password', edit_user_registration_path) %></li>
               <% end %>
+              <li><%= link_to('API Token', token_user_path(current_user)) %></li>
             </ul>
           </li>
         <% end %>
 
         <form class="navbar-form navbar-left" role="search" action="/records/search" method="get">
           <div class="form-group">
             <input type="text" name="q" id="q" class="form-control" placeholder="Records" value="<%= params[:q] %>">
           </div>
           <button type="submit" class="btn btn-default">Search</button>
         </form>
       </ul>
     </div><!--/.nav-collapse -->
   </div>
 </nav>
diff --git a/app/views/users/token.html.erb b/app/views/users/token.html.erb
new file mode 100644
index 0000000..9a8077c
--- /dev/null
+++ b/app/views/users/token.html.erb
@@ -0,0 +1,16 @@
+<div>
+  <h1>API access token</h1>
+
+  <p>
+  <%= bootstrap_form_for(@user, url: generate_token_user_path(@user), method: :post) do |f| %>
+    <div class="input-group">
+      <span class="input-group-addon">Token</span>
+      <input type="text" class="form-control" value="<%= @user.token %>">
+    </div>
+  </p>
+  <p>
+    <%= f.submit 'Generate', class: 'btn btn-primary' %>
+  </p>
+
+  <% end %>
+</div>
diff --git a/config/routes.rb b/config/routes.rb
index 14044dc..a653071 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,63 +1,68 @@
 Rails.application.routes.draw do
   # Override devise user removal
   devise_scope :users do
     delete :users, to: redirect('/')
   end
   devise_for :users
   get '/auth/saml', to: 'auth#saml'
 
   root to: redirect('/domains')
 
+  resources :users, only: [] do
+    get :token, to: 'users#token', on: :member
+    post :generate_token, to: 'users#generate_token', on: :member
+  end
+
   resources :groups, only: [:show] do
     get :search_member,
         to: 'groups#search_member', on: :member
     post :members,
          to: 'groups#create_member', as: :create_member, on: :member
     delete 'member/:user_id',
            to: 'groups#destroy_member', as: :destroy_member, on: :member
   end
 
   resources :domains do
     get :edit_dnssec, to: 'domains#edit_dnssec', on: :member
     delete :full_destroy, to: 'domains#full_destroy', on: :member
 
     resources :records, except: [:index, :show] do
       # Reuse records#update instead of introducing new controller actions
       #
       # rubocop:disable Style/AlignHash
       put :disable, to: 'records#update', on: :member,
           defaults: { record: { disabled: true } }
       put :enable,  to: 'records#update', on: :member,
           defaults: { record: { disabled: false } }
 
       put :editable, to: 'records#editable', on: :collection
       post :valid, to: 'records#valid', on: :collection
       post :bulk, to: 'records#bulk', on: :collection
       # rubocop:enable Style/AlignHash
     end
   end
 
   get '/records/search', to: 'records#search'
 
   # Admin
   namespace :admin do
     root to: redirect('/admin/groups')
 
     resources :groups, except: [:show]
     resources :jobs, only: [:index, :destroy] do
       put :done, to: 'jobs#update', on: :member,
           defaults: { job: { status: 1 } }
       put :pending,  to: 'jobs#update', on: :member,
           defaults: { job: { status: 0 } }
     end
     resources :users, only: [:destroy] do
       get :orphans, to: 'users#orphans', on: :collection
       put :update_groups, to: 'users#update_groups', on: :collection
     end
   end
 
   # Private
   put 'private/replace_ds', to: 'private#replace_ds'
   put 'private/trigger_event', to: 'private#trigger_event'
 end
 
diff --git a/db/migrate/20160403094641_add_token_to_user.rb b/db/migrate/20160403094641_add_token_to_user.rb
new file mode 100644
index 0000000..fd4a5e3
--- /dev/null
+++ b/db/migrate/20160403094641_add_token_to_user.rb
@@ -0,0 +1,6 @@
+class AddTokenToUser < ActiveRecord::Migration
+  def change
+    add_column :users, :token, :string
+    add_index :users, :token, unique: true
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
index cce6fa2..1613156 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -1,314 +1,318 @@
 -- MySQL dump 10.15  Distrib 10.0.20-MariaDB, for debian-linux-gnu (x86_64)
 --
 -- Host: localhost    Database: webns
 -- ------------------------------------------------------
 -- Server version	10.0.20-MariaDB-3
 
 /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
 /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
 /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
 /*!40101 SET NAMES utf8 */;
 /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
 /*!40103 SET TIME_ZONE='+00:00' */;
 /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
 /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
 /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
 /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
 
 --
 -- Table structure for table `comments`
 --
 
 DROP TABLE IF EXISTS `comments`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `comments` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `domain_id` int(11) NOT NULL,
   `name` varchar(255) NOT NULL,
   `type` varchar(10) NOT NULL,
   `modified_at` int(11) NOT NULL,
   `account` varchar(40) NOT NULL,
   `comment` mediumtext NOT NULL,
   PRIMARY KEY (`id`),
   KEY `comments_domain_id_idx` (`domain_id`),
   KEY `comments_name_type_idx` (`name`,`type`),
   KEY `comments_order_idx` (`domain_id`,`modified_at`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `cryptokeys`
 --
 
 DROP TABLE IF EXISTS `cryptokeys`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `cryptokeys` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `domain_id` int(11) NOT NULL,
   `flags` int(11) NOT NULL,
   `active` tinyint(1) DEFAULT NULL,
   `content` text,
   PRIMARY KEY (`id`),
   KEY `domainidindex` (`domain_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `dnssec_policies`
 --
 
 DROP TABLE IF EXISTS `dnssec_policies`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `dnssec_policies` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `name` varchar(255) DEFAULT NULL,
   `active` tinyint(1) DEFAULT NULL,
   `policy` text,
   `created_at` datetime NOT NULL,
   `updated_at` datetime NOT NULL,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `domainmetadata`
 --
 
 DROP TABLE IF EXISTS `domainmetadata`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `domainmetadata` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `domain_id` int(11) NOT NULL,
   `kind` varchar(32) DEFAULT NULL,
   `content` text,
   PRIMARY KEY (`id`),
   KEY `domainmetadata_idx` (`domain_id`,`kind`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `domains`
 --
 
 DROP TABLE IF EXISTS `domains`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `domains` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `name` varchar(255) NOT NULL,
   `master` varchar(128) DEFAULT NULL,
   `last_check` int(11) DEFAULT NULL,
   `type` varchar(6) NOT NULL,
   `notified_serial` int(11) DEFAULT NULL,
   `account` varchar(40) DEFAULT NULL,
   `group_id` int(11) DEFAULT NULL,
   `created_at` datetime NOT NULL,
   `updated_at` datetime NOT NULL,
   `state` varchar(255) NOT NULL DEFAULT 'initial',
   `dnssec` tinyint(1) NOT NULL DEFAULT '0',
   `dnssec_parent` varchar(255) NOT NULL DEFAULT '',
   `dnssec_parent_authority` varchar(255) NOT NULL DEFAULT '',
   `dnssec_policy_id` int(11) DEFAULT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `name_index` (`name`),
   KEY `index_domains_on_group_id` (`group_id`)
 ) ENGINE=InnoDB AUTO_INCREMENT=37 DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `groups`
 --
 
 DROP TABLE IF EXISTS `groups`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `groups` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `name` varchar(255) DEFAULT NULL,
   `disabled` tinyint(1) DEFAULT '0',
   `created_at` datetime DEFAULT NULL,
   `updated_at` datetime DEFAULT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `index_groups_on_name` (`name`)
 ) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `jobs`
 --
 
 DROP TABLE IF EXISTS `jobs`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `jobs` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `job_type` varchar(255) NOT NULL,
   `domain_id` int(11) DEFAULT NULL,
   `args` varchar(255) NOT NULL,
   `status` int(11) NOT NULL DEFAULT '0',
   `retries` int(11) NOT NULL DEFAULT '0',
   `created_at` datetime DEFAULT NULL,
   `updated_at` datetime DEFAULT NULL,
   PRIMARY KEY (`id`),
   KEY `index_jobs_on_domain_id` (`domain_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `memberships`
 --
 
 DROP TABLE IF EXISTS `memberships`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `memberships` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `group_id` int(11) DEFAULT NULL,
   `user_id` int(11) DEFAULT NULL,
   `created_at` datetime DEFAULT NULL,
   `updated_at` datetime DEFAULT NULL,
   PRIMARY KEY (`id`),
   KEY `index_memberships_on_group_id` (`group_id`),
   KEY `index_memberships_on_user_id` (`user_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `records`
 --
 
 DROP TABLE IF EXISTS `records`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `records` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `domain_id` int(11) DEFAULT NULL,
   `name` varchar(255) DEFAULT NULL,
   `type` varchar(10) DEFAULT NULL,
   `content` mediumtext,
   `ttl` int(11) DEFAULT NULL,
   `prio` int(11) DEFAULT NULL,
   `change_date` int(11) DEFAULT NULL,
   `disabled` tinyint(1) DEFAULT '0',
   `ordername` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
   `auth` tinyint(1) DEFAULT '1',
   `created_at` datetime NOT NULL,
   `updated_at` datetime NOT NULL,
   PRIMARY KEY (`id`),
   KEY `nametype_index` (`name`,`type`),
   KEY `domain_id` (`domain_id`),
   KEY `recordorder` (`domain_id`,`ordername`),
   CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB AUTO_INCREMENT=32 DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `schema_migrations`
 --
 
 DROP TABLE IF EXISTS `schema_migrations`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `schema_migrations` (
   `version` varchar(255) NOT NULL,
   UNIQUE KEY `unique_schema_migrations` (`version`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `supermasters`
 --
 
 DROP TABLE IF EXISTS `supermasters`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `supermasters` (
   `ip` varchar(64) NOT NULL,
   `nameserver` varchar(255) NOT NULL,
   `account` varchar(40) NOT NULL,
   PRIMARY KEY (`ip`,`nameserver`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `tsigkeys`
 --
 
 DROP TABLE IF EXISTS `tsigkeys`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `tsigkeys` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `name` varchar(255) DEFAULT NULL,
   `algorithm` varchar(50) DEFAULT NULL,
   `secret` varchar(255) DEFAULT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `namealgoindex` (`name`,`algorithm`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --
 -- Table structure for table `users`
 --
 
 DROP TABLE IF EXISTS `users`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `users` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `email` varchar(255) NOT NULL DEFAULT '',
   `encrypted_password` varchar(255) NOT NULL DEFAULT '',
   `reset_password_token` varchar(255) DEFAULT NULL,
   `reset_password_sent_at` datetime DEFAULT NULL,
   `remember_created_at` datetime DEFAULT NULL,
   `sign_in_count` int(11) NOT NULL DEFAULT '0',
   `current_sign_in_at` datetime DEFAULT NULL,
   `last_sign_in_at` datetime DEFAULT NULL,
   `current_sign_in_ip` varchar(255) DEFAULT NULL,
   `last_sign_in_ip` varchar(255) DEFAULT NULL,
   `created_at` datetime NOT NULL,
   `updated_at` datetime NOT NULL,
   `identifier` varchar(255) DEFAULT '',
+  `token` varchar(255) DEFAULT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `index_users_on_email` (`email`),
   UNIQUE KEY `index_users_on_reset_password_token` (`reset_password_token`),
+  UNIQUE KEY `index_users_on_token` (`token`),
   KEY `index_users_on_identifier` (`identifier`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 
 /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
 /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
 /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
 /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
 /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
 -- Dump completed on 2015-11-08 12:57:51
 INSERT INTO schema_migrations (version) VALUES ('20151028123326');
 
 INSERT INTO schema_migrations (version) VALUES ('20151028123327');
 
 INSERT INTO schema_migrations (version) VALUES ('20151031184819');
 
 INSERT INTO schema_migrations (version) VALUES ('20151107182656');
 
 INSERT INTO schema_migrations (version) VALUES ('20151108093333');
 
 INSERT INTO schema_migrations (version) VALUES ('20151108105701');
 
 INSERT INTO schema_migrations (version) VALUES ('20151207054417');
 
 INSERT INTO schema_migrations (version) VALUES ('20151207194729');
 
 INSERT INTO schema_migrations (version) VALUES ('20151213102322');
 
 INSERT INTO schema_migrations (version) VALUES ('20160206083933');
 
 INSERT INTO schema_migrations (version) VALUES ('20160214155026');
 
+INSERT INTO schema_migrations (version) VALUES ('20160403094641');
+