diff --git a/api/admin.py b/api/admin.py
new file mode 100644
index 0000000..51fced1
--- /dev/null
+++ b/api/admin.py
@@ -0,0 +1,41 @@
+from django.contrib import admin
+from django.utils.translation import ugettext_lazy as _
+from minecraft_manager.api.models import Token
+
+
+class TokenActiveFilter(admin.SimpleListFilter):
+ title = _('Active')
+ parameter_name = 'active'
+
+ def lookups(self, request, model_admin):
+ return (
+ ('0', _('Active')),
+ ('1', _('Inactive')),
+ )
+
+ def queryset(self, request, queryset):
+ if self.value() == '0':
+ return queryset.filter(active=True)
+ if self.value() == '1':
+ return queryset.filter(active=False)
+
+
+class TokenAdmin(admin.ModelAdmin):
+ list_filter = (TokenActiveFilter,)
+ fieldsets = (
+ (None, {
+ 'fields': ('key', 'active')
+ }),
+ ('Permissions', {
+ 'fields': ('web_get_permission', 'web_post_permission', 'plugin_get_permission', 'plugin_post_permission',
+ 'form_get_permission', 'form_post_permission', 'model_get_permission', 'model_post_permission',
+ 'stats_get_permission', 'stats_post_permission')
+ })
+ )
+
+
+try:
+ admin.site.register(Token, TokenAdmin)
+except admin.sites.AlreadyRegistered:
+ pass
+
diff --git a/api/models.py b/api/models.py
new file mode 100644
index 0000000..6dbdb29
--- /dev/null
+++ b/api/models.py
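Review bot: `ugettext_lazy` on the second import line is the deprecated alias (deprecated in Django 3.0 and removed in 4.0); `from django.utils.translation import gettext_lazy as _` is the forward-compatible spelling with identical behaviour. The `'Permissions'` fieldset title is a bare string while `title` and the filter labels go through `_()`, so it is the one label in this file that can never be translated; `(_('Permissions'), {` keeps them consistent. Since the `Token` model added by this commit defines no `__str__`, the change list will label rows with Django's default object label; a `list_display` that shows `active` and a masked prefix of `key` rather than the full secret would make the list usable without exposing credentials on screen.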
@@ -0,0 +1,16 @@
+from django.db import models
+
+
+class Token(models.Model):
+ key = models.CharField("Key", max_length=50, unique=True)
+ active = models.BooleanField("Active", default=True)
+ web_get_permission = models.BooleanField("Web API GET", default=False)
+ web_post_permission = models.BooleanField("Web API POST", default=False)
+ plugin_get_permission = models.BooleanField("Plugin API GET", default=False)
+ plugin_post_permission = models.BooleanField("Plugin API POST", default=False)
+ form_get_permission = models.BooleanField("Form API GET", default=False)
+ form_post_permission = models.BooleanField("Form API POST", default=False)
+ model_get_permission = models.BooleanField("Model API GET", default=False)
+ model_post_permission = models.BooleanField("Model API POST", default=False)
+ stats_get_permission = models.BooleanField("Stats API GET", default=False)
+ stats_post_permission = models.BooleanField("Stats API POST", default=False)
diff --git a/api/views.py b/api/views.py
index 7d60377..603da56 100644
--- a/api/views.py
+++ b/api/views.py
@@ -7,7 +7,6 @@ from django.apps import apps
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.http import JsonResponse, HttpResponse
-from django.urls import reverse
 from django.utils import timezone
 from django.views.generic import View
 from django.forms import modelform_factory
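Review bot: `key` is the API credential, yet it has no default and the model has no `__str__`, so every token is typed by hand in the admin and rows are labelled with Django's generic object label. A callable default such as `key = models.CharField("Key", max_length=50, unique=True, default=secrets.token_urlsafe)` (with `import secrets` at the top; the default 32-byte input yields 43 characters, inside `max_length=50`) gives operators a high-entropy key without inventing one, and a `__str__` that shows only a prefix, e.g. `return "Token {}...".format(self.key[:4])`, keeps the full secret out of admin labels and log lines. A `created` or `last_used` timestamp would make rotation and unused-token cleanup observable, though that is beyond this commit.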
@@ -15,29 +14,30 @@ from django.forms import modelform_factory import minecraft_manager.forms as MCMForms from minecraft_manager.models import Player, UserSettings, Application, IP, Ticket, Warning import minecraft_manager.api.api as mcm_api +from minecraft_manager.api.models import Token import minecraft_manager.utils as mcm_utils import minecraft_manager.external.stats as mcm_stats logger = logging.getLogger(__name__) -def request_allowed(request): +def request_allowed(request, permission): is_authenticated = False if hasattr(request, 'user'): if hasattr(request.user, 'is_authenticated'): is_authenticated = request.user.is_authenticated - password = getattr(settings, 'API_PASSWORD', None) get = request.GET - post= request.POST + post = request.POST request_password = None if 'api' in get: request_password = get['api'] elif 'api' in post: request_password = post['api'] - correct_password = False - if password and request_password: - correct_password = request_password == password - return is_authenticated or correct_password + token_permission = False + if Token.objects.filter(active=True, key=request_password).exists(): + token = Token.objects.get(active=True, key=request_password) + token_permission = getattr(token, permission, False) + return is_authenticated or token_permission def clean(model, data): @@ -60,7 +60,7 @@ class WebAPI(View): def get(self, request, keyword): get = request.GET data = {'success': False, 'message': 'API failed'} - if request_allowed(request): + if request_allowed(request, 'web_get_permission'): keyword = keyword.lower() if keyword == 'log': html_global = "" @@ -102,7 +102,7 @@ class WebAPI(View): def post(self, request, keyword): post = request.POST data = {} - if request_allowed(request): + if request_allowed(request, 'web_post_permission'): keyword = keyword.lower() if keyword == 'settings' and request.user.usersettings: for s in [a for a in dir(UserSettings) if not a.startswith('__') and not callable(getattr(UserSettings,a))]: 
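Review bot: The new lookup in `request_allowed` queries the same row twice (`exists()` then `get()`) and runs even when no `api` parameter was supplied, since `request_password` is then `None`; `token = Token.objects.filter(active=True, key=request_password).first() if request_password else None` followed by `token_permission = bool(getattr(token, permission, False)) if token else False` does it in one query and short-circuits the no-credential case. The `bool()` matters because `permission` is a plain attribute name: a misspelled flag fails closed via the `getattr` default, but a non-boolean field name such as `'key'` would return a truthy string. `return is_authenticated or token_permission` still lets any logged-in user through regardless of `permission`, so the per-token flags only constrain token callers; if that is intended it deserves a one-line comment above the `return`. The credential is also still accepted from the query string via `get['api']`, which predates this change but means keys land in access logs and browser history.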
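Review bot: In `WebAPI.post` the branch `if keyword == 'settings' and request.user.usersettings:` is now the expected path for a token-only caller, because `request_allowed(request, 'web_post_permission')` passes without a session; for such a request `request.user` is `AnonymousUser`, which has no `usersettings` attribute, so the line raises `AttributeError` instead of returning the `data` dict. This was already reachable with the old shared password, but the per-token flag makes it the normal case rather than an edge case. Guarding it as `if keyword == 'settings' and request.user.is_authenticated and request.user.usersettings:` keeps token callers on the JSON error path. The body of `post` continues outside the hunk.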
@@ -155,7 +155,7 @@ class PluginAPI(View): def get(self, request, keyword): json = {'status': True, 'message': '', 'extra': ''} - if request_allowed(request): + if request_allowed(request, 'plugin_get_permission'): get = request.GET keyword = keyword.lower() @@ -163,7 +163,7 @@ class PluginAPI(View): def post(self, request, keyword): json = {'status': True, 'message': '', 'extra': ''} - if request_allowed(request): + if request_allowed(request, 'plugin_post_permission'): post = request.POST keyword = keyword.lower() if "application" == keyword: @@ -323,7 +323,7 @@ class FormAPI(View): def get(self, request, request_model): html = "" - if request_allowed(request): + if request_allowed(request, 'form_get_permission'): get = request.GET model = None for m in apps.get_app_config('minecraft_manager').get_models(): @@ -346,7 +346,7 @@ class FormAPI(View): def post(self, request, request_model): html = "" - if request_allowed(request): + if request_allowed(request, 'form_post_permission'): post = request.POST model = None for m in apps.get_app_config('minecraft_manager').get_models(): @@ -376,7 +376,7 @@ class ModelAPI(View): def get(self, request, request_model): json = [] - if request_allowed(request): + if request_allowed(request, 'model_get_permission'): get = request.GET model = None for m in apps.get_app_config('minecraft_manager').get_models(): @@ -404,7 +404,7 @@ class StatsAPI(View): def get(self, request): json = [] - if request_allowed(request): + if request_allowed(request, 'stats_get_permission'): get = request.GET if 'stat' in get: if 'uuid' in get:
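Review bot: The `Token` model added in this commit carries `model_post_permission` and `stats_post_permission`, yet the `ModelAPI` and `StatsAPI` hunks here only switch their `get` handlers to the new flags. If those views have `post` methods outside this diff that still call `request_allowed(request)`, they now raise `TypeError` because `permission` has no default, which fails closed but as a 500 rather than an authorization failure. Either wire those handlers to the new flags or drop the two unused fields so the admin fieldset does not advertise permissions nothing enforces. Each view body continues outside its hunk.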