diff --git a/vroom.pl b/vroom.pl
index e6b3820..61415b4 100755
--- a/vroom.pl
+++ b/vroom.pl
@@ -95,7 +95,7 @@ helper valid_room_name => sub {
 my ($name) = @_;
 my $ret = {};
 # A few names are reserved
- my @reserved = qw(about help feedback feedback_thanks goodbye admin create localize jsapi
+ my @reserved = qw(about help feedback feedback_thanks goodbye admin create localize jsapi api
 missing dies password kicked invitation js css img fonts snd);
 if ($name !~ m/^[\w\-]{1,49}$/ || grep { $name eq $_ } @reserved){
 return 0;
@@ -449,6 +449,18 @@ helper purge_participants => sub {
 return 1;
 };
+# Purge api keys
+helper purge_api_keys => sub {
+ my $self = shift;
+ $self->app->log->debug('Removing expired API keys');
+ my $sth = eval {
+ $self->db->prepare('DELETE FROM `api_keys` WHERE `not_after` > CONVERT_TZ(NOW(), @@session.time_zone, \'+00:00\')');
+ };
+ $sth->execute;
+ return 1;
+ };
+
 # Purge unused rooms
 helper purge_rooms => sub {
 my $self = shift;
@@ -1112,6 +1124,22 @@ any [qw(GET POST)] => '/password/(:room)' => sub {
 }
 };
+# API request handler
+any '/api' => sub {
+ my $self = shift;
+ $self->purge_api_keys;
+ my $key = $self->req->headers->header('X-API-Key');
+ if (!$key){
+ return $self->render(
+ json => {
+ status => 'error',
+ msg => 'NOT_ALLOWED'
+ },
+ status => '403'
+ );
+ }
+ };
+
 # Catch all route: if nothing else match, it's the name of a room
 get '/:room' => sub {
 my $self = shift;
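Review bot: The DELETE in purge_api_keys compares `not_after` > now, which is the wrong side of the comparison if `not_after` is the key's expiry as the column name and the debug message suggest: it removes keys that are still valid and leaves the expired ones in the table. The WHERE clause should use `<` instead of `>` so that only rows whose `not_after` lies in the past are deleted. The `eval` around `prepare` also discards any failure without inspecting `$@`, after which `$sth->execute` is called on an undef handle and its return value is ignored; `return 0 unless $sth && $sth->execute;` (logging `$@` or `$DBI::errstr` first) would let the helper report the failure instead of dying inside a cleanup step.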
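Review bot: The '/api' handler only rejects a missing X-API-Key; when a header value is present `$key` is never looked up in `api_keys` and the sub ends without rendering, so a request carrying any arbitrary key is not answered with the 403 and is likely left to Mojolicious's default handling for the route. Presumably the lookup comes in a later commit, but until then the handler should not let an unverified key pass: end the sub with the same response, e.g. `return $self->render(json => { status => 'error', msg => 'NOT_ALLOWED' }, status => 403);`, and branch to the real work only once the key has been found and is not expired. Calling `$self->purge_api_keys` at the top also means every request, authenticated or not, issues a DELETE before any check; running the purge alongside the other purge helpers would keep unauthenticated traffic from triggering database writes. `any '/api'` accepts every HTTP method, so it is worth restricting it to the methods the API will actually serve once they are known.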