diff --git a/assets/css/style.css b/assets/css/style.css
index 48130a4..6cab288 100644
--- a/assets/css/style.css
+++ b/assets/css/style.css
@@ -29,5 +29,5 @@ body {
 
 .heading {
 	margin: 0 0 1rem 0;
-	color: var(--primary-light-20);
+	color: var(--primary);
 }
diff --git a/assets/img/icons/backspace2.svg b/assets/img/icons/backspace2.svg
new file mode 100755
index 0000000..ff5e840
--- /dev/null
+++ b/assets/img/icons/backspace2.svg
@@ -0,0 +1,4 @@
+<!-- Generated by IcoMoon.io -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16">
+<path d="M15.25 3h-9c-0.412 0-0.989 0.239-1.28 0.53l-4.439 4.439c-0.292 0.292-0.292 0.769 0 1.061l4.439 4.439c0.292 0.292 0.868 0.53 1.28 0.53h9c0.412 0 0.75-0.338 0.75-0.75v-9.5c0-0.413-0.338-0.75-0.75-0.75zM14 10.5l-1.5 1.5-2-2-2 2-1.5-1.5 2-2-2-2 1.5-1.5 2 2 2-2 1.5 1.5-2 2 2 2z"></path>
+</svg>
diff --git a/assets/img/icons/database-remove.svg b/assets/img/icons/database-remove.svg
new file mode 100755
index 0000000..672dec1
--- /dev/null
+++ b/assets/img/icons/database-remove.svg
@@ -0,0 +1,5 @@
+<!-- Generated by IcoMoon.io -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16">
+<path d="M16 8.414l-1.414-1.414-2.086 2.086-2.086-2.086-1.414 1.414 2.086 2.086-2.086 2.086 1.414 1.414 2.086-2.086 2.086 2.086 1.414-1.414-2.086-2.086z"></path>
+<path d="M8 13.421c-0.752 0.173-1.611 0.266-2.5 0.266-1.242 0-2.429-0.181-3.342-0.51-0.763-0.275-1.074-0.562-1.158-0.677v-2.594c0.995 0.643 2.64 1.062 4.5 1.062 0.9 0 1.75-0.098 2.5-0.273v-1.306c-0.752 0.173-1.611 0.266-2.5 0.266-1.242 0-2.429-0.181-3.342-0.51-0.762-0.275-1.074-0.562-1.158-0.677v-2.531c0.995 0.643 2.64 1.062 4.5 1.062 3.038 0 5.5-1.119 5.5-2.5s-2.462-2.5-5.5-2.5-5.5 1.119-5.5 2.5v8c0 1.381 2.462 2.5 5.5 2.5 0.9 0 1.75-0.098 2.5-0.273v-1.306zM2.402 3.823c0.846-0.329 1.946-0.51 3.098-0.51s2.252 0.181 3.098 0.51c0.707 0.275 0.995 0.562 1.074 0.677-0.078 0.115-0.367 0.402-1.074 0.677-0.846 0.329-1.946 0.51-3.098 0.51s-2.252-0.181-3.098-0.51c-0.707-0.275-0.996-0.562-1.074-0.677 0.078-0.115 0.367-0.402 1.074-0.677z"></path>
+</svg>
diff --git a/assets/img/icons/folder-remove.svg b/assets/img/icons/folder-remove.svg
new file mode 100755
index 0000000..740062e
--- /dev/null
+++ b/assets/img/icons/folder-remove.svg
@@ -0,0 +1,4 @@
+<!-- Generated by IcoMoon.io -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16">
+<path d="M15 4h-14l1-2h5.5l0.5 1h6.5l0.5 1zM0 5l1 10h14l1-10h-16zM11.25 7.811l-2.189 2.189 2.189 2.189-1.061 1.061-2.189-2.189-2.189 2.189-1.061-1.061 2.189-2.189-2.189-2.189 1.061-1.061 2.189 2.189 2.189-2.189 1.061 1.061z"></path>
+</svg>
diff --git a/assets/img/icons/history.svg b/assets/img/icons/history.svg
new file mode 100755
index 0000000..85a554b
--- /dev/null
+++ b/assets/img/icons/history.svg
@@ -0,0 +1,4 @@
+<!-- Generated by IcoMoon.io -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" width="17" height="16" viewBox="0 0 17 16">
+<path d="M10 1c3.866 0 7 3.134 7 7s-3.134 7-7 7v-1.5c1.469 0 2.85-0.572 3.889-1.611s1.611-2.42 1.611-3.889c0-1.469-0.572-2.85-1.611-3.889s-2.42-1.611-3.889-1.611c-1.469 0-2.85 0.572-3.889 1.611-0.799 0.799-1.322 1.801-1.52 2.889h2.909l-3.5 4-3.5-4h2.571c0.485-3.392 3.402-6 6.929-6zM13 7v2h-4v-5h2v3z"></path>
+</svg>
diff --git a/assets/img/icons/stack-cancel.svg b/assets/img/icons/stack-cancel.svg
new file mode 100755
index 0000000..49bcc1b
--- /dev/null
+++ b/assets/img/icons/stack-cancel.svg
@@ -0,0 +1,4 @@
+<!-- Generated by IcoMoon.io -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16">
+<path d="M5 1v1.155l-2.619 0.368 0.17 1.211-2.551 0.732 3.308 11.535 10.189-2.921 0.558-0.079h1.945v-12h-11zM3.929 14.879l-2.808-9.793 1.558-0.447 1.373 9.766 2.997-0.421-3.119 0.894zM4.822 13.382l-1.418-10.088 1.595-0.224v9.93h2.543l-2.721 0.382zM15 12h-9v-10h9v10zM13 8.939v1.061h-1.061l-1.439-1.439-1.439 1.439h-1.061v-1.061l1.439-1.439-1.439-1.439v-1.061h1.061l1.439 1.439 1.439-1.439h1.061v1.061l-1.439 1.439z"></path>
+</svg>
diff --git a/config/default.cjs b/config/default.cjs
index 1afb7c8..4045aa5 100755
--- a/config/default.cjs
+++ b/config/default.cjs
@@ -23,7 +23,6 @@ module.exports = {
 			maxQueryTime: 10000,
 		},
 		timeout: 5000,
-		graphiql: false,
 		pool: {
 			min: 0,
 			max: 20,
@@ -64,6 +63,12 @@ module.exports = {
 		usernameLength: [2, 24],
 		usernamePattern: /^[a-zA-Z0-9_-]+$/,
 	},
+	apiAccess: {
+		graphqlEnabled: true,
+		keySize: 24, // bytes
+		keyLimit: 5, // max keys per user
+		keyCooldown: 1, // minutes between key generation
+	},
 	psa: {
 		text: 'Welcome to traxxx!', // html enabled
 		type: 'notice', // notice, alert
diff --git a/pages/auth/keys/+Page.vue b/pages/auth/keys/+Page.vue
new file mode 100644
index 0000000..f606b3b
--- /dev/null
+++ b/pages/auth/keys/+Page.vue
@@ -0,0 +1,271 @@
+<template>
+	<div class="page">
+		<div class="keys-header">
+			<h2 class="heading">API keys</h2>
+
+			<div class="keys-actions">
+				<Icon
+					v-tooltip="'Flush all keys'"
+					icon="stack-cancel"
+					@click="flushKeys"
+				/>
+
+				<button
+					class="button"
+					@click="createKey"
+				>New key</button>
+			</div>
+		</div>
+
+		<div
+			v-if="newKey"
+			class="newkey"
+		>
+			<p class="key-info">
+				Your new key identified by <strong>{{ newKey.identifier }}</strong> is
+				<input
+					:value="newKey.key"
+					class="input"
+					@click="copyKey"
+				>
+			</p>
+
+			<p class="key-info">Please store this key securely, you will <strong>not</strong> be able to retrieve it later. If you lose it, you must generate a new key.</p>
+		</div>
+
+		<ul
+			v-if="keys.length > 0"
+			class="keys nolist"
+		>
+			<li
+				v-for="key in keys"
+				:key="`key-${key.id}`"
+				class="key"
+			>
+				<div class="key-row key-header">
+					<strong class="key-value key-identifier ellipsis">{{ key.identifier }}</strong>
+
+					<span class="key-actions">
+						<Icon
+							icon="bin"
+							@click="removeKey(key)"
+						/>
+					</span>
+				</div>
+
+				<div class="key-row key-details">
+					<span class="key-value key-created">
+						<Icon icon="plus-circle" />
+
+						<time
+							v-tooltip="format(key.createdAt, 'yyyy-MM-dd hh:mm:ss')"
+							:datetime="key.createdAt.toISOString()"
+						>{{ formatDistanceToNowStrict(key.createdAt) }} ago</time>
+					</span>
+
+					<span class="key-value key-used">
+						<Icon icon="history" />
+
+						<template v-if="key.lastUsedAt">
+							<time
+								v-tooltip="`${key.lastUsedIp} at ${format(key.lastUsedAt, 'yyyy-MM-dd hh:mm:ss')}`"
+								:datetime="key.lastUsedAt.toISOString()"
+							>{{ formatDistanceToNowStrict(key.lastUsedAt) }} ago</time>
+						</template>
+
+						<template v-else>Never</template>
+					</span>
+				</div>
+			</li>
+		</ul>
+
+		<div
+			v-if="keys.length > 0"
+			class="info"
+		>
+			<h3 class="info-heading">HTTP headers</h3>
+
+			<code class="headers">
+				Api-User: {{ user.id }}<br>
+				Api-Key: YourSecurelyStoredApiKey12345678
+			</code>
+		</div>
+	</div>
+</template>
+
+<script setup>
+import { ref, inject } from 'vue';
+import { format, formatDistanceToNowStrict } from 'date-fns';
+
+import { get, post, del } from '#/src/api.js';
+import events from '#/src/events.js';
+
+const pageContext = inject('pageContext');
+const user = pageContext.user;
+const keys = ref(pageContext.pageProps.keys);
+const newKey = ref(null);
+
+async function createKey() {
+	const key = await post('/keys', null, {
+		appendErrorMessage: true,
+	});
+
+	newKey.value = key;
+	keys.value = await get('/me/keys');
+}
+
+async function removeKey(key) {
+	if (confirm(`Are you sure you want to remove API key '${key.identifier}' (${format(key.createdAt, 'yyyy-MM-dd hh:mm')})? It can not be restored.`)) { // eslint-disable-line no-restricted-globals, no-alert
+		newKey.value = null;
+
+		await del(`/me/keys/${key.identifier}`);
+
+		keys.value = await get('/me/keys');
+	}
+}
+
+async function flushKeys() {
+	if (confirm('Are you sure you want to remove ALL your API keys? They can not be restored.')) { // eslint-disable-line no-restricted-globals, no-alert
+		newKey.value = null;
+
+		await del('/me/keys');
+
+		keys.value = [];
+	}
+}
+
+function copyKey(event) {
+	event.target.select();
+	navigator.clipboard.writeText(newKey.value.key);
+
+	events.emit('feedback', {
+		type: 'success',
+		message: 'Key copied to clipboard',
+	});
+}
+</script>
+
+<style scoped>
+.page {
+	flex-grow: 1;
+	padding: 1rem;
+}
+
+.keys-header {
+	display: flex;
+	justify-content: space-between;
+	align-items: center;
+	margin-bottom: .5rem;
+}
+
+.keys-actions {
+	display: flex;
+	gap: 1rem;
+	align-items: center;
+
+	.icon {
+		padding: .5rem 1rem;
+	}
+}
+
+.keys-actions,
+.key-actions {
+	.icon {
+		height: 100%;
+		fill: var(--glass);
+
+		&:hover {
+			fill: var(--error);
+			cursor: pointer;
+		}
+	}
+}
+
+.keys {
+	display: grid;
+	grid-template-columns: repeat(auto-fill, minmax(25rem, 1fr));
+	gap: .5rem;
+	margin-bottom: 2rem;
+}
+
+.key {
+	background: var(--background);
+	box-shadow: 0 0 3px var(--shadow-weak-30);
+	font-size: .9rem;
+}
+
+.key-row {
+	display: flex;
+	justify-content: space-between;
+	overflow: hidden;
+}
+
+.key-value {
+	display: flex;
+	align-items: center;
+	gap: .25rem;
+	box-sizing: border-box;
+
+	.icon {
+		width: .9rem;
+		height: .9rem;
+		fill: var(--glass-strong-10);
+	}
+}
+
+.key-header .key-value {
+	padding: .5rem .5rem .25rem .5rem;
+}
+
+.key-details .key-value {
+	padding: .25rem .5rem .5rem .5rem;
+}
+
+.key-identifier {
+	display: inline-block;
+	width: 0;
+	flex-grow: 1;
+}
+
+.key-actions .icon {
+	padding: 0 .5rem .5rem .5rem;
+}
+
+.newkey {
+	display: inline-block;
+	padding: .5rem 1rem;
+	margin-bottom: 1rem;
+	background: var(--enabled-background);
+	border: solid 1px var(--success);
+	border-radius: .25rem;
+	line-height: 1.5;
+
+	.input {
+		width: 24rem;
+		padding: .25rem .75rem;
+		font-weight: bold;
+	}
+}
+
+.key-info {
+	margin: 0 0 .5rem 0;
+}
+
+.headers {
+	display: block;
+	max-width: 100%;
+	padding: .5rem 0;
+	white-space: nowrap;
+	overflow: auto;
+}
+
+.info-heading {
+	margin: 0;
+}
+
+@media(--small-20) {
+	.keys {
+		grid-template-columns: 1fr;
+	}
+}
+</style>
diff --git a/pages/auth/keys/+onBeforeRender.js b/pages/auth/keys/+onBeforeRender.js
new file mode 100644
index 0000000..68b1638
--- /dev/null
+++ b/pages/auth/keys/+onBeforeRender.js
@@ -0,0 +1,14 @@
+import { fetchUserKeys } from '#/src/auth.js';
+
+export async function onBeforeRender(pageContext) {
+	const keys = await fetchUserKeys(pageContext.user);
+
+	return {
+		pageContext: {
+			title: 'API keys',
+			pageProps: {
+				keys,
+			},
+		},
+	};
+}
diff --git a/src/actors.js b/src/actors.js
index 4e6e54e..fa7267b 100644
--- a/src/actors.js
+++ b/src/actors.js
@@ -26,7 +26,7 @@ export function curateActor(actor, context = {}) {
 		cup: actor.cup,
 		waist: actor.waist,
 		hip: actor.hip,
-		naturalBoobs: actor.naturalBoobs,
+		naturalBoobs: actor.natural_boobs,
 		height: actor.height && {
 			metric: actor.height,
 			imperial: unit(actor.height, 'cm').splitUnit(['ft', 'in']).map((value) => Math.round(value.toNumber())),
@@ -36,7 +36,7 @@ export function curateActor(actor, context = {}) {
 			imperial: Math.round(unit(actor.weight, 'kg').toNumeric('lbs')),
 		},
 		eyes: actor.eyes,
-		hairColor: actor.hairColor,
+		hairColor: actor.hair_color,
 		hasTattoos: actor.has_tattoos,
 		tattoos: actor.tattoos,
 		hasPiercings: actor.has_piercings,
diff --git a/src/api.js b/src/api.js
index 74e6848..d8684d3 100644
--- a/src/api.js
+++ b/src/api.js
@@ -79,7 +79,7 @@ export async function post(path, data, options = {}) {
 	try {
 		const res = await fetch(`/api${path}${getQuery(options.query)}`, {
 			method: 'POST',
-			body: JSON.stringify(data),
+			body: data && JSON.stringify(data),
 			...postHeaders,
 		});
 
@@ -95,8 +95,6 @@ export async function post(path, data, options = {}) {
 			return body;
 		}
 
-		console.log(body.statusMessage);
-
 		showFeedback(false, options, body.statusMessage);
 		throw new Error(body.statusMessage);
 	} catch (error) {
@@ -109,7 +107,7 @@ export async function patch(path, data, options = {}) {
 	try {
 		const res = await fetch(`/api${path}${getQuery(options.query)}`, {
 			method: 'PATCH',
-			body: JSON.stringify(data),
+			body: data && JSON.stringify(data),
 			...postHeaders,
 		});
 
@@ -136,7 +134,7 @@ export async function del(path, options = {}) {
 	try {
 		const res = await fetch(`/api${path}${getQuery(options.query)}`, {
 			method: 'DELETE',
-			body: JSON.stringify(options.data),
+			body: options.data && JSON.stringify(options.data),
 			...postHeaders,
 		});
 
diff --git a/src/auth.js b/src/auth.js
index e42a21e..c64ccd3 100755
--- a/src/auth.js
+++ b/src/auth.js
@@ -4,13 +4,17 @@ import crypto from 'crypto';
 import fs from 'fs/promises';
 import { createAvatar } from '@dicebear/core';
 import { shapes } from '@dicebear/collection';
+import { faker } from '@faker-js/faker';
 
 import { knexOwner as knex } from './knex.js';
+import redis from './redis.js';
 import { curateUser, fetchUser } from './users.js';
 import { HttpError } from './errors.js';
-import initLogger from './logger.js';
+import slugify from '../utils/slugify.js';
+import initLogger, { initAccessLogger } from './logger.js';
 
 const logger = initLogger();
+const accessLogger = initAccessLogger();
 const scrypt = util.promisify(crypto.scrypt);
 
 async function verifyPassword(password, storedPassword) {
@@ -138,3 +142,100 @@ export async function signup(credentials, userIp) {
 
 	return fetchUser(userId);
 }
+
+function curateKey(key) {
+	return {
+		id: key.id,
+		identifier: key.identifier,
+		lastUsedAt: key.last_used_at,
+		lastUsedIp: key.last_used_ip,
+		createdAt: key.created_at,
+	};
+}
+
+export async function fetchUserKeys(reqUser) {
+	const keys = await knex('users_keys')
+		.where('user_id', reqUser.id)
+		.orderBy('created_at', 'asc');
+
+	return keys.map((key) => curateKey(key));
+}
+
+export async function verifyKey(userId, key, req) {
+	if (!key || !userId) {
+		throw new HttpError('The API credentials are not provided.', 401);
+	}
+
+	const hashedKey = (await scrypt(key, '', 64)).toString('hex'); // salt redundant for randomly generated key
+
+	const storedKey = await knex('users_keys')
+		.where('user_id', userId)
+		.where('key', hashedKey)
+		.first();
+
+	if (!storedKey) {
+		throw new HttpError('The API credentials are invalid.', 401);
+	}
+
+	accessLogger.access({
+		userId,
+		identifier: storedKey.identifier,
+		ip: req.userIp,
+	});
+
+	knex('users_keys')
+		.where('id', storedKey.id)
+		.update('last_used_at', knex.raw('now()'))
+		.update('last_used_ip', req.userIp)
+		.then(() => {
+			// no need to wait for this
+		});
+}
+
+export async function createKey(reqUser) {
+	const cooldownKey = `traxxx:key_create_cooldown:${reqUser.id}`;
+
+	if (reqUser.role !== 'admin' && await redis.exists(cooldownKey)) {
+		throw new HttpError(`You can only create a new API key once every ${config.apiAccess.keyCooldown} minutes.`, 429);
+	}
+
+	const keys = await fetchUserKeys(reqUser);
+
+	if (keys.length >= config.apiAccess.keyLimit) {
+		throw new HttpError(`You can only hold ${config.apiAccess.keyLimit} API keys at one time. Please remove a key.`, 400);
+	}
+
+	const key = crypto.randomBytes(config.apiAccess.keySize).toString('base64url');
+	const hashedKey = (await scrypt(key, '', 64)).toString('hex'); // salt redundant for randomly generated key
+
+	const identifier = slugify([faker.word.adjective(), faker.animal[faker.animal.type()]()]);
+
+	const [newKey] = await knex('users_keys')
+		.insert({
+			user_id: reqUser.id,
+			key: hashedKey,
+			identifier,
+		})
+		.returning('*');
+
+	await redis.set(cooldownKey, identifier);
+	await redis.expire(cooldownKey, config.apiAccess.keyCooldown * 60);
+
+	return {
+		...curateKey(newKey),
+		key,
+	};
+}
+
+export async function removeUserKey(reqUser, identifier) {
+	await knex('users_keys')
+		.where('user_id', reqUser.id)
+		.where('identifier', identifier)
+		.delete();
+}
+
+export async function flushUserKeys(reqUser) {
+	await knex('users_keys')
+		.where('user_id', reqUser.id)
+		.delete();
+}
diff --git a/src/logger.js b/src/logger.js
index cc7a47b..f216282 100755
--- a/src/logger.js
+++ b/src/logger.js
@@ -34,3 +34,20 @@ export default function initLogger(customLabel) {
 		],
 	});
 }
+
+export function initAccessLogger() {
+	return winston.createLogger({
+		level: 'access',
+		levels: {
+			access: 0,
+		},
+		format: winston.format.printf((data) => JSON.stringify({ ...data.message, timestamp: new Date() })),
+		transports: [
+			new winston.transports.DailyRotateFile({
+				datePattern: 'YYYY-MM-DD',
+				filename: path.join('log', 'access_%DATE%.log'),
+				level: 'access',
+			}),
+		],
+	});
+}
diff --git a/src/users.js b/src/users.js
index d24be66..12ef70d 100755
--- a/src/users.js
+++ b/src/users.js
@@ -27,6 +27,7 @@ export function curateUser(user, _assets = {}) {
 		emailVerified: user.email_verified,
 		identityVerified: user.identity_verified,
 		avatar: `/media/avatars/${user.id}_${user.username}.png`,
+		role: user.role,
 		createdAt: user.created_at,
 	};
 
diff --git a/src/web/actors.js b/src/web/actors.js
index be3e98f..83fb6e9 100644
--- a/src/web/actors.js
+++ b/src/web/actors.js
@@ -46,7 +46,7 @@ export const actorsSchema = `
 			query: String
 			limit: Int! = 30
 			page: Int! = 1
-			order: [String]
+			order: [String!]
 		): ActorsResult
 
 		actor(
@@ -54,7 +54,7 @@ export const actorsSchema = `
 		): Actor
 
 		actorsById(
-			ids: [Int]!
+			ids: [Int!]!
 		): [Actor]
 	}
 
@@ -70,7 +70,7 @@ export const actorsSchema = `
 	}
 
 	type ActorsResult {
-		nodes: [Actor]
+		nodes: [Actor!]!
 		total: Int
 	}
 
@@ -81,6 +81,8 @@ export const actorsSchema = `
 		gender: String
 		dateOfBirth: Date
 		age: Int
+		ageFromBirth: Int
+		ageThen: Int
 		origin: Location
 		residence: Location
 		height: Int
diff --git a/src/web/auth.js b/src/web/auth.js
index 3564cef..f407ebf 100755
--- a/src/web/auth.js
+++ b/src/web/auth.js
@@ -1,7 +1,16 @@
 /* eslint-disable no-param-reassign */
+import { stringify } from '@brillout/json-serializer/stringify'; /* eslint-disable-line import/extensions */
 import IPCIDR from 'ip-cidr';
 
-import { login, signup } from '../auth.js';
+import {
+	login,
+	signup,
+	fetchUserKeys,
+	createKey,
+	removeUserKey,
+	flushUserKeys,
+} from '../auth.js';
+
 import { fetchUser } from '../users.js';
 
 function getIp(req) {
@@ -68,4 +77,28 @@ export async function signupApi(req, res) {
 	req.session.user = user;
 	res.send(user);
 }
+
+export async function fetchUserKeysApi(req, res) {
+	const keys = await fetchUserKeys(req.user);
+
+	res.send(stringify(keys));
+}
+
+export async function createKeyApi(req, res) {
+	const key = await createKey(req.user);
+
+	res.send(stringify(key));
+}
+
+export async function removeUserKeyApi(req, res) {
+	await removeUserKey(req.user, req.params.keyIdentifier);
+
+	res.status(204).send();
+}
+
+export async function flushUserKeysApi(req, res) {
+	await flushUserKeys(req.user);
+
+	res.status(204).send();
+}
 /* eslint-enable no-param-reassign */
diff --git a/src/web/entities.js b/src/web/entities.js
index 5a1d8ae..58ae03e 100644
--- a/src/web/entities.js
+++ b/src/web/entities.js
@@ -37,7 +37,7 @@ export const entitiesSchema = `
 	}
 
 	type EntitiesResult {
-		nodes: [Entity]
+		nodes: [Entity!]!
 	}
 
 	type Entity {
@@ -47,7 +47,7 @@ export const entitiesSchema = `
 		url: String
 		type: String
 		parent: Entity
-		children: [Entity]
+		children: [Entity!]!
 	}
 `;
 
diff --git a/src/web/graphql.js b/src/web/graphql.js
index 13b7885..01699d0 100644
--- a/src/web/graphql.js
+++ b/src/web/graphql.js
@@ -1,3 +1,4 @@
+import config from 'config';
 import { format } from 'date-fns';
 
 import {
@@ -24,6 +25,8 @@ import {
 	fetchActorsByIdGraphql,
 } from './actors.js';
 
+import { verifyKey } from '../auth.js';
+
 const schema = buildSchema(`
 	type Query {
 		movies(
@@ -61,6 +64,13 @@ const DateScalar = new GraphQLScalarType({
 });
 
 export async function graphqlApi(req, res) {
+	if (!config.apiAccess.graphqlEnabled) {
+		res.status(404).send();
+		return;
+	}
+
+	await verifyKey(req.headers['api-user'], req.headers['api-key'], req);
+
 	const data = await graphql({
 		schema,
 		source: req.body.query,
diff --git a/src/web/scenes.js b/src/web/scenes.js
index e88cb2c..1a49884 100644
--- a/src/web/scenes.js
+++ b/src/web/scenes.js
@@ -75,9 +75,9 @@ export const scenesSchema = `
 		scenes(
 			query: String
 			scope: String
-			entities: [String]
-			actorIds: [String]
-			tags: [String]
+			entities: [String!]
+			actorIds: [String!]
+			tags: [String!]
 			limit: Int! = 30
 			page: Int! = 1
 		): ReleasesResult
@@ -87,16 +87,16 @@ export const scenesSchema = `
 		): Release
 
 		scenesById(
-			ids: [Int]!
+			ids: [Int!]!
 		): [Release]
 	}
 
 	type ReleasesAggregate {
-		actors: [Actor]
+		actors: [Actor!]
 	}
 
 	type ReleasesResult {
-		nodes: [Release]
+		nodes: [Release!]!
 		total: Int
 		aggregates: ReleasesAggregate
 	}
@@ -112,13 +112,13 @@ export const scenesSchema = `
 		shootId: Int
 		channel: Entity
 		network: Entity
-		actors: [Actor]
-		tags: [Tag]
+		actors: [Actor!]!
+		tags: [Tag!]!
 		poster: Media
 		trailer: Media
-		photos: [Media]
-		covers: [Media]
-		movies: [Release]
+		photos: [Media!]!
+		covers: [Media!]!
+		movies: [Release!]!
 	}
 
 	type Tag {
diff --git a/src/web/server.js b/src/web/server.js
index c1ba0b2..174141e 100644
--- a/src/web/server.js
+++ b/src/web/server.js
@@ -28,6 +28,10 @@ import {
 	loginApi,
 	logoutApi,
 	signupApi,
+	fetchUserKeysApi,
+	createKeyApi,
+	removeUserKeyApi,
+	flushUserKeysApi,
 } from './auth.js';
 
 import {
@@ -162,6 +166,12 @@ export default async function initServer() {
 	router.post('/api/templates', createTemplateApi);
 	router.delete('/api/templates/:templateId', removeTemplateApi);
 
+	// API KEYS
+	router.get('/api/me/keys', fetchUserKeysApi);
+	router.post('/api/keys', createKeyApi);
+	router.delete('/api/me/keys/:keyIdentifier', removeUserKeyApi);
+	router.delete('/api/me/keys', flushUserKeysApi);
+
 	// ALERTS
 	router.get('/api/alerts', fetchAlertsApi);
 	router.post('/api/alerts', createAlertApi);
@@ -182,7 +192,10 @@ export default async function initServer() {
 	// TAGS
 	router.get('/api/tags', fetchTagsApi);
 
-	router.post('/graphql', graphqlApi);
+	if (config.apiAccess.graphqlEnabled) {
+		router.post('/graphql', graphqlApi);
+	}
+
 	router.use(consentHandler);
 
 	router.use((req, res, next) => {