diff --git a/docker-compose.yml b/docker-compose.yml
index 696bb38a..47f09e93 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -143,6 +143,7 @@ services:
         - SMTPS_PORT=${SMTPS_PORT:-465}
         - SMTP_PORT=${SMTP_PORT:-25}
         - API_KEY=${API_KEY:-invalid}
+        - API_KEY_READ_ONLY=${API_KEY_READ_ONLY:-invalid}
         - API_ALLOW_FROM=${API_ALLOW_FROM:-invalid}
         - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
         - SKIP_SOLR=${SKIP_SOLR:-y}
diff --git a/generate_config.sh b/generate_config.sh
index e37eaff8..c225a255 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -275,12 +275,15 @@ IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
 
 #SNAT6_TO_SOURCE=
 
-# Create or override API key for web ui
+# Create or override an API key for the web UI
 # You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
-# The API key defined here has read-write access
-# API_KEY allowed chars: a-z, A-Z, 0-9, -
+# An API key defined as API_KEY has read-write access
+# An API key defined as API_KEY_READ_ONLY has read-only access
+# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
+# You can define API_KEY and/or API_KEY_READ_ONLY
 
 #API_KEY=
+#API_KEY_READ_ONLY=
 #API_ALLOW_FROM=172.22.1.1,127.0.0.1
 
 # mail_home is ~/Maildir
diff --git a/update.sh b/update.sh
index 48af481d..d3ce2913 100755
--- a/update.sh
+++ b/update.sh
@@ -185,6 +185,7 @@ CONFIG_ARRAY=(
   "COMPOSE_PROJECT_NAME"
   "SQL_PORT"
   "API_KEY"
+  "API_KEY_READ_ONLY"
   "API_ALLOW_FROM"
   "MAILDIR_GC_TIME"
   "MAILDIR_SUB"
@@ -250,6 +251,12 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# Create or override API key for web UI' >> mailcow.conf
       echo "#API_KEY=" >> mailcow.conf
     fi
+  elif [[ ${option} == "API_KEY_READ_ONLY" ]]; then
+    if ! grep -q ${option} mailcow.conf; then
+      echo "Adding new option \"${option}\" to mailcow.conf"
+      echo '# Create or override read-only API key for web UI' >> mailcow.conf
+      echo "#API_KEY_READ_ONLY=" >> mailcow.conf
+    fi
   elif [[ ${option} == "API_ALLOW_FROM" ]]; then
     if ! grep -q ${option} mailcow.conf; then
       echo "Adding new option \"${option}\" to mailcow.conf"