diff --git a/src/auth_manager.cpp b/src/auth_manager.cpp
index 7bf2cdf4..80aa0122 100644
--- a/src/auth_manager.cpp
+++ b/src/auth_manager.cpp
@@ -324,6 +324,10 @@ Option<uint32_t> api_key_t::validate(const nlohmann::json &key_obj) {
         }
     }
 
+    if(key_obj.count("value") != 0 && !key_obj["value"].is_string()) {
+        return Option<uint32_t>(400, std::string("Key value must be a string."));
+    }
+
     if(!key_obj["actions"].is_array() || key_obj["actions"].empty()) {
         return Option<uint32_t>(400,"Wrong format for `actions`. It should be an array of string.");
     }
diff --git a/src/core_api.cpp b/src/core_api.cpp
index 9b7c32c9..5dac7de0 100644
--- a/src/core_api.cpp
+++ b/src/core_api.cpp
@@ -945,12 +945,13 @@ bool post_create_key(const std::shared_ptr<http_req>& req, const std::shared_ptr
         return false;
     }
 
-    const std::string &rand_key = req->metadata;
-
     if(req_json.count("expires_at") == 0) {
         req_json["expires_at"] = api_key_t::FAR_FUTURE_TIMESTAMP;
     }
 
+    const std::string &rand_key = (req_json.count("value") != 0) ?
+            req_json["value"].get<std::string>() : req->metadata;
+
     api_key_t api_key(
         rand_key,
         req_json["description"].get<std::string>(),
diff --git a/test/auth_manager_test.cpp b/test/auth_manager_test.cpp
index d4b7fa20..053f7f66 100644
--- a/test/auth_manager_test.cpp
+++ b/test/auth_manager_test.cpp
@@ -390,4 +390,15 @@ TEST_F(AuthManagerTest, ValidateBadKeyProperties) {
 
     validate_op = api_key_t::validate(key_obj2);
     ASSERT_TRUE(validate_op.ok());
+
+    // check for valid value
+    nlohmann::json key_obj3;
+    key_obj3["description"] = "desc";
+    key_obj3["actions"] = {"*"};
+    key_obj3["collections"] = {"foobar"};
+    key_obj3["value"] = 100;
+
+    validate_op = api_key_t::validate(key_obj3);
+    ASSERT_FALSE(validate_op.ok());
+    ASSERT_STREQ("Key value must be a string.", validate_op.error().c_str());
 }
\ No newline at end of file