diff --git a/README-apikeys.md b/README-apikeys.md
new file mode 100644
index 0000000..a253892
--- /dev/null
+++ b/README-apikeys.md
@@ -0,0 +1,11 @@
+# API key management
+
+This applies, if you're operating shutter-api with rate limiting/api keys enabled (see `docker-compose.rate_limit.yaml` and `apikeys/apikeys.py` for more details), via `docker compose`.
+
+Keys are stored in `shutter-api/data/keys.csv`.
+
+There is a script on `shutter-api.shutter.network:shutter-api/add-apikey.sh` for adding new keys while the `compose` stack is running. It executes the python script from `apikeys/apikeys.py` inside the `docker compose` environment (see header of the python script for more documentation).
+
+When you execute it, it will ask for an email address or other reference for a new key, that will be added to `keys.csv`.
+
+If you manually change the contents of `keys.csv`, for example to remove a key, run `add-apikey.sh` and don't give a new keys reference -- that will compile the edited `.csv` and restart the webserver.
diff --git a/add-apikey.sh b/add-apikey.sh
new file mode 100644
index 0000000..9f75f0b
--- /dev/null
+++ b/add-apikey.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# This writes a new apikey to the keysfile and the configuration
+docker run --rm -it -v $(pwd)/apikeys/apikeys.py:/apikeys.py:ro -v $(pwd)/data:/data -e KEYS_FILE=/data/keys.csv -e CADDY_SNIPPET=/data/apikeys.caddy ghcr.io/astral-sh/uv:python3.13-alpine uv run --script /apikeys.py
+
+echo "Activating new API key by restarting caddy"
+tail -1 data/keys.csv
+
+docker compose -f docker-compose.yml -f docker-compose.rate_limit.yaml restart caddy