diff --git a/common/user.ts b/common/user.ts
index 8713717d..b93ed4d6 100644
--- a/common/user.ts
+++ b/common/user.ts
@@ -35,4 +35,5 @@ export type PrivateUser = {
 unsubscribedFromGenericEmails?: boolean
 initialDeviceToken?: string
 initialIpAddress?: string
+ apiKey?: string
 }
diff --git a/firestore.rules b/firestore.rules
index 24ab0941..feba35d9 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -21,6 +21,9 @@ service cloud.firestore {
 match /private-users/{userId} {
 allow read: if resource.data.id == request.auth.uid || isAdmin();
+ allow update: if (resource.data.id == request.auth.uid || isAdmin())
+ && request.resource.data.diff(resource.data).affectedKeys()
+ .hasOnly(['apiKey']);
 }
 match /private-users/{userId}/views/{viewId} {
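Review bot: `apiKey` in common/user.ts is added to `PrivateUser` without any comment marking it as a credential, next to fields such as `initialIpAddress` that are only metadata. Any code that logs, exports or returns a whole `PrivateUser` object will now carry the key, so the field should say what it is: `// Secret API credential: never log it or return it to anyone but the owning user.` The field presumably holds the key in plaintext; if the server only ever needs to verify a presented key, storing a hash of it instead is worth considering. The type's body starts outside the hunk.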
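Review bot: The new `allow update` rule in firestore.rules limits which key may change but not what is written to it, so a client can store any value of any type in `apiKey`: an empty string, a short guessable string, a map, or a value another user already holds. Security rules cannot enforce uniqueness or randomness, so if the backend authenticates requests by looking up the presented key (not visible in this diff), the key is better generated server-side with this client write path dropped; at minimum add `&& request.resource.data.get('apiKey', '') is string` together with a length bound. The `isAdmin()` branch also lets any admin replace another user's key, on top of reading it under the existing read rule, and a comment should state whether that is intended. The enclosing `service cloud.firestore` block and the definition of `isAdmin()` are outside the hunk.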