diff --git a/app/controllers/spree/api_keys_controller.rb b/app/controllers/spree/api_keys_controller.rb
index e852afc23d..22be03d362 100644
--- a/app/controllers/spree/api_keys_controller.rb
+++ b/app/controllers/spree/api_keys_controller.rb
@@ -32,7 +32,7 @@ module Spree
 def load_object
 @user ||= find_user
 if @user
-authorize! params[:action].to_sym, @user
+authorize! :update, @user
 else
 redirect_to main_app.login_path
 end
diff --git a/spec/controllers/spree/api_keys_controller_spec.rb b/spec/controllers/spree/api_keys_controller_spec.rb
index 68c5f35b5f..c39b46e821 100644
--- a/spec/controllers/spree/api_keys_controller_spec.rb
+++ b/spec/controllers/spree/api_keys_controller_spec.rb
@@ -9,6 +9,7 @@ describe Spree::ApiKeysController, type: :controller, performance: true do
 include ControllerRequestsHelper
 
 let(:user) { create(:user) }
+let(:other_user) { create(:user) }
 let(:redirect_path) { "#{spree.account_path}#/developer_settings" }
 
 before do
@@ -21,6 +22,15 @@ describe Spree::ApiKeysController, type: :controller, performance: true do
 expect(user.spree_api_key).to be_present
 end
 
+it "denies creating a new api key for other user" do
+expect {
+spree_post :create, id: other_user.id
+other_user.reload
+}.to_not change {
+other_user.spree_api_key
+}
+end
+
 it "redirects to the api keys tab on account page " do
 spree_post :create
 expect(response).to redirect_to redirect_path
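Review bot: The new `authorize! :update, @user` line carries no explanation of why the ability is pinned to `:update` instead of being derived from the controller action, and the next maintainer who adds an action to this controller will likely reintroduce `params[:action].to_sym`. A one-line comment above it would lock the intent in: `# Generating or clearing an API key mutates the user record, so every action here requires :update on that user; never derive the ability from params[:action].` The `@user` being authorized comes from `find_user`, which is outside this hunk and presumably resolves `params[:id]`, so the check is the only thing standing between a caller and another account's key — worth stating in the comment as well. `load_object` is fully visible, but its enclosing class begins outside the hunk.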
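Review bot: The new "denies creating a new api key for other user" example only asserts that `other_user.spree_api_key` did not change; it would also pass if the request silently succeeded for the current user, or if the denial surfaced as an unhandled exception, so it does not actually pin the denial path. Add an assertion on the response inside the example, for instance `expect(response).not_to be_successful` after the `expect { … }.to_not change { … }` block (or whatever redirect the project's unauthorized handler produces, if that is known). It is also worth asserting that `user.spree_api_key` stays nil in the same example, so a future change that ignores `id` and issues a key to the current user is caught rather than passing by accident. The `describe` block that encloses these examples begins and ends outside the hunk.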