diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php index 298beb685d6..ad0c4e50080 100644 --- a/htdocs/api/class/api.class.php +++ b/htdocs/api/class/api.class.php @@ -16,6 +16,8 @@ */ use Luracast\Restler\Restler; +use Luracast\Restler\RestException; + /** * Class for API @@ -78,7 +80,6 @@ class DolibarrApi { /** * API init - * This class exists to show 200 code when request url root /api/ * */ class DolibarrApiInit extends DolibarrApi { @@ -86,5 +87,54 @@ class DolibarrApiInit extends DolibarrApi { function __construct() { } + + /** + * Log user with login and password + * @todo : to finish! + * + * @param string $login + * @param string $password + * @param int $entity + * @throws RestException + */ + public function login($login, $password, $entity = '') { -} \ No newline at end of file + // Authentication mode + if (empty($dolibarr_main_authentication)) + $dolibarr_main_authentication = 'http,dolibarr'; + // Authentication mode: forceuser + if ($dolibarr_main_authentication == 'forceuser' && empty($dolibarr_auto_user)) + $dolibarr_auto_user = 'auto'; + // Set authmode + $authmode = explode(',', $dolibarr_main_authentication); + + include_once DOL_DOCUMENT_ROOT . '/core/lib/security2.lib.php'; + $login = checkLoginPassEntity($login, $password, $entity, $authmode); + if (empty($login)) + { + throw new RestException(403, 'Access denied'); + } + + return array( + 'success' => array( + 'code' => 200, + 'message' => 'Welcome ' . $login + ) + ); + } + + /** + * @access protected + * @class DolibarrApiAccess {@requires admin} + */ + public function status() { + require_once DOL_DOCUMENT_ROOT . '/core/lib/functions.lib.php'; + return array( + 'success' => array( + 'code' => 200, + 'dolibarr_version' => DOL_VERSION + ) + ); + } + +} diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php new file mode 100644 index 00000000000..d04f943683d --- /dev/null +++ b/htdocs/api/class/api_access.class.php 
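Review bot: In the new `login()` method, `$dolibarr_main_authentication` and `$dolibarr_auto_user` are plain locals (no `global` declaration), so `empty($dolibarr_main_authentication)` is always true and the hard-coded `'http,dolibarr'` mode list is used on every call regardless of what the instance has configured; the `forceuser` branch can never run and `$dolibarr_auto_user` is assigned but never read. Add `global $dolibarr_main_authentication, $dolibarr_auto_user;` as the first statement (assuming these are the conf.php globals of the same name — confirm), or read the configured mode from the application config, so the API cannot authenticate through a mode the administrator did not enable. Failed credentials throw `RestException(403, 'Access denied')`; 401 is the usual status for a failed credential check, and keeping a single message for unknown-user and wrong-password (as the code already does) avoids leaking account existence. The endpoint also returns only a welcome string and no token or session, so the result cannot be used by the caller; the `@todo` acknowledges this, but it should not be reachable until finished.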
@@ -0,0 +1,83 @@ +role for brevity + // + $roles = array('123' => 'user', '456' => 'external', '789' => 'admin'); + + $userClass = Defaults::$userIdentifierClass; + + // for dev @todo : remove this! + static::$role = 'user'; + + if( isset($_GET['test_key'])) { + if( ! $_GET['test_key'] == DolibarrApiAccess::TEST_KEY) { + $userClass::setCacheIdentifier($_GET['test_key']); + return false; + } + } + elseif (isset($_GET['api_key'])) { + // @todo : check from database + if (!array_key_exists($_GET['api_key'], $roles)) { + $userClass::setCacheIdentifier($_GET['api_key']); + return false; + } + static::$role = $roles[$_GET['api_key']]; + } + else + { + return false; + } + + + + $userClass::setCacheIdentifier(static::$role); + Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess'; + return static::$requires == static::$role || static::$role == 'admin'; + } + + public function __getWWWAuthenticateString() + { + return 'Query name="api_key"'; + } + + /** + * @access private + */ + public static function verifyAccess(array $m) + { + $requires = + isset($m['class']['DolibarrApiAccess']['properties']['requires']) + ? $m['class']['DolibarrApiAccess']['properties']['requires'] + : false; + return $requires + ? static::$role == 'admin' || static::$role == $requires + : true; + } +} diff --git a/htdocs/public/api/index.php b/htdocs/public/api/index.php index 7d620dbcad7..709b4436337 100644 --- a/htdocs/public/api/index.php +++ b/htdocs/public/api/index.php @@ -34,6 +34,7 @@ if (! $res) die("Include of main fails"); require_once DOL_DOCUMENT_ROOT.'/includes/restler/vendor/autoload.php'; require_once DOL_DOCUMENT_ROOT.'/api/class/api.class.php'; +require_once DOL_DOCUMENT_ROOT.'/api/class/api_access.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; // Enable and test if module Api is enabled 
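Review bot: The test-key check `if( ! $_GET['test_key'] == DolibarrApiAccess::TEST_KEY)` is a precedence bug: `!` binds tighter than `==`, so it compares the boolean `!$_GET['test_key']` with the constant, and (if `TEST_KEY` is a non-empty string) any non-empty `test_key` value skips the deny branch and is accepted with the role hard-coded just above it, `static::$role = 'user'` — effectively an authentication bypass via `?test_key=anything`. Rewrite it as `if (!is_string($_GET['test_key']) || !hash_equals((string) DolibarrApiAccess::TEST_KEY, $_GET['test_key']))` (or at least `!==` if the project's minimum PHP predates `hash_equals`), which also rejects the `test_key[]=` array case that would otherwise pass. The `api_key` path has the same shape of problem: the in-source `$roles` table (`'123'`, `'456'`, `'789'`) and the dev-only role default are flagged `@todo` but are live authentication logic in the registered access class, and carrying the key in the query string (`__getWWWAuthenticateString` advertises `Query name="api_key"`) leaves it in server/proxy logs and Referer headers — an `Authorization` or custom request header is the safer transport. The signature of this method and the `TEST_KEY` definition lie before the portion of the hunk shown here.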
@@ -46,11 +47,15 @@ if (empty($conf->global->MAIN_MODULE_API)) exit; } +use Luracast\Restler\Defaults; + + $api = new DolibarrApi($db); -$api->r->setSupportedFormats('JsonFormat', 'XmlFormat'); $api->r->addAPIClass('Luracast\\Restler\\Resources'); //this creates resources.json at API Root $api->r->addAPIClass('DolibarrApiInit',''); // Just for url root page +$api->r->setSupportedFormats('JsonFormat', 'XmlFormat'); +$api->r->addAuthenticationClass('DolibarrApiAccess',''); $modulesdir = dolGetModulesDirs(); foreach ($modulesdir as $dir)
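Review bot: `use Luracast\Restler\Defaults;` is added between the module-enabled check and the API wiring instead of alongside the file's other top-of-file imports; PHP accepts a top-level `use` here, but keeping imports together is the convention, and `Defaults` is not referenced anywhere in this hunk, so confirm it is used further down or drop it. `$api->r->addAuthenticationClass('DolibarrApiAccess','');` presumably makes that class the gate for every API class registered after it, so the `@todo` stubs it still contains (hard-coded key table, dev role default) should be resolved before this line ships.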