diff --git a/proto/agynio/api/gateway/v1/users.proto b/proto/agynio/api/gateway/v1/users.proto
new file mode 100644
index 0000000..41e6308
--- /dev/null
+++ b/proto/agynio/api/gateway/v1/users.proto
@@ -0,0 +1,14 @@
+syntax = "proto3";
+
+package agynio.api.gateway.v1;
+
+import "agynio/api/users/v1/users.proto";
+
+option go_package = "github.com/agynio/api/gen/agynio/api/gateway/v1;gatewayv1";
+
+service UsersGateway {
+  // --- API Tokens ---
+  rpc CreateAPIToken(agynio.api.users.v1.CreateAPITokenRequest) returns (agynio.api.users.v1.CreateAPITokenResponse);
+  rpc ListAPITokens(agynio.api.users.v1.ListAPITokensRequest) returns (agynio.api.users.v1.ListAPITokensResponse);
+  rpc RevokeAPIToken(agynio.api.users.v1.RevokeAPITokenRequest) returns (agynio.api.users.v1.RevokeAPITokenResponse);
+}
diff --git a/proto/agynio/api/users/v1/users.proto b/proto/agynio/api/users/v1/users.proto
index 932a5d5..6fa8c3b 100644
--- a/proto/agynio/api/users/v1/users.proto
+++ b/proto/agynio/api/users/v1/users.proto
@@ -12,6 +12,10 @@ service UsersService {
   rpc GetUserByOIDCSubject(GetUserByOIDCSubjectRequest) returns (GetUserByOIDCSubjectResponse);
   rpc BatchGetUsers(BatchGetUsersRequest) returns (BatchGetUsersResponse);
   rpc UpdateUser(UpdateUserRequest) returns (UpdateUserResponse);
+  rpc CreateAPIToken(CreateAPITokenRequest) returns (CreateAPITokenResponse);
+  rpc ListAPITokens(ListAPITokensRequest) returns (ListAPITokensResponse);
+  rpc RevokeAPIToken(RevokeAPITokenRequest) returns (RevokeAPITokenResponse);
+  rpc ResolveAPIToken(ResolveAPITokenRequest) returns (ResolveAPITokenResponse);
 }
 
 message EntityMeta {
@@ -74,3 +78,44 @@ message UpdateUserRequest {
 message UpdateUserResponse {
   User user = 1;
 }
+
+message APIToken {
+  string id = 1;
+  string identity_id = 2;
+  string name = 3;
+  string token_prefix = 4;
+  google.protobuf.Timestamp expires_at = 5;
+  google.protobuf.Timestamp created_at = 6;
+  google.protobuf.Timestamp last_used_at = 7;
+}
+
+message CreateAPITokenRequest {
+  string name = 1;
+  google.protobuf.Timestamp expires_at = 2;
+}
+
+message CreateAPITokenResponse {
+  APIToken token = 1;
+  string plaintext_token = 2;
+}
+
+message ListAPITokensRequest {}
+
+message ListAPITokensResponse {
+  repeated APIToken tokens = 1;
+}
+
+message RevokeAPITokenRequest {
+  string token_id = 1;
+}
+
+message RevokeAPITokenResponse {}
+
+message ResolveAPITokenRequest {
+  string token_hash = 1;
+}
+
+message ResolveAPITokenResponse {
+  string identity_id = 1;
+  APIToken token = 2;
+}