diff --git a/src/clients.js b/src/clients.js
index cf7b4f7e0..a3bab484a 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -11,6 +11,7 @@ exports = module.exports = {
 getClientTokensByUserId: getClientTokensByUserId,
 delClientTokensByUserId: delClientTokensByUserId,
 delByAppIdAndType: delByAppIdAndType,
+ addClientTokenByUserId: addClientTokenByUserId,
 // keep this in sync with start.sh ADMIN_SCOPES that generates the cid-webadmin
 SCOPE_APPS: 'apps',
@@ -64,6 +65,7 @@ function ClientsError(reason, errorOrMessage) {
 util.inherits(ClientsError, Error);
 ClientsError.INVALID_SCOPE = 'Invalid scope';
 ClientsError.INVALID_CLIENT = 'Invalid client';
+ClientsError.INTERNAL_ERROR = 'Internal Error';
 function validateScope(scope) {
 assert.strictEqual(typeof scope, 'string');
@@ -243,3 +245,28 @@ function delByAppIdAndType(appId, type, callback) {
 callback(null);
 });
 }
+
+function addClientTokenByUserId(clientId, userId, callback) {
+ assert.strictEqual(typeof clientId, 'string');
+ assert.strictEqual(typeof userId, 'string');
+ assert.strictEqual(typeof callback, 'function');
+
+ get(clientId, function (error, result) {
+ if (error) return callback(error);
+
+ var token = tokendb.generateToken();
+ var expiresAt = Date.now() + 24 * 60 * 60 * 1000; // 1 day
+
+ tokendb.add(token, userId, result.id, expiresAt, result.scope, function (error) {
+ if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
+
+ callback(null, { token: {
+ accessToken: token,
+ identifier: userId,
+ clientId: result.id,
+ scope: result.id,
+ expires: expiresAt
+ }});
+ });
+ });
+}
diff --git a/src/routes/clients.js b/src/routes/clients.js
index 6e0904c85..7d2b335bb 100644
--- a/src/routes/clients.js
+++ b/src/routes/clients.js
@@ -5,6 +5,7 @@ exports = module.exports = {
 get: get,
 del: del,
 getAll: getAll,
+ addClientToken: addClientToken,
 getClientTokens: getClientTokens,
 delClientTokens: delClientTokens
 };
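Review bot: In src/clients.js, the object that `addClientTokenByUserId` hands to its callback sets `scope: result.id`, so the caller is told the client id as the token's scope, while the token actually stored through `tokendb.add` carries `result.scope`. This looks like a copy-paste slip from the `clientId` line above it; the line should read `scope: result.scope,`. Errors from `get()` are also passed through unwrapped while `tokendb.add` failures become `ClientsError.INTERNAL_ERROR`; the route handler depends on the former to recognise `DatabaseError.NOT_FOUND`, so a comment such as `// pass DatabaseError through: the route maps NOT_FOUND to 404` above `if (error) return callback(error);` would keep a later cleanup from wrapping it.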
@@ -60,6 +61,17 @@ function getAll(req, res, next) {
 });
 }
+function addClientToken(req, res, next) {
+ assert.strictEqual(typeof req.params.clientId, 'string');
+ assert.strictEqual(typeof req.user, 'object');
+
+ clients.addClientTokenByUserId(req.params.clientId, req.user.id, function (error, result) {
+ if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(404, 'no such client'));
+ if (error) return next(new HttpError(500, error));
+ next(new HttpSuccess(201, { token: result }));
+ });
+}
+
 function getClientTokens(req, res, next) {
 assert.strictEqual(typeof req.params.clientId, 'string');
 assert.strictEqual(typeof req.user, 'object');
diff --git a/src/server.js b/src/server.js
index a67b5d9ac..8ba36c97e 100644
--- a/src/server.js
+++ b/src/server.js
@@ -151,6 +151,7 @@ function initializeExpressSync() {
 router.post('/api/v1/oauth/clients/:clientId', routes.developer.enabled, settingsScope, routes.clients.add);
 router.del ('/api/v1/oauth/clients/:clientId', routes.developer.enabled, settingsScope, routes.clients.del);
 router.get ('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.getClientTokens);
+ router.post('/api/v1/oauth/clients/:clientId/tokens', routes.developer.enabled, settingsScope, routes.clients.addClientToken);
 router.del ('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.delClientTokens);
 // app routes
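Review bot: The 201 response in `addClientToken` (src/routes/clients.js) nests the token twice: `clients.addClientTokenByUserId` already calls back with `{ token: { ... } }`, and the handler wraps that again as `{ token: result }`, so the body comes out as `{ token: { token: { accessToken, ... } } }`. Unless that shape is intended, pass the result through with `next(new HttpSuccess(201, result));`. Separately, `new HttpError(500, error)` hands the internal error object to the response layer. HttpError is not visible here, so it is worth confirming that database error text does not reach the client.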
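Review bot: The new `router.post('/api/v1/oauth/clients/:clientId/tokens', ...)` line in src/server.js authorises token minting with `settingsScope` alone, yet the token created in `addClientTokenByUserId` is stored with the target client's `result.scope` for whichever `:clientId` the caller names. If any registered client carries a broader scope than the caller's current token, this would let a settings-scoped session obtain a wider-scoped, day-long token. Scope enforcement is not visible in this diff, so please confirm whether that can happen. If it can, consider limiting the issued scope to what the caller already holds, or restricting which clients may be targeted, and add a route test that a request for a client with a wider scope is refused. A comment above the route stating the intended authorisation rule would also help; `initializeExpressSync` continues outside the hunk.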