diff --git a/api/changepwd.php b/api/changepwd.php
new file mode 100644
index 0000000000..af2d245553
--- /dev/null
+++ b/api/changepwd.php
@@ -0,0 +1,64 @@
+<?php
+/**
+ * API call when password has been changed outside EGroupware to eg. re-encrypting (mail) credentials
+ *
+ * Can be used eg. via CURL *after* the password has been changed:
+ *
+ * echo '<new-password>' | curl --user <username> --data-raw '<old-password>' -X POST https://egw.domain.com/egroupware/api/changepwd.php
+ *
+ * (You can also use --data @<filename-with-old-password> instead of --date-raw '<old-password>')
+ *
+ * It will connect with EGroupware (verifying the certificate), authenticate with
+ * the new credentials and send in a POST request the old credentials.
+ *
+ * EGroupware will then re-encrypt everything encrypted with the session password:
+ * - mail credentials
+ * - private S/Mime keys
+ * - let all EGroupware apps know about the password change
+ *
+ * Hook will give the following http status:
+ * - "204 No Content" on success / credentials are changed
+ * - "401 Unauthorized", if new password is wrong or not supplied via basic auth
+ * - "500 Internal server error" on error
+ *
+ * For Apache FCGI you need the following rewrite rule:
+ *
+ * 	RewriteEngine on
+ * 	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
+ *
+ * Otherwise authentication request will be send over and over again, as password is NOT available to PHP!
+ *
+ * @link http://www.egroupware.org
+ * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
+ * @package api
+ * @author Ralf Becker <rb-AT-egroupware.org>
+ * @copyright (c) 2018 by Ralf Becker <rb-AT-egroupware.org>
+ */
+
+use EGroupware\Api;
+
+$GLOBALS['egw_info'] = array(
+	'flags' => array(
+		'disable_Template_class' => True,
+		'noheader'  => True,
+		'currentapp' => 'api',
+		'autocreate_session_callback' => 'EGroupware\Api\Header\Authenticate::autocreate_session_callback',
+	)
+);
+
+// if you move this file somewhere else, you need to adapt the path to the header!
+require(dirname(__DIR__).'/header.inc.php');
+
+
+try {
+	$old_password = file_get_contents('php://input');
+	if (empty($old_password)) throw new Exception('Old password must not be empty!');
+
+	Api\Auth::changepwd($old_password);
+	http_response_code(204);	// No Content
+}
+catch (\Exception $e) {
+	http_response_code(500);
+	header('Content-Type: text/plain; charset=utf-8');
+	echo $e->getMessage()."\n";
+}
\ No newline at end of file