diff --git a/admin/inc/class.uiconfig.inc.php b/admin/inc/class.uiconfig.inc.php index 555febaf1b..237e2424f4 100644 --- a/admin/inc/class.uiconfig.inc.php +++ b/admin/inc/class.uiconfig.inc.php @@ -9,6 +9,8 @@ * @version $Id$ */ +use EGroupware\Api; + /** * Site configuration for all apps using an $app/templates/default/config.tpl */ @@ -24,7 +26,7 @@ class uiconfig // for POST requests validate CSRF token (or terminate request) if ($_SERVER['REQUEST_METHOD'] == 'POST') { - egw_csrf::validate($_POST['csrf_token'], __CLASS__); + Api\Csrf::validate($_POST['csrf_token'], __CLASS__); } if (empty($_GET['appname']) && isset($params['appname'])) @@ -44,7 +46,7 @@ class uiconfig // load the translations of the app we show too, so they dont need to be in admin! if ($_appname != 'admin') { - translation::add_app($_appname); + Api\Translation::add_app($_appname); } if(get_magic_quotes_gpc() && is_array($_POST['newsettings'])) @@ -103,7 +105,7 @@ class uiconfig // fix footer submit buttons to just {submit} {cancel} $t->set_var('footer', preg_replace('/]+value="{lang_(submit|cancel)}"[^>]*>/', '{$1}', $t->get_var('footer'))); - $c = new config($config_appname); + $c = new Api\Config($config_appname); $c->read_repository(); if ($_POST['cancel'] || ($_POST['submit'] || $_POST['save'] || $_POST['apply']) && $GLOBALS['egw']->acl->check('site_config_acce',2,'admin')) { @@ -177,7 +179,7 @@ class uiconfig $t->set_var('th_text', $GLOBALS['egw_info']['theme']['th_text']); $t->set_var('row_on', $GLOBALS['egw_info']['theme']['row_on']); $t->set_var('row_off', $GLOBALS['egw_info']['theme']['row_off']); - $t->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__CLASS__))); + $t->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__CLASS__))); $vars = $t->get_undefined('body'); 
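Review bot: In the `@@ -24,7 +26,7 @@` hunk the new `Api\Csrf::validate($_POST['csrf_token'], __CLASS__)` call still reads the key without checking that it exists, so a POST that lacks the field raises an undefined-index notice before validate() gets to reject it. Passing an explicit empty value keeps the rejection and drops the notice: `Api\Csrf::validate(isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '', __CLASS__);`. This assumes Cache::getSession() treats an empty key like an unknown token, which is not visible here — worth confirming against the Cache implementation. The enclosing method's opening and closing lines are outside the hunk.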
diff --git a/phpgwapi/inc/class.egw_csrf.inc.php b/api/src/Csrf.php similarity index 73% rename from phpgwapi/inc/class.egw_csrf.inc.php rename to api/src/Csrf.php index 06eab8493a..f2a4dc6ef8 100644 --- a/phpgwapi/inc/class.egw_csrf.inc.php +++ b/api/src/Csrf.php @@ -6,10 +6,15 @@ * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License * @package api * @author Ralf Becker - * @copyright (c) 2014 by Ralf Becker + * @copyright (c) 2014-16 by Ralf Becker * @version $Id$ */ +namespace EGroupware\Api; + +// explicitly reference classes still in phpgwapi +use auth; + /** * Class supplying methods to prevent successful CSRF by requesting a random token, * stored on server and validated when request get posted. @@ -22,12 +27,12 @@ * If a token does not validate (incl. purpose, if specified in generation) * the request will be imediatly terminated. */ -class egw_csrf +class Csrf { /** * Get a CSRF token for an optional $purpose, which can be validated * - * @param mixed $_purpose=true if given it need to be used in validate too! (It must NOT be NULL) + * @param mixed $_purpose =true if given it need to be used in validate too! (It must NOT be NULL) * @return string CSRF token */ public static function token($_purpose=true) @@ -42,7 +47,7 @@ class egw_csrf auth::randomstring(64); // store it in session for later validation - egw_cache::setSession(__CLASS__, $token, $_purpose); + Cache::setSession(__CLASS__, $token, $_purpose); return $token; } 
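Review bot: The rewritten token() docblock in the `@@ -22,12 +27,12 @@` hunk still says the purpose "must NOT be NULL", but nothing in `public static function token($_purpose=true)` rejects null, and a null purpose would make the `isset($stored_purpose)` check in validate() fail for a legitimately issued token. Consider failing fast at the top of the body (which lies outside this hunk): `if ($_purpose === null) throw new \InvalidArgumentException('CSRF token purpose must not be NULL');`. While the docblock is being touched, `imediatly` should read `immediately`. The method body continues past the end of the hunk.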
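Review bot: Moving the class into the `EGroupware\Api` namespace changes the value of `__CLASS__` that `Cache::setSession(__CLASS__, $token, $_purpose)` uses as the session key, so tokens issued under the old `egw_csrf` name in sessions still alive at upgrade time will not be found by validate() and those in-flight forms will be killed with "CSRF detected". If upgrades without forced logout are expected, that deserves a line in the commit message or a one-time fallback lookup under the old key. A related observation, not introduced here: every token() call adds a session entry and only a successful validate() removes it, so tokens that are never posted accumulate for the session lifetime — a bound or expiry would be a reasonable follow-up. The method's signature is outside this hunk.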
@@ -50,13 +55,13 @@ class egw_csrf /** * Validate a CSRF token or teminate the request * - * @param string $_token CSRF token generated with egw_csfr::token() - * @param string $_purpose=true optional purpose string passed to token method - * @param boolean $_delete_token=true true if token should be deleted after validation, it will validate no second time + * @param string $_token CSRF token generated with egw_csrf::token() + * @param string $_purpose =true optional purpose string passed to token method + * @param boolean $_delete_token =true true if token should be deleted after validation, it will validate no second time */ public static function validate($_token, $_purpose=true, $_delete_token=true) { - $stored_purpose = egw_cache::getSession(__CLASS__, $_token); + $stored_purpose = Cache::getSession(__CLASS__, $_token); // if token and purpose dont validate, log and terminate request if (!isset($stored_purpose) || $stored_purpose !== $_purpose) @@ -66,6 +71,6 @@ class egw_csrf // we are not throwing an exception here, but die, to not allow catching it! die("CSRF detected, request terminated!"); } - if ($_delete_token) egw_cache::unsetTree (__CLASS__, $_token); + if ($_delete_token) Cache::unsetSession(__CLASS__, $_token); } } \ No newline at end of file diff --git a/setup/account_migration.php b/setup/account_migration.php index 96a9dce41d..1bbb6bd992 100644 --- a/setup/account_migration.php +++ b/setup/account_migration.php @@ -11,6 +11,8 @@ * @version $Id$ */ +use EGroupware\Api; + include('./inc/functions.inc.php'); // Authorize the user to use setup app and load the database 
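Review bot: validate() passes `$_token` straight into `Cache::getSession(__CLASS__, $_token)` as a key, yet every call site in this commit feeds it `$_POST['csrf_token']`, which can be an array (`csrf_token[]=x`) or empty, and what getSession does with a non-string key is not visible here. A type guard before the lookup makes the rejection explicit instead of depending on that behaviour: `$stored_purpose = (is_string($_token) && $_token !== '') ? Cache::getSession(__CLASS__, $_token) : null;`. The updated docblock also still points at `egw_csrf::token()` — after the rename it should read `Csrf::token()` — and `teminate` should be `terminate`. The body of the `if` that handles a failed check is outside this hunk.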
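Review bot: The rejection path in `@@ -66,6 +71,6 @@` ends in `die("CSRF detected, request terminated!")`, which goes out with the default 200 status, so reverse proxies, WAFs and status-code based alerting cannot tell a blocked CSRF attempt from a normal page. Setting the status first is a one-liner (PHP >= 5.4) and keeps the non-catchable `die` the comment asks for: `http_response_code(403);` immediately before the `die(...)`. The switch from `unsetTree` to `Cache::unsetSession(__CLASS__, $_token)` reads as the intended single-use behaviour, assuming unsetSession removes exactly the key setSession wrote. The `if` that opens this branch starts before the hunk.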
@@ -29,12 +31,12 @@ $setup_tpl->set_file(array( 'T_footer' => 'footer.tpl', 'T_alert_msg' => 'msg_alert_msg.tpl' )); -$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); +$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); // check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!) if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST) { - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); } // determine from where we migrate to what diff --git a/setup/admin_account.php b/setup/admin_account.php index ac9da8a826..4179a53bcb 100644 --- a/setup/admin_account.php +++ b/setup/admin_account.php @@ -10,6 +10,8 @@ * @version $Id$ */ +use EGroupware\Api; + if (strpos($_SERVER['PHP_SELF'],'admin_account.php') !== false) { include('./inc/functions.inc.php'); @@ -29,7 +31,7 @@ if ($_POST['submit']) // for POST (not GET or cli call via setup_cmd_admin) validate CSRF token if ($_SERVER['REQUEST_METHOD'] == 'POST') { - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); } /* Posted admin data */ @@ -52,7 +54,7 @@ if ($_POST['submit']) if(!$_POST['submit'] || $error) { $tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup'); - $setup_tpl = CreateObject('phpgwapi.Template',$tpl_root); + $setup_tpl = new Template($tpl_root); $setup_tpl->set_file(array( 'T_head' => 'head.tpl', 'T_footer' => 'footer.tpl', 
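Review bot: In the `@@ -29,12 +31,12 @@` hunk `Api\Csrf::token(__FILE__)` runs before `Api\Csrf::validate(...)`, so a fresh token is written to the session on every request — including the one about to be rejected — while the posted token is only removed when validation succeeds, leaving both in the session on the rejection path. Correctness is unaffected because purposes match, but the per-session token set only ever grows between successful posts. If that is acceptable, a comment such as `// a new token is minted for the rendered form before the posted one is checked; unposted tokens live until the session ends` would make the ordering look deliberate. The same ordering is repeated in applications.php, config.php and db_backup.php in this commit.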
@@ -89,7 +91,7 @@ if(!$_POST['submit'] || $error) $setup_tpl->set_var('create_demo_accounts',lang('Create demo accounts')); $setup_tpl->set_var('demo_desc',lang('The username/passwords are: demo/guest, demo2/guest and demo3/guest.')); - $setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); + $setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); $setup_tpl->set_var('lang_submit',lang('Save')); $setup_tpl->set_var('lang_cancel',lang('Cancel')); diff --git a/setup/applications.php b/setup/applications.php index 4d7b1ca8dd..5810ad82ac 100644 --- a/setup/applications.php +++ b/setup/applications.php @@ -10,6 +10,8 @@ * @version $Id$ */ +use EGroupware\Api; + $DEBUG = @$_POST['debug'] || @$_GET['debug']; /* TODO: We allow a user to hose their setup here, need to make use @@ -31,7 +33,7 @@ if (!$GLOBALS['egw_setup']->auth('Config')) // Does not return unless user is authorized $tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup'); -$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root); +$setup_tpl = new Template($tpl_root); $setup_tpl->set_file(array( 'T_head' => 'head.tpl', 'T_footer' => 'footer.tpl', @@ -40,12 +42,12 @@ $setup_tpl->set_file(array( 'T_login_stage_header' => 'login_stage_header.tpl', 'T_setup_main' => 'applications.tpl' )); -$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); +$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); // check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!) if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST) { - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); } $setup_tpl->set_block('T_login_stage_header','B_multi_domain','V_multi_domain'); diff --git a/setup/config.php b/setup/config.php index aa2962c0b8..dc2c302de9 100644 
--- a/setup/config.php +++ b/setup/config.php @@ -10,6 +10,8 @@ * @version $Id$ */ +use EGroupware\Api; + include('./inc/functions.inc.php'); /* @@ -23,7 +25,7 @@ if(!$GLOBALS['egw_setup']->auth('Config') || @$_POST['cancel']) } $tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup'); -$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root); +$setup_tpl = new Template($tpl_root); $setup_tpl->set_file(array( 'T_head' => 'head.tpl', @@ -32,12 +34,12 @@ $setup_tpl->set_file(array( 'T_config_pre_script' => 'config_pre_script.tpl', 'T_config_post_script' => 'config_post_script.tpl' )); -$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); +$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); // check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!) if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST) { - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); } /* Following to ensure windows file paths are saved correctly */ @@ -78,14 +80,14 @@ if(@get_var('submit',Array('POST')) && @$newsettings) /* Don't erase passwords, since we also do not print them below */ if(!empty($value) || !(stristr($setting,'passwd') || stristr($setting,'password') || stristr($setting,'root_pw'))) { - config::save_value($setting, $value, 'phpgwapi'); + Api\Config::save_value($setting, $value, 'phpgwapi'); } } if(!$GLOBALS['error']) { $GLOBALS['egw_setup']->db->transaction_commit(); // unset cached config, as this is the primary source for configuration now - egw_cache::unsetInstance('config', 'configs'); + Api\Cache::unsetInstance('config', 'configs'); Header('Location: index.php'); exit; 
@@ -119,7 +121,7 @@ class phpgw $GLOBALS['egw'] = new phpgw; $GLOBALS['egw']->db =& $GLOBALS['egw_setup']->db; -$t = CreateObject('phpgwapi.Template', common::get_tpl_dir('setup')); +$t = new Template(common::get_tpl_dir('setup')); $t->set_unknowns('keep'); $t->set_file(array('config' => 'config.tpl')); diff --git a/setup/db_backup.php b/setup/db_backup.php index ffdc8f3c91..9628b8d971 100644 --- a/setup/db_backup.php +++ b/setup/db_backup.php @@ -45,18 +45,18 @@ if ($_POST['download']) readfile($file); exit; } -$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root); +$setup_tpl = new Template($tpl_root); $setup_tpl->set_file(array( 'T_head' => 'head.tpl', 'T_footer' => 'footer.tpl', 'T_db_backup' => 'db_backup.tpl', )); -$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); +$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); // check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!) if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST) { - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); } $setup_tpl->set_block('T_db_backup','schedule_row','schedule_rows'); $setup_tpl->set_block('T_db_backup','set_row','set_rows'); @@ -107,13 +107,13 @@ if ($_POST['save_backup_settings']) } if ($_POST['mount']) { - egw_vfs::$is_root = true; + Api\Vfs::$is_root = true; echo '
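Review bot: db_backup.php now references `Api\Csrf::token(__FILE__)` and `Api\Csrf::validate(...)` (and `Api\Vfs` in the following hunk), but unlike every other setup file in this commit no hunk adds `use EGroupware\Api;` at the top — the first hunk header `@@ -45,18 +45,18 @@` shows nothing inserted above line 45. Unless that alias already exists in the unchanged head of the file, `Api\Csrf` resolves to the global `\Api\Csrf` and the page fatals at the `Api\Csrf::token(__FILE__)` line, before the backup form is rendered. Please confirm the head of the file or add `use EGroupware\Api;` as the other files do.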
'. - (egw_vfs::mount('filesystem://default'.$db_backup->backup_dir.'?group=Admins&mode=070','/backup',false) ? + (Api\Vfs::mount('filesystem://default'.$db_backup->backup_dir.'?group=Admins&mode=070','/backup',false) ? lang('Backup directory %1 mounted as %2',$db_backup->backup_dir,'/backup') : lang('Failed to mount Backup directory!')). "
\n"; - egw_vfs::$is_root = false; + Api\Vfs::$is_root = false; } // create a backup now if($_POST['backup']) diff --git a/setup/index.php b/setup/index.php index f40a4b7075..bb9cfba844 100644 --- a/setup/index.php +++ b/setup/index.php @@ -10,13 +10,15 @@ * @version $Id$ */ +use EGroupware\Api; + $GLOBALS['DEBUG'] = False; include('./inc/functions.inc.php'); @set_time_limit(0); $tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup'); -$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root); +$setup_tpl = new Template($tpl_root); $setup_tpl->set_file(array ( 'T_head' => 'head.tpl', @@ -251,7 +253,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db']) $setup_tpl->set_var('V_db_filled_block',$db_filled_block); break; case 4: - $setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); + $setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); $setup_tpl->set_var('oldver',lang('You appear to be running version %1 of eGroupWare',$setup_info['phpgwapi']['currentver'])); $setup_tpl->set_var('automatic',lang('We will automatically update your tables/records to %1',$setup_info['phpgwapi']['version'])); $setup_tpl->set_var('backupwarn',lang('but we highly recommend backing up your tables in case the script causes damage to your data.
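Review bot: `Api\Vfs::$is_root = true;` is set and reset to false a few lines later, but if `Api\Vfs::mount(...)` or one of the `lang()` calls throws in between, the flag stays true for the rest of the request; whether any later code in db_backup.php would then run with root VFS rights is not visible here. Since `finally` exists from PHP 5.5, the reset is safer as `try { echo ...mount... ; } finally { Api\Vfs::$is_root = false; }` if the project's minimum PHP version permits, otherwise a comment noting the exposure window is worthwhile. The mount string also splices `$db_backup->backup_dir` raw into a `filesystem://...?group=Admins&mode=070` URL — pre-existing, but if backup_dir is user-configurable (the `save_backup_settings` branch suggests it is) a URL-encoding treatment would be a sensible follow-up.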
These automated scripts can easily destroy your data.')); @@ -273,7 +275,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db']) $setup_tpl->set_var('V_db_filled_block',$db_filled_block); break; case 5: - $setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__))); + $setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__))); $setup_tpl->set_var('are_you_sure',lang('ARE YOU SURE?')); $setup_tpl->set_var('really_uninstall_all_applications',lang('REALLY Uninstall all applications')); $setup_tpl->set_var('dropwarn',lang('Your tables will be dropped and you will lose data')); @@ -298,7 +300,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db']) !preg_match('/^[0-9.a-z_]+$/i', $_POST['db_grant_host']) ? 'localhost' : $_POST['db_grant_host']); break; case 'drop': - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); $setup_info = $GLOBALS['egw_setup']->detection->get_versions($setup_info); $setup_info = $GLOBALS['egw_setup']->process->droptables($setup_info); break; @@ -346,11 +348,11 @@ switch($GLOBALS['egw_info']['setup']['stage']['db']) } break; case 'oldversion': - egw_csrf::validate($_POST['csrf_token'], __FILE__); + Api\Csrf::validate($_POST['csrf_token'], __FILE__); // create a backup, before upgrading the tables if ($_POST['backup']) { - $db_backup =& CreateObject('phpgwapi.db_backup'); + $db_backup = new Api\Db\Backup(); if (is_resource($f = $db_backup->fopen_backup())) { echo '

'.lang('backup started, this might take a few minutes ...')."

\n".str_repeat(' ',4096); @@ -373,7 +375,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db']) break; } } - catch (egw_exception_db $e) + catch (Api\Db\Exception $e) { echo "
".$e->getMessage()."
\n"; }