diff --git a/apps/authentication/api/access_key.py b/apps/authentication/api/access_key.py
index 1ce992629..027fdf75f 100644
--- a/apps/authentication/api/access_key.py
+++ b/apps/authentication/api/access_key.py
@@ -7,6 +7,8 @@ from rest_framework.response import Response
 
 from common.api import JMSModelViewSet
 from rbac.permissions import RBACPermission
+from ..const import ConfirmType
+from ..permissions import UserConfirmation
 from ..serializers import AccessKeySerializer, AccessKeyCreateSerializer
 
 
@@ -27,20 +29,20 @@ class AccessKeyViewSet(JMSModelViewSet):
 
         if self.action == 'create':
             self.permission_classes = [
-                RBACPermission,
+                RBACPermission, UserConfirmation.require(ConfirmType.PASSWORD)
             ]
         return super().get_permissions()
 
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        key = self.perform_create(serializer)
-        serializer = self.get_serializer(instance=key)
-        return Response(serializer.data, status=201)
-
     def perform_create(self, serializer):
         user = self.request.user
         if user.access_keys.count() >= 10:
             raise serializers.ValidationError(_('Access keys can be created at most 10'))
         key = user.create_access_key()
         return key
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        key = self.perform_create(serializer)
+        serializer = self.get_serializer(instance=key)
+        return Response(serializer.data, status=201)