diff --git a/ejabberd.yml.example b/ejabberd.yml.example
index dae839fdc..8c6d026ee 100644
--- a/ejabberd.yml.example
+++ b/ejabberd.yml.example
@@ -524,6 +524,40 @@ access_rules:
 ## - ip: "XXX.XXX.XXX.XXX/32"
 ## - allow
 
+## ===============
+## API PERMISSIONS
+## ===============
+##
+## This section allows you to define who and using what method
+## can execute commands offered by ejabberd.
+##
+## By default "console commands" section allow executing all commands
+## issued using ejabberdctl command, and "admin access" section allows
+## users in admin acl to execute all commands except start and stop
+## with any available access method (ejabberdctl, http-api, xmlrpc
+## depending what is enabled on server).
+##
+## Remember to not remove "console commands" section when doing modifications
+## or ejabberdctl will not be able to execute commands!
+##
+##
+## api_permissions:
+## "console commands":
+## from:
+## - ejabberd_ctl
+## who: all
+## what: "*"
+## "admin access":
+## who:
+## - admin
+## - oauth:
+## - scope: "ejabberd:admin"
+## - admin
+## what:
+## - "*"
+## - "!stop"
+## - "!start"
+
 ## By default the frequency of account registrations from the same IP
 ## is limited to 1 account every 10 minutes. To disable, specify: infinity
 ## registration_timeout: 600
diff --git a/src/ejabberd_access_permissions.erl b/src/ejabberd_access_permissions.erl
index 3ed0d7c8c..83defb13e 100644
--- a/src/ejabberd_access_permissions.erl
+++ b/src/ejabberd_access_permissions.erl
@@ -237,7 +237,8 @@ get_definitions(#state{definitions = Defs, fragments_generators = Gens} = State)
 {all, none}}},
 {<<"admin access">>,
 {[],
- [{acl, admin}],
+ [{acl,{acl,admin}},
+ {oauth,[<<"ejabberd:admin">>],[{acl,{acl,admin}}]}],
 {all, [start, stop]}}}],
 NDefs = case Defs of
 none ->
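Review bot: The built-in "admin access" entry in get_definitions now also accepts OAuth tokens with scope `ejabberd:admin` for every command except start and stop, and no comment at that spot records this or the meaning of the new `{oauth, Scopes, Who}` tuple. The entry's first element is still `[]`, which presumably places no restriction on the calling frontend, and the `case Defs of none ->` branch below suggests this list is what applies when no api_permissions section is configured; the function continues outside the hunk, so both points are inferred and worth confirming. I would add above the entry `%% Default when api_permissions is unset: admin ACL members, directly or via an OAuth token with scope ejabberd:admin; keep in sync with ejabberd.yml.example`. The two added lines also drop the space after commas that the neighbouring `{all, none}` and `{all, [start, stop]}` terms use; `{acl, {acl, admin}}` would match.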