diff --git a/mayan/apps/django_gpg/api_views.py b/mayan/apps/django_gpg/api_views.py
index bb8762f0a0..c8e8db033f 100644
--- a/mayan/apps/django_gpg/api_views.py
+++ b/mayan/apps/django_gpg/api_views.py
@@ -14,10 +14,8 @@ from .serializers import KeySerializer
 class APIKeyListView(generics.ListCreateAPIView):
 filter_backends = (MayanObjectPermissionsFilter,)
- mayan_object_permissions = {
- 'GET': (permission_key_view,),
- 'POST': (permission_key_upload,)
- }
+ mayan_object_permissions = {'GET': (permission_key_view,)}
+ mayan_view_permissions = {'POST': (permission_key_upload,)}
 permission_classes = (MayanPermission,)
 queryset = Key.objects.all()
 serializer_class = KeySerializer
diff --git a/mayan/apps/django_gpg/tests/test_api.py b/mayan/apps/django_gpg/tests/test_api.py
index f382c006a2..e3aa6814e4 100644
--- a/mayan/apps/django_gpg/tests/test_api.py
+++ b/mayan/apps/django_gpg/tests/test_api.py
@@ -1,15 +1,15 @@
 from __future__ import unicode_literals
-from django.contrib.auth import get_user_model
 from django.test import override_settings
-from django.urls import reverse
+
+from rest_framework import status
 from rest_api.tests import BaseAPITestCase
-from user_management.tests.literals import (
- TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME
-)
 from ..models import Key
+from ..permissions import (
+ permission_key_delete, permission_key_upload, permission_key_view
+)
 from .literals import TEST_KEY_DATA, TEST_KEY_FINGERPRINT
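Review bot: In `APIKeyListView` (api_views.py), the split between `mayan_object_permissions` and `mayan_view_permissions` carries the whole authorization decision for this endpoint, yet nothing on the class says why POST belongs in the second map. A creation request presumably has no existing `Key` for an object-level ACL lookup to match, so the upload permission has to be enforced at view level; a comment above `mayan_view_permissions` such as `# POST creates a new Key, so there is no object to hold an ACL: enforce the upload permission at view level.` would keep a later cleanup from merging the two dicts again. It is also worth confirming in `MayanPermission` and `MayanObjectPermissionsFilter` (not shown here) that a request method missing from both maps is refused rather than passed through.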
@@ -18,42 +18,80 @@ from .literals import TEST_KEY_DATA, TEST_KEY_FINGERPRINT
 class KeyAPITestCase(BaseAPITestCase):
 def setUp(self):
 super(KeyAPITestCase, self).setUp()
- self.admin_user = get_user_model().objects.create_superuser(
- username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL,
- password=TEST_ADMIN_PASSWORD
- )
-
- self.client.login(
- username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD
- )
+ self.login_user()
 def _create_key(self):
 return Key.objects.create(key_data=TEST_KEY_DATA)
- def test_key_create_view(self):
- response = self.client.post(
- reverse('rest_api:key-list'), {
+ # Key creation by upload
+
+ def _request_key_create_view(self):
+ return self.post(
+ viewname='rest_api:key-list', data={
 'key_data': TEST_KEY_DATA
 }
 )
+
+ def test_key_create_view_no_permission(self):
+ response = self._request_key_create_view()
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ self.assertEqual(Key.objects.all().count(), 0)
+
+ def test_key_create_view_with_permission(self):
+ self.grant_permission(permission=permission_key_upload)
+
+ response = self._request_key_create_view()
+
+ self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 self.assertEqual(response.data['fingerprint'], TEST_KEY_FINGERPRINT)
 key = Key.objects.first()
 self.assertEqual(Key.objects.count(), 1)
 self.assertEqual(key.fingerprint, TEST_KEY_FINGERPRINT)
- def test_key_delete_view(self):
- key = self._create_key()
+ # Key deletion
- self.client.delete(reverse('rest_api:key-detail', args=(key.pk,)))
-
- self.assertEqual(Key.objects.count(), 0)
-
- def test_key_detail_view(self):
- key = self._create_key()
-
- response = self.client.get(
- reverse('rest_api:key-detail', args=(key.pk,))
+ def _request_key_delete_view(self):
+ return self.delete(
+ viewname='rest_api:key-detail', args=(self.key.pk,)
 )
- self.assertEqual(response.data['fingerprint'], key.fingerprint)
+ def test_key_delete_view_no_access(self):
+ self.key = self._create_key()
+ response = self._request_key_delete_view()
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+ self.assertEqual(Key.objects.count(), 1)
+
+ def test_key_delete_view_with_access(self):
+ self.key = self._create_key()
+ self.grant_access(
+ permission=permission_key_delete, obj=self.key
+ )
+ response = self._request_key_delete_view()
+ self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+ self.assertEqual(Key.objects.count(), 0)
+
+ # Key detail
+
+ def _request_key_detail_view(self):
+ return self.get(
+ viewname='rest_api:key-detail', args=(self.key.pk,)
+ )
+
+ def test_key_detail_view_no_access(self):
+ self.key = self._create_key()
+ response = self._request_key_detail_view()
+
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+ def test_key_detail_view_with_access(self):
+ self.key = self._create_key()
+ self.grant_access(
+ permission=permission_key_view, obj=self.key
+ )
+ response = self._request_key_detail_view()
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+ self.assertEqual(
+ response.data['fingerprint'], self.key.fingerprint
+ )
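Review bot: The list request is the one path of `APIKeyListView` that the new tests in `KeyAPITestCase` leave unexercised: create, delete and detail each get a no-access and a with-access case, but nothing in this hunk sends a GET to `rest_api:key-list`. The same commit leaves `'GET': (permission_key_view,)` as the only object-level filter on that view, so a pair of tests should pin that a user without access gets an empty list and a user granted access to one key gets exactly that key. The sketch below assumes the list response is paginated with `count` and `results` keys, which is not visible in this diff and should be confirmed.

```python
    # … unchanged: create, delete and detail tests …

    # Key list

    def _request_key_list_view(self):
        return self.get(viewname='rest_api:key-list')

    def test_key_list_view_no_access(self):
        self.key = self._create_key()
        response = self._request_key_list_view()
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data['count'], 0)

    def test_key_list_view_with_access(self):
        self.key = self._create_key()
        self.grant_access(
            permission=permission_key_view, obj=self.key
        )
        response = self._request_key_list_view()
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data['count'], 1)
        self.assertEqual(
            response.data['results'][0]['fingerprint'],
            self.key.fingerprint
        )
```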