diff --git a/apps/fz_http/lib/fz_http/release.ex b/apps/fz_http/lib/fz_http/release.ex index d5d7133d0..46da2ec32 100644 --- a/apps/fz_http/lib/fz_http/release.ex +++ b/apps/fz_http/lib/fz_http/release.ex @@ -3,7 +3,13 @@ defmodule FzHttp.Release do Adds common tasks to the production app because Mix is not available. """ - alias FzHttp.{Repo, Users, Users.User} + alias FzHttp.{ + ApiTokens, + Repo, + Users, + Users.User + } + import Ecto.Query, only: [from: 2] require Logger @@ -34,11 +40,16 @@ defmodule FzHttp.Release do end # Notify the user - IO.puts("Password reset! Check $HOME/.firezone/.env for sign in credentials.") + IO.puts("password reset to default credentials from env") reply end + def create_api_token(device \\ :stdio) do + device + |> IO.write(default_admin_user() |> mint_jwt()) + end + def change_password(email, password) do params = %{ "password" => password, @@ -63,6 +74,19 @@ defmodule FzHttp.Release do FzHttp.Config.fetch_env!(@app, :admin_email) end + defp default_admin_user do + Users.get_by_email(email()) + end + + defp mint_jwt(%User{} = user) do + {:ok, api_token} = ApiTokens.create_user_api_token(user, %{}) + + {:ok, secret, _claims} = + FzHttpWeb.Auth.JSON.Authentication.fz_encode_and_sign(api_token, user) + + secret + end + defp load_app do Application.load(@app) diff --git a/apps/fz_http/test/fz_http/release_test.exs b/apps/fz_http/test/fz_http/release_test.exs index 1183184e8..696449274 100644 --- a/apps/fz_http/test/fz_http/release_test.exs +++ b/apps/fz_http/test/fz_http/release_test.exs @@ -6,7 +6,13 @@ defmodule FzHttp.ReleaseTest do use FzHttp.DataCase, async: true - alias FzHttp.{Release, Users, Users.User} + alias FzHttp.{ + ApiTokens, + Release, + Users, + UsersFixtures, + Users.User + } describe "migrate/0" do test "function runs without error" do 
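Review bot: `create_api_token/1` issues a credential for the default admin account and writes the signed secret to the device, yet it leaves no audit trail and has no `@doc`. The module already has `require Logger`, so a line such as `Logger.info("API token created for default admin via release task")` would let operators correlate token issuance with who ran the command; the secret itself must stay out of the log. I would also add a `@doc` saying that the written value is a bearer token for the admin user, that it is emitted without a trailing newline, and that callers should not redirect it into shared logs. `mint_jwt/1` and `default_admin_user/0` are defined in a later hunk of this file.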
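Review bot: `mint_jwt/1` only accepts a `%User{}`, but `default_admin_user/0` passes through whatever `Users.get_by_email/1` returns. If that is `nil` when no account matches the configured admin email (likely, but not visible here), the operator gets a bare FunctionClauseError from the release command. The two assertive `{:ok, ...} =` matches likewise turn any error tuple from token creation or signing into a MatchError whose inspected term is printed to the terminal. Consider failing with an explicit message, e.g. `Users.get_by_email(email()) || raise "no user found for the configured admin email"`. Passing `%{}` as the token attrs means the lifetime is whatever `ApiTokens` defaults to, so a comment naming that default would help reviewers judge how long the admin credential stays valid.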
@@ -30,6 +36,19 @@ defmodule FzHttp.ReleaseTest do end end + describe "create_api_token/1" do + test "creates api_token_token for default admin user" do + admin_user = + UsersFixtures.user(%{ + role: :admin, + email: FzHttp.Config.fetch_env!(:fz_http, :admin_email) + }) + + assert :ok = Release.create_api_token() + assert ApiTokens.count_by_user_id(admin_user.id) == 1 + end + end + describe "change_password/2" do setup [:create_user] diff --git a/rel/overlays/bin/create-api-token b/rel/overlays/bin/create-api-token new file mode 100755 index 000000000..d90f2d4f5 --- /dev/null +++ b/rel/overlays/bin/create-api-token @@ -0,0 +1,3 @@ +#!/bin/sh +cd -P -- "$(dirname -- "$0")" +exec ./firezone rpc FzHttp.Release.create_api_token
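Review bot: The test calls `Release.create_api_token()` with the default `:stdio` device, so the signed token is printed into the test output and its value is never checked. Only the row count is asserted. Since the function takes a device, capture it instead: `{:ok, io} = StringIO.open("")`, `assert :ok = Release.create_api_token(io)`, then `{_in, out} = StringIO.contents(io)` and assert that `out` is a non-empty binary. A case for the path where no user exists with the configured admin email is also missing. The test name reads "api_token_token", which looks like a typo for "api_token".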
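Review bot: If the `cd` on the second line fails, `exec ./firezone` still runs and resolves against the caller's working directory, so a different `firezone` file located there would be executed. Guard it with `cd -P -- "$(dirname -- "$0")" || exit 1`, or add `set -e` after the shebang. Because the command's stdout is the signed admin token, a short header comment saying so would help operators keep it out of shell redirections and CI logs.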