diff --git a/doc/10-icinga2-client.md b/doc/10-icinga2-client.md
index 35d3a9b8a..7dce86de9 100644
--- a/doc/10-icinga2-client.md
+++ b/doc/10-icinga2-client.md
@@ -76,32 +76,39 @@ for example).
 
 Make sure to answer the first question with `n` (no).
 
-    # icinga2 node wizard
+    nbmif /etc/icinga2 # icinga2 node wizard
     Welcome to the Icinga 2 Setup Wizard!
 
     We'll guide you through all required configuration details.
 
     Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: n
     Starting the Master setup routine...
-    Please specifiy the common name (CN) [icinga2-node1.localdomain]:
+    Please specifiy the common name (CN) [icinga2-node1.localdomain]: 
+    Checking the 'api' feature...
+    'api' feature not enabled, running 'api setup' now.
+    information/cli: Generating new CA.
+
     information/base: Writing private key to '/var/lib/icinga2/ca/ca.key'.
     information/base: Writing X509 certificate to '/var/lib/icinga2/ca/ca.crt'.
     information/cli: Initializing serial file in '/var/lib/icinga2/ca/serial.txt'.
     information/cli: Generating new CSR in '/etc/icinga2/pki/icinga2-node1.localdomain.csr'.
+
     information/base: Writing private key to '/etc/icinga2/pki/icinga2-node1.localdomain.key'.
     information/base: Writing certificate signing request to '/etc/icinga2/pki/icinga2-node1.localdomain.csr'.
     information/cli: Signing CSR with CA and writing certificate to '/etc/icinga2/pki/icinga2-node1.localdomain.crt'.
+
     information/cli: Copying CA certificate to '/etc/icinga2/pki/ca.crt'.
-    information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
-    information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
-    Please specify the API bind host/port (optional):
-    Bind Host []:
-    Bind Port []:
-    information/cli: Enabling the APIlistener feature.
+
+    information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'.
+
+    information/cli: Enabling the ApiListener feature.
+
     Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
-    information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
+    information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
+    Please specify the API bind host/port (optional):
+    Bind Host []: 
+    Bind Port []: 
     information/cli: Updating constants.conf.
-    information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
     information/cli: Updating constants file '/etc/icinga2/constants.conf'.
     information/cli: Updating constants file '/etc/icinga2/constants.conf'.
     Done.
@@ -111,10 +118,11 @@ Make sure to answer the first question with `n` (no).
 
 The setup wizard will do the following:
 
-* Generate a local CA in `/var/lib/icinga2/ca` or use the existing one
-* Generate a new CSR, sign it with the local CA and copying it into `/etc/icinga2/pki`
+* Check if the `api` feature is already enabled, and if not:
+ * Generate a local CA in `/var/lib/icinga2/ca` or use the existing one
+ * Generate a new CSR, sign it with the local CA and copying it into `/etc/icinga2/pki`
+ * Enabling the API feature, and setting optional `bind_host` and `bind_port`
 * Generate a local zone and endpoint configuration for this master based on FQDN
-* Enabling the API feature, and setting optional `bind_host` and `bind_port`
 * Setting the `NodeName` and `TicketSalt` constants in [constants.conf](4-configuring-icinga-2.md#constants-conf)
 
 The setup wizard does not automatically restart Icinga 2.
diff --git a/doc/6-object-types.md b/doc/6-object-types.md
index be38d2d5f..42a13d921 100644
--- a/doc/6-object-types.md
+++ b/doc/6-object-types.md
@@ -9,7 +9,8 @@ description are explained as well.
 ## <a id="objecttype-apilistener"></a> ApiListener
 
 ApiListener objects are used for distributed monitoring setups
-specifying the certificate files used for ssl authorization.
+and API usage specifying the certificate files used for ssl
+authorization and additional restrictions.
 
 The `NodeName` constant must be defined in [constants.conf](4-configuring-icinga-2.md#constants-conf).
 
@@ -35,6 +36,24 @@ Configuration Attributes:
   accept\_config            |**Optional.** Accept zone configuration. Defaults to `false`.
   accept\_commands          |**Optional.** Accept remote commands. Defaults to `false`.
 
+## <a id="objecttype-apiuser"></a> ApiUser
+
+ApiUser objects are used for authentication against the Icinga 2 API.
+
+Example:
+
+    object ApiUser "root" {
+      password = "mysecretapipassword"
+    }
+
+
+Configuration Attributes:
+
+  Name                      |Description
+  --------------------------|--------------------------
+  password                  |**Optional.** Password string.
+  client\_cn                |**Optional.** Client Common Name (CN).
+
 ## <a id="objecttype-checkcommand"></a> CheckCommand
 
 A check command definition. Additional default command custom attributes can be
diff --git a/lib/cli/apisetuputility.cpp b/lib/cli/apisetuputility.cpp
index 0c7ed775f..46314f5fa 100644
--- a/lib/cli/apisetuputility.cpp
+++ b/lib/cli/apisetuputility.cpp
@@ -158,7 +158,7 @@ int ApiSetupUtility::SetupMaster(const String& cn)
 	fp.open(apiuserspathtmp.CStr(), std::ofstream::out | std::ofstream::trunc);
 
 	fp << "/**\n"
-	    << " * The API users are used for authentication against the API.\n"
+	    << " * The APIUser objects are used for authentication against the API.\n"
 	    << " */\n"
 	    << "object ApiUser \"" << api_username << "\" {\n"
 	    << "  password = \"" << api_password << "\"\n"