diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php
index 01ca1e2597..a66acb3c5f 100644
--- a/core/Controller/AppPasswordController.php
+++ b/core/Controller/AppPasswordController.php
@@ -138,4 +138,28 @@ class AppPasswordController extends \OCP\AppFramework\OCSController {
 $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
 return new DataResponse();
 }
+
+ /**
+ * @NoAdminRequired
+ */
+ public function rotateAppPassword(): DataResponse {
+ if (!$this->session->exists('app_password')) {
+ throw new OCSForbiddenException('no app password in use');
+ }
+
+ $appPassword = $this->session->get('app_password');
+
+ try {
+ $token = $this->tokenProvider->getToken($appPassword);
+ } catch (InvalidTokenException $e) {
+ throw new OCSForbiddenException('could not rotate apptoken');
+ }
+
+ $newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+ $this->tokenProvider->rotate($token, $appPassword, $newToken);
+
+ return new DataResponse([
+ 'apppassword' => $newToken,
+ ]);
+ }
 }
diff --git a/core/routes.php b/core/routes.php
index ec8f995304..829fa8576c 100644
--- a/core/routes.php
+++ b/core/routes.php
@@ -107,6 +107,7 @@ $application->registerRoutes($this, [
 ['root' => '/core', 'name' => 'WhatsNew#get', 'url' => '/whatsnew', 'verb' => 'GET'],
 ['root' => '/core', 'name' => 'WhatsNew#dismiss', 'url' => '/whatsnew', 'verb' => 'POST'],
 ['root' => '/core', 'name' => 'AppPassword#getAppPassword', 'url' => '/getapppassword', 'verb' => 'GET'],
+ ['root' => '/core', 'name' => 'AppPassword#rotateAppPassword', 'url' => '/apppassword/rotate', 'verb' => 'POST'],
 ['root' => '/core', 'name' => 'AppPassword#deleteAppPassword', 'url' => '/apppassword', 'verb' => 'DELETE'],
 ['root' => '/collaboration', 'name' => 'CollaborationResources#searchCollections', 'url' => '/resources/collections/search/{filter}', 'verb' => 'GET'],
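Review bot: After `rotate()` succeeds in `rotateAppPassword()`, the session still holds the old secret under `app_password`, so a second rotate call in the same session would pass the stale value to `getToken()` and presumably end in the `could not rotate apptoken` error. If the session can outlive the request, consider adding `$this->session->set('app_password', $newToken);` directly after the `rotate()` call. Only `InvalidTokenException` from `getToken()` is caught; whether `rotate()` itself can throw is not visible in this hunk, so a test that the old password is rejected and the new one accepted after a successful call, and that a failed rotation leaves the old one usable, would pin the security property this endpoint exists for. The docblock carries only `@NoAdminRequired`; a summary line such as `Replace the app password used for this request with a newly generated one and return it once in the response` would tell callers that the returned value is the only copy.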