diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index b0758e3d1..c096cf078 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -53,6 +53,7 @@ class Admin::UsersController < Admin::AdminController
     @user.suspended_till = params[:duration].to_i.days.from_now
     @user.suspended_at = DateTime.now
     @user.save!
+    @user.revoke_api_key
     StaffActionLogger.new(current_user).log_user_suspend(@user, params[:reason])
     MessageBus.publish "/logout", @user.id, user_ids: [@user.id]
     render nothing: true
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index d76ea7c69..4f93fe55a 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -121,6 +121,17 @@ describe Admin::UsersController do
 
     end
 
+    context '.suspend' do
+
+      let(:evil_trout) { Fabricate(:evil_trout) }
+
+      it "also revoke any api keys" do
+        User.any_instance.expects(:revoke_api_key)
+        xhr :put, :suspend, user_id: evil_trout.id
+      end
+
+    end
+
     context '.revoke_admin' do
       before do
         @another_admin = Fabricate(:admin)
@@ -501,7 +512,6 @@ describe Admin::UsersController do
     user = DiscourseSingleSignOn.parse(sso.payload)
                                 .lookup_or_create_user
 
-
     sso.name = "Bill"
     sso.username = "Hokli$$!!"
     sso.email = "bob2@bob.com"