diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index b62b3e063..045e4395e 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -11,7 +11,7 @@ module Api
       end
 
       def authenticate_shared_key
-        api_key = "Basic #{ENV['api_shared_key']}"
+        api_key = "Basic #{ENV['internal_api_key']}"
         head(:unauthorized) unless api_key == request.authorization
       end
 
diff --git a/app/controllers/api/v1/contact_requests_controller.rb b/app/controllers/api/v1/contact_requests_controller.rb
new file mode 100644
index 000000000..2b5977f59
--- /dev/null
+++ b/app/controllers/api/v1/contact_requests_controller.rb
@@ -0,0 +1,37 @@
+module Api
+  module V1
+    class ContactRequestsController < BaseController
+      before_action :authenticate_shared_key
+
+      # POST api/v1/contact_requests/
+      def create
+        return head(:bad_request) if contact_request_params[:email].blank?
+
+        contact_request = ContactRequest.save_record(contact_request_params)
+        render json: contact_request, status: :created
+      rescue StandardError
+        head(:bad_request)
+      end
+
+      def update
+        return head(:bad_request) if params[:id].blank?
+
+        process_id(params[:id])
+      end
+
+      def process_id(id)
+        record = ContactRequest.find_by(id: id)
+        return :not_found unless record
+
+        record.update_status(contact_request_params)
+        render json: record, status: :ok
+      rescue StandardError
+        head :bad_request
+      end
+
+      def contact_request_params
+        params.require(:contact_request).permit(:email, :whois_record_id, :name, :status, :ip)
+      end
+    end
+  end
+end
diff --git a/app/models/contact_request.rb b/app/models/contact_request.rb
new file mode 100644
index 000000000..e6a5e9f7d
--- /dev/null
+++ b/app/models/contact_request.rb
@@ -0,0 +1,40 @@
+class ContactRequest < ApplicationRecord
+  establish_connection :"whois_#{Rails.env}"
+  self.table_name = 'contact_requests'
+
+  STATUS_NEW       = 'new'.freeze
+  STATUS_CONFIRMED = 'confirmed'.freeze
+  STATUS_SENT      = 'sent'.freeze
+  STATUSES         = [STATUS_NEW, STATUS_CONFIRMED, STATUS_SENT].freeze
+
+  validates :whois_record_id, presence: true
+  validates :email, presence: true
+  validates :name, presence: true
+  validates :status, inclusion: { in: STATUSES }
+
+  attr_readonly :secret,
+                :valid_to
+
+  def self.save_record(params)
+    contact_request = new(params)
+    contact_request.secret = create_random_secret
+    contact_request.valid_to = set_valid_to_24_hours_from_now
+    contact_request.status = STATUS_NEW
+    contact_request.save!
+    contact_request
+  end
+
+  def update_status(params)
+    self.status = params['status']
+    self.ip_address = params['ip']
+    save!
+  end
+
+  def self.create_random_secret
+    SecureRandom.hex(64)
+  end
+
+  def self.set_valid_to_24_hours_from_now
+    (Time.zone.now + 24.hours)
+  end
+end
diff --git a/config/application.yml.sample b/config/application.yml.sample
index 5885c47a2..21f1df8e0 100644
--- a/config/application.yml.sample
+++ b/config/application.yml.sample
@@ -90,6 +90,9 @@ registrant_api_auth_allowed_ips: '127.0.0.1, 0.0.0.0' #ips, separated with comma
 # Bounces API
 api_shared_key: testkey
 
+# Link to REST-WHOIS API
+internal_api_key: testkey
+
 # Base URL (inc. https://) of REST registrant portal
 # Leave blank to use internal registrant portal
 registrant_portal_verifications_base_url: ''
diff --git a/config/routes.rb b/config/routes.rb
index 3042eced4..1635789fe 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -91,6 +91,7 @@ Rails.application.routes.draw do
       end
 
       resources :auctions, only: %i[index show update], param: :uuid
+      resources :contact_requests, only: %i[create update], param: :id
       resources :bounces, only: %i[create]
     end
 
diff --git a/test/fixtures/contact_requests.yml b/test/fixtures/contact_requests.yml
new file mode 100644
index 000000000..030a4d726
--- /dev/null
+++ b/test/fixtures/contact_requests.yml
@@ -0,0 +1,8 @@
+new:
+  whois_record_id: 1
+  email: aaa@bbb.com
+  name: Testname
+  status: new
+  secret: somesecret
+  valid_to: 2010-07-05
+
diff --git a/test/integration/api/v1/contact_requests_test.rb b/test/integration/api/v1/contact_requests_test.rb
new file mode 100644
index 000000000..f0621b686
--- /dev/null
+++ b/test/integration/api/v1/contact_requests_test.rb
@@ -0,0 +1,68 @@
+require 'test_helper'
+
+class ApiV1ContactRequestTest < ActionDispatch::IntegrationTest
+  def setup
+    @api_key = "Basic #{ENV['api_shared_key']}"
+    @headers = { "Authorization": "#{@api_key}" }
+    @json_create = { "contact_request": valid_contact_request_create }.as_json
+    @json_update = { "contact_request": valid_contact_request_update }.as_json
+    @contact_request = contact_requests(:new)
+  end
+
+  def test_authorizes_api_request
+    post api_v1_contact_requests_path, params: @json_create, headers: @headers
+    assert_response :created
+
+    invalid_headers = { "Authorization": "Basic invalid_api_key" }
+    post api_v1_contact_requests_path, params: @json_create, headers: invalid_headers
+    assert_response :unauthorized
+  end
+
+  def test_saves_new_contact_request
+    request_body = @json_create.dup
+    random_mail = "#{rand(10000..99999)}@registry.test"
+    request_body['contact_request']['email'] = random_mail
+
+    post api_v1_contact_requests_path, params: request_body, headers: @headers
+    assert_response :created
+
+    contact_request = ContactRequest.last
+    assert_equal contact_request.email, random_mail
+    assert ContactRequest::STATUS_NEW, contact_request.status
+  end
+
+  def test_updates_existing_contact_request
+    request_body = @json_update.dup
+
+    put api_v1_contact_request_path(@contact_request.id), params: request_body, headers: @headers
+    assert_response :ok
+
+    @contact_request.reload
+    assert ContactRequest::STATUS_CONFIRMED, @contact_request.status
+  end
+
+  def test_not_updates_if_status_error
+    request_body = @json_update.dup
+    request_body['contact_request']['status'] = 'some_error_status'
+
+    put api_v1_contact_request_path(@contact_request.id), params: request_body, headers: @headers
+    assert_response 400
+
+    @contact_request.reload
+    assert ContactRequest::STATUS_NEW, @contact_request.status
+  end
+
+  def valid_contact_request_create
+    {
+      "email": "aaa@bbb.com",
+      "whois_record_id": "1",
+      "name": "test"
+    }.as_json
+  end
+
+  def valid_contact_request_update
+    {
+      "status": "#{ContactRequest::STATUS_CONFIRMED}",
+    }.as_json
+  end
+end