diff --git a/server/db/src/main/resources/com/walmartlabs/concord/server/db/liquibase.xml b/server/db/src/main/resources/com/walmartlabs/concord/server/db/liquibase.xml
index e0f1f06686..23dde8d830 100644
--- a/server/db/src/main/resources/com/walmartlabs/concord/server/db/liquibase.xml
+++ b/server/db/src/main/resources/com/walmartlabs/concord/server/db/liquibase.xml
@@ -115,5 +115,6 @@
     <include file="v2.10.0.xml" relativeToChangelogFile="true"/>
     <include file="v2.12.0.xml" relativeToChangelogFile="true"/>
     <include file="v2.14.0.xml" relativeToChangelogFile="true"/>
+    <include file="v2.21.0.xml" relativeToChangelogFile="true"/>
 
 </databaseChangeLog>
diff --git a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.69.0.xml b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.69.0.xml
index aab2a816f4..5b10e1b916 100644
--- a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.69.0.xml
+++ b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.69.0.xml
@@ -4,9 +4,11 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
-    <property name="concordAgentUserId" value="d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8"/>
+    <!-- concord agent user disabled from 2.21.x -->
+<!--    <property name="concordAgentUserId" value="d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8"/>-->
 
     <!-- moved to v1.86.0.xml (no more hard-coded default token) -->
+    <!-- concord agent user disabled from 2.21.x -->
 <!--    <changeSet id="69000" author="ybrigo@gmail.com">
             <insert tableName="USERS">
                 <column name="USER_ID">${concordAgentUserId}</column>
@@ -21,7 +23,9 @@
             </insert>
         </changeSet> -->
 
+    <!-- concord agent user disabled from 2.21.x -->
     <!-- Create agent user when not exist -->
+    <!--
     <changeSet id="69001" author="benjamin.broadaway@walmart.com.com">
         <preConditions onFail="MARK_RAN">
             <sqlCheck expectedResult="0">
@@ -37,5 +41,5 @@
             <column name="USER_TYPE">LOCAL</column>
         </insert>
     </changeSet>
-
+    -->
 </databaseChangeLog>
diff --git a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.79.0.xml b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.79.0.xml
index 5ae08bc7b1..b62cc37df7 100644
--- a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.79.0.xml
+++ b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.79.0.xml
@@ -4,12 +4,15 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
+    <!-- concord agent user disabled from 2.21.x -->
+    <!--
     <changeSet id="79000" author="ibodrov@gmail.com">
         <insert tableName="USER_ROLES">
             <column name="ROLE_ID">${concordSystemReaderRoleId}</column>
             <column name="USER_ID">${concordAgentUserId}</column>
         </insert>
     </changeSet>
+    -->
 
     <changeSet id="79100" author="ybrigo@gmail.com">
         <addColumn tableName="API_KEYS">
diff --git a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.80.0.xml b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.80.0.xml
index a44d519aa3..7607fbd8e6 100644
--- a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.80.0.xml
+++ b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.80.0.xml
@@ -7,16 +7,20 @@
     <property name="concordSystemWriterRoleId" value="c162d868-89ea-11e8-80be-97fd8a9f7419"/>
 
     <changeSet id="80000" author="ibodrov@gmail.com">
+        <validCheckSum>ANY</validCheckSum>
         <insert tableName="ROLES">
             <column name="ROLE_ID">${concordSystemWriterRoleId}</column>
             <column name="ROLE_NAME">concordSystemWriter</column>
             <column name="GLOBAL_WRITER">true</column>
         </insert>
 
+        <!-- concord agent user disabled from 2.21.x -->
+        <!--
         <insert tableName="USER_ROLES">
             <column name="ROLE_ID">${concordSystemWriterRoleId}</column>
             <column name="USER_ID">${concordAgentUserId}</column>
         </insert>
+        -->
     </changeSet>
 
     <!-- removed in 1.9.0+
diff --git a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v1.86.0.xml b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v1.86.0.xml
index 3e122acf6f..30ad516e10 100644
--- a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v1.86.0.xml
+++ b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v1.86.0.xml
@@ -5,7 +5,8 @@
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
     <property name="concordAdminUserId" value="230c5c9c-d9a7-11e6-bcfd-bb681c07b26c"/>
-    <property name="concordAgentUserId" value="d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8"/>
+    <!-- concord agent user disabled from 2.21.x -->
+<!--    <property name="concordAgentUserId" value="d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8"/>-->
     <property name="concordRunnerUserId" value="2599c604-1384-4660-a767-8bc03baa7a31"/>
 
     <!-- delete old hard-coded default admin API token -->
@@ -38,6 +39,8 @@
     </changeSet>
 
     <!-- delete old hard-coded default agent API token -->
+    <!-- concord agent user disabled from 2.21.x -->
+    <!--
     <changeSet id="1860200" author="benjamin.broadaway@walmart.com" runInTransaction="false" context="!codegen">
         <sql>
             delete from API_KEYS
@@ -45,8 +48,11 @@
             and API_KEY = '1sw9eLZ41EOK4w/iV3jFnn6cqeAMeFtxfazqVY04koY'
         </sql>
     </changeSet>
+    -->
 
     <!-- Set initial agent API token when not exist  -->
+    <!-- concord agent user disabled from 2.21.x -->
+    <!--
     <changeSet id="1860300" author="benjamin.broadaway@walmart.com" runInTransaction="false" context="!codegen">
         <validCheckSum>ANY</validCheckSum>
 
@@ -60,14 +66,13 @@
         </preConditions>
 
         <customChange class="com.walmartlabs.concord.server.liquibase.ext.ApiTokenCreator">
-            <!-- default agent user id from v0.69.0.xml -->
             <param name="userId" value="${concordAgentUserId}"/>
             <param name="username" value="concordAgent"/>
-            <!-- values from concord-server.conf -->
             <param name="token" value="${defaultAgentToken}"/>
             <param name="skip" value="${skipAgentTokenGeneration}"/>
         </customChange>
     </changeSet>
+    -->
 
     <!-- Delete runner API tokens and user when exist  -->
     <changeSet id="1860400" author="benjamin.broadaway@walmart.com" runInTransaction="false" context="!codegen">
diff --git a/server/db/src/main/resources/com/walmartlabs/concord/server/db/v2.21.0.xml b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v2.21.0.xml
new file mode 100644
index 0000000000..2569a43642
--- /dev/null
+++ b/server/db/src/main/resources/com/walmartlabs/concord/server/db/v2.21.0.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
+
+    <changeSet id="2210000" author="ybrigo@gmail.com">
+        <dropNotNullConstraint tableName="API_KEYS" columnName="USER_ID"/>
+    </changeSet>
+
+    <changeSet id="2210010" author="ybrigo@gmail.com">
+        <dropIndex tableName="API_KEYS " indexName="IDX_API_KEYS_NAME_USER"/>
+
+        <sql>
+            create unique index IDX_API_KEYS_NAME_USER_NULL on API_KEYS (KEY_NAME) where USER_ID is null
+        </sql>
+        <sql>
+            create unique index IDX_API_KEYS_NAME_USER_NOT_NULL on API_KEYS (KEY_NAME, USER_ID) where USER_ID is not null
+        </sql>
+    </changeSet>
+
+    <changeSet id="2210020" author="ybrigo@gmail.com" runInTransaction="false" context="!codegen">
+        <validCheckSum>ANY</validCheckSum>
+
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">
+                select count(key_id)
+                from API_KEYS
+                where KEY_NAME = 'concordAgentKey_autogenerated';
+            </sqlCheck>
+            <!-- concordAgentUserId='d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8' -->
+            <sqlCheck expectedResult="0">
+                select count(key_id)
+                from API_KEYS
+                where USER_ID = 'd4f123c1-f8d4-40b2-8a12-b8947b9ce2d8';
+            </sqlCheck>
+        </preConditions>
+
+        <customChange class="com.walmartlabs.concord.server.liquibase.ext.ApiTokenCreator">
+            <!-- default agent user id from v0.69.0.xml -->
+            <param name="keyName" value="concordAgentKey_autogenerated"/>
+            <!-- values from concord-server.conf -->
+            <param name="token" value="${defaultAgentToken}"/>
+            <param name="skip" value="${skipAgentTokenGeneration}"/>
+        </customChange>
+    </changeSet>
+
+</databaseChangeLog>
diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java
index 609893efc8..e3398c360c 100644
--- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java
+++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java
@@ -62,17 +62,20 @@ public boolean supports(AuthenticationToken token) {
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
         ApiKey t = (ApiKey) token;
 
-        UserEntry u = userManager.get(t.getUserId()).orElse(null);
-        if (u == null) {
-            return null;
-        }
+        UserEntry u = null;
+        if (t.getUserId() != null) {
+            u = userManager.get(t.getUserId()).orElse(null);
+            if (u == null) {
+                return null;
+            }
 
-        if (u.isDisabled()) {
-            throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
+            if (u.isDisabled()) {
+                throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
+            }
         }
 
         auditLog.add(AuditObject.SYSTEM, AuditAction.ACCESS)
-                .userId(u.getId())
+                .userId(u != null ? u.getId() : null)
                 .field("realm", REALM_NAME)
                 .field("apiKeyId", t.getKeyId())
                 .log();
diff --git a/server/liquibase-ext/src/main/java/com/walmartlabs/concord/server/liquibase/ext/ApiTokenCreator.java b/server/liquibase-ext/src/main/java/com/walmartlabs/concord/server/liquibase/ext/ApiTokenCreator.java
index 4f7d9d477a..863446832c 100644
--- a/server/liquibase-ext/src/main/java/com/walmartlabs/concord/server/liquibase/ext/ApiTokenCreator.java
+++ b/server/liquibase-ext/src/main/java/com/walmartlabs/concord/server/liquibase/ext/ApiTokenCreator.java
@@ -43,12 +43,13 @@ public class ApiTokenCreator implements CustomSqlChange, CustomSqlRollback {
 
     private static final Logger log = LoggerFactory.getLogger(ApiTokenCreator.class);
 
-    private static final String KEY_NAME = "autogenerated";
+    private static final String DEFAULT_KEY_NAME = "autogenerated";
 
     private String token;
     private String userId;
     private String username;
     private String skip;
+    private String keyName;
 
     public void setUserId(String userId) {
         this.userId = userId;
@@ -66,6 +67,10 @@ public void setSkip(String skip) {
         this.skip = skip;
     }
 
+    public void setKeyName(String keyName) {
+        this.keyName = keyName;
+    }
+
     @Override
     public SqlStatement[] generateStatements(Database database) {
         if (this.token == null) {
@@ -77,7 +82,7 @@ public SqlStatement[] generateStatements(Database database) {
                 new InsertStatement(null, null, "API_KEYS")
                         .addColumnValue("API_KEY", hash(token))
                         .addColumnValue("USER_ID", userId)
-                        .addColumnValue("KEY_NAME", KEY_NAME)
+                        .addColumnValue("KEY_NAME", getKeyName())
         };
     }
 
@@ -87,12 +92,20 @@ public SqlStatement[] generateRollbackStatements(Database database) {
             return new SqlStatement[0];
         }
 
-        return new SqlStatement[]{
-                new DeleteStatement(null, null, "API_KEYS")
-                        .setWhere("USER_ID=? and KEY_NAME=?")
-                        .addWhereParameter(userId)
-                        .addWhereParameter(KEY_NAME)
-        };
+        if (userId != null) {
+            return new SqlStatement[]{
+                    new DeleteStatement(null, null, "API_KEYS")
+                            .setWhere("USER_ID=? and KEY_NAME=?")
+                            .addWhereParameter(userId)
+                            .addWhereParameter(getKeyName())
+            };
+        } else {
+            return new SqlStatement[]{
+                    new DeleteStatement(null, null, "API_KEYS")
+                            .setWhere("KEY_NAME=?")
+                            .addWhereParameter(getKeyName())
+            };
+        }
     }
 
     @Override
@@ -137,6 +150,13 @@ public ValidationErrors validate(Database database) {
         return null;
     }
 
+    private String getKeyName() {
+        if (this.keyName != null) {
+            return this.keyName;
+        }
+        return DEFAULT_KEY_NAME;
+    }
+
     private static String newApiKey() {
         try {
             byte[] ab = new byte[16];