diff --git a/app/assets/javascripts/app/controllers/_application_controller/nav_sidebar.coffee b/app/assets/javascripts/app/controllers/_application_controller/nav_sidebar.coffee
index e3774f47f..8ac79ff67 100644
--- a/app/assets/javascripts/app/controllers/_application_controller/nav_sidebar.coffee
+++ b/app/assets/javascripts/app/controllers/_application_controller/nav_sidebar.coffee
@@ -64,10 +64,15 @@ class App.ControllerNavSidbar extends App.Controller
 groupsUnsorted.push item
 else
 match = false
- for permissionName in item.permission
- if !match && @permissionCheck(permissionName)
- match = true
+ if typeof item.permission is 'function'
+ match = item.permission(@)
+ if match
 groupsUnsorted.push item
+ else
+ for permissionName in item.permission
+ if !match && @permissionCheck(permissionName)
+ match = true
+ groupsUnsorted.push item
 _.sortBy(groupsUnsorted, (item) -> return item.prio)
 selectedItem: (groups) =>
@@ -83,10 +88,15 @@ class App.ControllerNavSidbar extends App.Controller
 itemsUnsorted.push item
 else
 match = false
- for permissionName in item.permission
- if !match && @permissionCheck(permissionName)
- match = true
+ if typeof item.permission is 'function'
+ match = item.permission(@)
+ if match
 itemsUnsorted.push item
+ else
+ for permissionName in item.permission
+ if !match && @permissionCheck(permissionName)
+ match = true
+ itemsUnsorted.push item
 group.items = _.sortBy(itemsUnsorted, (item) -> return item.prio)
diff --git a/app/assets/javascripts/app/controllers/_profile/token_access.coffee b/app/assets/javascripts/app/controllers/_profile/token_access.coffee
index 294b9f73e..966d864b9 100644
--- a/app/assets/javascripts/app/controllers/_profile/token_access.coffee
+++ b/app/assets/javascripts/app/controllers/_profile/token_access.coffee
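Review bot: The callable-permission branch is written out twice, once in the group loop of this hunk and again in the item loop of the `@@ -83,10 +88,15 @@` hunk, so any later change to how a permission callback is evaluated has to be made in both places. A single private helper that both loops call would keep them in step and give one place to document that `item.permission` may be either a list of permission names or a function `(controller) -> boolean`, and that the result only filters what the sidebar draws. The page has lost its indentation, so the nesting below is my reading of the hunk; both loops start and end outside the visible lines.

```coffeescript
  # item.permission is either a list of permission names or a
  # function (controller) -> boolean. Display filter only: the
  # server must enforce the same rule on its own.
  itemPermitted: (item) =>
    if typeof item.permission is 'function'
      return !!item.permission(@)
    _.some(item.permission, (permissionName) => @permissionCheck(permissionName))

  # … unchanged: loop over the configured groups …
        groupsUnsorted.push item if @itemPermitted(item)

  # … unchanged: loop over the items of each group …
          itemsUnsorted.push item if @itemPermitted(item)
```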
@@ -144,4 +144,13 @@ class Create extends App.ControllerModal
 msg: App.i18n.translateContent(data.message || data.error)
 )
-App.Config.set('Token Access', { prio: 3200, name: 'Token Access', parent: '#profile', target: '#profile/token_access', controller: ProfileTokenAccess, permission: ['user_preferences.access_token'] }, 'NavBarProfile')
+App.Config.set('Token Access', {
+ prio: 3200,
+ name: 'Token Access',
+ parent: '#profile',
+ target: '#profile/token_access',
+ controller: ProfileTokenAccess,
+ permission: (controller) ->
+ return false if !App.Config.get('api_token_access')
+ return controller.permissionCheck('user_preferences.access_token')
+}, 'NavBarProfile')
diff --git a/app/assets/javascripts/app/controllers/profile.coffee b/app/assets/javascripts/app/controllers/profile.coffee
index 4e39dcdeb..974ca083c 100644
--- a/app/assets/javascripts/app/controllers/profile.coffee
+++ b/app/assets/javascripts/app/controllers/profile.coffee
@@ -2,6 +2,15 @@ class App.Profile extends App.ControllerNavSidbar
 authenticateRequired: true
 configKey: 'NavBarProfile'
+ constructor: (params) ->
+ super
+
+ @controllerBind('config_update', (data) =>
+ return if data.name isnt 'api_token_access'
+ @render(true)
+ @updateNavigation(true, params)
+ )
+
 class ProfileRouter extends App.ControllerPermanent
 requiredPermission: ['user_preferences.*']
diff --git a/db/migrate/20210909093800_issue_3168_token_setting.rb b/db/migrate/20210909093800_issue_3168_token_setting.rb
new file mode 100644
index 000000000..0ab670fa2
--- /dev/null
+++ b/db/migrate/20210909093800_issue_3168_token_setting.rb
@@ -0,0 +1,10 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class Issue3168TokenSetting < ActiveRecord::Migration[6.0]
+ def change
+ # return if it's a new setup
+ return if !Setting.exists?(name: 'system_init_done')
+
+ Setting.find_by(name: 'api_token_access').update(frontend: true)
+ end
+end
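Review bot: The new `permission` callback only decides whether the "Token Access" entry is drawn; it runs in the browser against `App.Config`, so it is a display filter and not an access control. Nothing in this commit shows the server refusing token creation while `api_token_access` is off, and the `#profile/token_access` target itself does not appear to be gated here (the `ProfileRouter` visible in profile.coffee only requires `user_preferences.*`). Both are worth confirming before treating issue #3168 as closed. I would also add a comment above the callback, for example `# display filter only; the API must reject token creation when api_token_access is disabled`.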
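Review bot: The `config_update` handler redraws the sidebar when `api_token_access` changes, but nothing visible here deals with a user who already has the Token Access view open at that moment; presumably the content pane stays usable until they navigate away, which should be confirmed. The handler also reuses the `params` captured when the controller was constructed, so `@updateNavigation(true, params)` may re-select a target that the redraw has just hidden. A short comment such as `# re-evaluate permission callbacks when api_token_access is toggled` would explain why only this one setting name is handled.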
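Review bot: `Setting.find_by(name: 'api_token_access')` returns nil when the row is missing, so the chained `.update` raises NoMethodError and aborts the migration on an instance where the setting was removed or renamed. `update` also signals a validation failure only by returning false, which is ignored here, so the migration can be recorded as applied while `frontend` is unchanged. `Setting.find_by(name: 'api_token_access')&.update!(frontend: true)` covers both cases. Since this is a data change that a rollback cannot undo, `def up` would describe it more accurately than `def change`.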
diff --git a/db/seeds/settings.rb b/db/seeds/settings.rb
index 8d8efa87d..681180126 100644
--- a/db/seeds/settings.rb
+++ b/db/seeds/settings.rb
@@ -2864,7 +2864,7 @@ Setting.create_if_not_exists(
 preferences: {
 permission: ['admin.api'],
 },
- frontend: false
+ frontend: true
 )
 Setting.create_if_not_exists(
 title: 'API Password Access',
diff --git a/spec/system/profile_spec.rb b/spec/system/profile_spec.rb
index b4094acbf..3939975dc 100644
--- a/spec/system/profile_spec.rb
+++ b/spec/system/profile_spec.rb
@@ -22,4 +22,28 @@ RSpec.describe 'Profile', type: :system do
 expect(page).to have_no_css('.dropdown-menu > li > a[href="#profile"]')
 end
 end
+
+ context "Don't provide option to create API-Token if authentication via API token is disabled #3168" do
+ before do
+ visit 'profile'
+ end
+
+ it 'does show the navbar link Token Access based on the Setting api_token_access' do
+ expect(page).to have_text('Token Access')
+
+ # disable token access
+ visit 'system/api'
+ click 'label[for=api_token_access]'
+
+ visit 'profile'
+ expect(page).to have_no_text('Token Access')
+
+ # enable token access
+ visit 'system/api'
+ click 'label[for=api_token_access]'
+
+ visit 'profile'
+ expect(page).to have_text('Token Access')
+ end
+ end
 end
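Review bot: Switching `frontend` to true puts the value of `api_token_access` into the configuration that is shipped to browser clients, and the hunk does not say which sessions receive it. The value is a single boolean, so the exposure is small, but it is worth confirming whether frontend settings also reach sessions that have not logged in, since it tells a visitor which authentication methods are enabled. A comment next to the flag, for example `# exposed to the client only so the profile sidebar can hide "Token Access"; enforcement stays server-side`, would record why it was flipped. The `Setting.create_if_not_exists(` call this belongs to starts above the hunk.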
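Review bot: The new example checks only that the "Token Access" sidebar link disappears; it never opens `profile/token_access` directly while the setting is off, which is the path a user takes when bypassing the menu. Adding that visit with an expectation that the token form is not offered, plus a request-level check that token creation is rejected, would cover the behaviour the issue title describes. The setting is also toggled through the UI and restored inside the same example, so a failure between the two clicks leaves `api_token_access` disabled for later examples unless the suite resets settings between them; restoring it in an `after` block would be safer.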