diff --git a/etebase_fastapi/member.py b/etebase_fastapi/member.py
index 36aa5ce..2eeb365 100644
--- a/etebase_fastapi/member.py
+++ b/etebase_fastapi/member.py
@@ -1,6 +1,7 @@
 import typing as t
 
 from django.contrib.auth import get_user_model
+from django.db import transaction
 from django.db.models import QuerySet
 from fastapi import Depends, status
 from pydantic import BaseModel
@@ -22,6 +23,10 @@ def get_queryset(user: User, collection_uid: str, queryset=default_queryset) ->
     return collection, queryset.filter(collection=collection)
 
 
+class CollectionMemberModifyAccessLevelIn(BaseModel):
+    accessLevel: models.AccessLevels
+
+
 class CollectionMemberOut(BaseModel):
     username: str
     accessLevel: models.AccessLevels
@@ -73,6 +78,24 @@ def member_delete(
     obj.revoke()
 
 
+@collection_router.patch("/{collection_uid}/member/{username}/", status_code=status.HTTP_204_NO_CONTENT)
+def member_patch(
+    collection_uid: str,
+    username: str,
+    data: CollectionMemberModifyAccessLevelIn,
+    user: User = Depends(get_authenticated_user),
+):
+    _, queryset = get_queryset(user, collection_uid)
+    instance = get_object_or_404(queryset, user__username__iexact=username)
+
+    with transaction.atomic():
+        # We only allow updating accessLevel
+        if instance.accessLevel != data.accessLevel:
+            instance.stoken = models.Stoken.objects.create()
+            instance.accessLevel = data.accessLevel
+            instance.save()
+
+
 @collection_router.post("/{collection_uid}/member/leave/", status_code=status.HTTP_204_NO_CONTENT)
 def member_leave(
     collection_uid: str,