diff --git a/pkg/api/entries.go b/pkg/api/entries.go
index 85ba65a7380362461028384b34e295ac6d1b946f..466aa8965a8f2cc4e13cb3a25167be6d15f0810f 100644
--- a/pkg/api/entries.go
+++ b/pkg/api/entries.go
@@ -131,8 +131,13 @@ func CreateLogEntryHandler(params entries.CreateLogEntryParams) middleware.Respo
 		}()
 	}
 
-	location := strfmt.URI(fmt.Sprintf("%v/%v", httpReq.URL, uuid))
-	return entries.NewCreateLogEntryCreated().WithPayload(logEntry).WithLocation(location).WithETag(uuid)
+	locationURL := httpReq.URL
+	// remove API key from output
+	query := locationURL.Query()
+	query.Del("apiKey")
+	locationURL.RawQuery = query.Encode()
+	locationURL.Path = fmt.Sprintf("%v/%v", locationURL.Path, uuid)
+	return entries.NewCreateLogEntryCreated().WithPayload(logEntry).WithLocation(strfmt.URI(locationURL.String())).WithETag(uuid)
 }
 
 func GetLogEntryByUUIDHandler(params entries.GetLogEntryByUUIDParams) middleware.Responder {
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
index 643de4df5f4a96ff983b0cf18b66cd2a7062e218..9fe96616c231fe5b342a948b1eda2092ea765f28 100644
--- a/tests/e2e_test.go
+++ b/tests/e2e_test.go
@@ -262,3 +262,24 @@ func TestX509(t *testing.T) {
 	outputContains(t, out, "Entry already exists")
 
 }
+
+func TestUploadNoAPIKeyInOutput(t *testing.T) {
+	// Create a random artifact and sign it.
+	artifactPath := filepath.Join(t.TempDir(), "artifact")
+	sigPath := filepath.Join(t.TempDir(), "signature.asc")
+
+	createdPGPSignedArtifact(t, artifactPath, sigPath)
+
+	// Write the public key to a file
+	pubPath := filepath.Join(t.TempDir(), "pubKey.asc")
+	if err := ioutil.WriteFile(pubPath, []byte(publicKey), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// It should upload successfully.
+	out := runCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath, "--public-key", pubPath, "--api-key", "foobar")
+	outputContains(t, out, "Created entry at")
+	if strings.Contains(out, "foobar") {
+		t.Errorf("CLI output contained API key when it should have squelched it")
+	}
+}