diff --git a/website/src/controllers/api-v3/groups.js b/website/src/controllers/api-v3/groups.js
index cf42b8b6de..0373d02984 100644
--- a/website/src/controllers/api-v3/groups.js
+++ b/website/src/controllers/api-v3/groups.js
@@ -160,6 +160,45 @@ api.getGroup = {
   },
 };
 
+/**
+ * @api {put} /groups/:groupId Update group
+ * @apiVersion 3.0.0
+ * @apiName UpdateGroup
+ * @apiGroup Group
+ *
+ * @apiParam {string} groupId The group _id (or 'party')
+ *
+ * @apiSuccess {Object} group The updated group object
+ */
+api.updateGroup = {
+  method: 'PUT',
+  url: '/groups/:groupId',
+  middlewares: [authWithHeaders(), cron],
+  handler (req, res, next) {
+    let user = res.locals.user;
+
+    req.checkParams('groupId', res.t('groupIdRequired')).notEmpty();
+
+    let validationErrors = req.validationErrors();
+    if (validationErrors) return next(validationErrors);
+
+    Group.getGroup(user, req.params.groupId)
+    .then(group => {
+      if (!group) throw new NotFound(res.t('groupNotFound'));
+
+      if (group.leader !== user._id) throw new NotAuthorized(res.t('messageGroupOnlyLeaderCanUpdate'));
+
+      _.assign(group, _.merge(group.toObject(), Group.sanitizeUpdate(req.body)));
+
+      return group.save();
+    }).then(savedGroup => {
+      res.respond(200, savedGroup);
+      firebase.updateGroupData(savedGroup);
+    })
+    .catch(next);
+  },
+};
+
 /**
  * @api {post} /groups/:groupId/join Join a group
  * @apiVersion 3.0.0
diff --git a/website/src/models/group.js b/website/src/models/group.js
index 5c26330cc7..fd79686977 100644
--- a/website/src/models/group.js
+++ b/website/src/models/group.js
@@ -73,6 +73,12 @@ schema.plugin(baseModel, {
   noSet: ['_id', 'balance', 'quest', 'memberCount', 'chat', 'challengeCount'],
 });
 
+// A list of additional fields that cannot be updated (but can be set on creation)
+let noUpdate = ['privacy', 'type'];
+schema.statics.sanitizeUpdate = function sanitizeUpdate (updateObj) {
+  return model.sanitize(updateObj, noUpdate); // eslint-disable-line no-use-before-define
+};
+
 // TODO migration
 /**
  * Derby duplicated stuff. This is a temporary solution, once we're completely off derby we'll run an mongo migration