diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9a2eb65..68e89f7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -74,7 +74,20 @@
 * [#1047](https://github.com/foosel/OctoPrint/issues/1047) - Fixed 90 degree
   webcam rotation for iOS Safari.
 
-## 1.2.16rc1 (2016-09-08)
+## 1.2.16rc2 (2016-09-16)
+
+### Improvements
+
+  * Return a "400 Bad Request" instead of a "500 Internal Server Error" if a `multipart/form-data` request (e.g. a file upload) is sent which lacks the `boundary` field.
+
+### Bug Fixes
+
+  * [#1491](https://github.com/foosel/OctoPrint/issues/1491): Fixed generate/delete API key in the user settings
+  * [#1492](https://github.com/foosel/OctoPrint/issues/1492): Fixed a bug in the software update plugin depending on the presence of the ``prerelease`` flag which is only present when added manually or using a non stable release channel.
+
+([Commits](https://github.com/foosel/OctoPrint/compare/1.2.16rc1...1.2.16rc2))
+
+## 1.2.16rc1 (2016-09-09)
 
 ### Improvements
 
diff --git a/src/octoprint/plugins/softwareupdate/__init__.py b/src/octoprint/plugins/softwareupdate/__init__.py
index 8612e770..c769f07c 100644
--- a/src/octoprint/plugins/softwareupdate/__init__.py
+++ b/src/octoprint/plugins/softwareupdate/__init__.py
@@ -807,7 +807,7 @@ class SoftwareUpdatePlugin(octoprint.plugin.BlueprintPlugin,
 						# if we are using the update_script, we need to set our update_branch and force
 						# to install the exact version we requested
 
-						if check["prerelease"]:
+						if check.get("prerelease", None):
 							# we are tracking prereleases => we want to be on the correct prerelease channel/branch
 							channel = check.get("prerelease_channel", None)
 							if channel:
diff --git a/src/octoprint/server/util/tornado.py b/src/octoprint/server/util/tornado.py
index 38e0e0d0..9945ba07 100644
--- a/src/octoprint/server/util/tornado.py
+++ b/src/octoprint/server/util/tornado.py
@@ -145,6 +145,9 @@ class UploadStorageFallbackHandler(tornado.web.RequestHandler):
 			if suffix_type in self._suffixes and suffix is not None:
 				self._suffixes[suffix_type] = suffix
 
+		# multipart boundary
+		self._multipart_boundary = None
+
 		# Parts, files and values will be stored here
 		self._parts = dict()
 		self._files = []
@@ -181,7 +184,7 @@ class UploadStorageFallbackHandler(tornado.web.RequestHandler):
 			if self.is_multipart():
 				if not self._bytes_left:
 					# we don't support requests without a content-length
-					raise tornado.web.HTTPError(400, reason="No Content-Length supplied")
+					raise tornado.web.HTTPError(400, log_message="No Content-Length supplied")
 
 				# extract the multipart boundary
 				fields = self._content_type.split(";")
@@ -194,7 +197,14 @@ class UploadStorageFallbackHandler(tornado.web.RequestHandler):
 							self._multipart_boundary = tornado.escape.utf8(v)
 						break
 				else:
-					self._multipart_boundary = None
+					# RFC2046 section 5.1 (as referred to from RFC 7578) defines the boundary
+					# parameter as mandatory for multipart requests:
+					#
+					#     The only mandatory global parameter for the "multipart" media type is
+					#     the boundary parameter, which consists of 1 to 70 characters [...]
+					#
+					# So no boundary? 400 Bad Request
+					raise tornado.web.HTTPError(400, log_message="No multipart boundary supplied")
 		else:
 			self._fallback(self.request, b"")
 			self._finished = True
diff --git a/src/octoprint/static/js/app/viewmodels/usersettings.js b/src/octoprint/static/js/app/viewmodels/usersettings.js
index 1721ae27..b07e92f9 100644
--- a/src/octoprint/static/js/app/viewmodels/usersettings.js
+++ b/src/octoprint/static/js/app/viewmodels/usersettings.js
@@ -69,6 +69,20 @@ $(function() {
                 });
         };
 
+        self.generateApikey = function() {
+            if (!CONFIG_ACCESS_CONTROL) return;
+            self.users.generateApikey(self.currentUser().name, function(response) {
+                self.access_apikey(response.apikey);
+            });
+        };
+
+        self.deleteApikey = function() {
+            if (!CONFIG_ACCESS_CONTROL) return;
+            self.users.deleteApikey(self.currentUser().name, function() {
+                self.access_apikey(undefined);
+            });
+        };
+
         self.updateSettings = function(username, settings) {
             return OctoPrint.users.saveSettings(username, settings);
         };
diff --git a/src/octoprint/templates/dialogs/usersettings/access.jinja2 b/src/octoprint/templates/dialogs/usersettings/access.jinja2
index 38788c9e..6cb7e2f9 100644
--- a/src/octoprint/templates/dialogs/usersettings/access.jinja2
+++ b/src/octoprint/templates/dialogs/usersettings/access.jinja2
@@ -25,8 +25,8 @@
             <div class="controls">
                 <div class="input-append">
                     <input type="text" class="input-block-level uneditable-input" id="userSettings-access_apikey" data-bind="value: access_apikey, valueUpdate: 'input', attr: {placeholder: '{{ _('N/A') }}'}">
-                    <a class="btn" title="Generate new Apikey" data-bind="click: function() { users.confirmGenerateApikey(); }"><i class="icon-refresh"></i></a>
-                    <a class="btn btn-danger" title="Delete Apikey" data-bind="click: function() { users.confirmDeleteApikey(); }"><i class="icon-trash"></i></a>
+                    <a class="btn" title="Generate new Apikey" data-bind="click: generateApikey"><i class="icon-refresh"></i></a>
+                    <a class="btn btn-danger" title="Delete Apikey" data-bind="click: deleteApikey"><i class="icon-trash"></i></a>
                 </div>
 
             </div>