diff --git a/backend/src/openarchiefbeheer/api/urls.py b/backend/src/openarchiefbeheer/api/urls.py
index 8b97e4eb..e4474eb5 100644
--- a/backend/src/openarchiefbeheer/api/urls.py
+++ b/backend/src/openarchiefbeheer/api/urls.py
@@ -5,11 +5,16 @@
 SpectacularJSONAPIView,
 SpectacularRedocView,
 )
+from rest_framework import routers
 from openarchiefbeheer.accounts.api.views import ReviewersView
+from openarchiefbeheer.destruction.api.viewsets import DestructionListViewSet
 app_name = "api"
+router = routers.DefaultRouter(trailing_slash=False)
+router.register(r"destruction-lists", DestructionListViewSet)
+
 urlpatterns = [
 # API documentation
@@ -40,8 +45,16 @@
 ),
 # Actual endpoints
 path(
- "v1/zaken/",
- include("openarchiefbeheer.api.zaken.urls", namespace="zaken"),
+ "v1/",
+ include(
+ [
+ path(
+ "zaken/",
+ include("openarchiefbeheer.api.zaken.urls", namespace="zaken"),
+ ),
+ path("reviewers/", ReviewersView.as_view(), name="reviewers"),
+ path("", include(router.urls)),
+ ]
+ ),
 ),
- path("v1/reviewers/", ReviewersView.as_view(), name="reviewers"),
 ]
diff --git a/backend/src/openarchiefbeheer/destruction/api/permissions.py b/backend/src/openarchiefbeheer/destruction/api/permissions.py
new file mode 100644
index 00000000..20964e3a
--- /dev/null
+++ b/backend/src/openarchiefbeheer/destruction/api/permissions.py
@@ -0,0 +1,10 @@
+from django.utils.translation import gettext_lazy as _
+
+from rest_framework import permissions
+
+
+class CanStartDestructionPermission(permissions.BasePermission):
+ message = _("You are not allowed to create a destruction list.")
+
+ def has_permission(self, request, view):
+ return request.user.role.can_start_destruction
diff --git a/backend/src/openarchiefbeheer/destruction/api/viewsets.py b/backend/src/openarchiefbeheer/destruction/api/viewsets.py
new file mode 100644
index 00000000..a976de45
--- /dev/null
+++ b/backend/src/openarchiefbeheer/destruction/api/viewsets.py
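Review bot: `routers.DefaultRouter` in the first urls.py hunk registers more than the `destruction-lists` route: it also adds an API root view, which ends up at `v1/` once the router is included, and format-suffix variants of each route. If only the viewset route is intended, `router = routers.SimpleRouter(trailing_slash=False)` keeps the exposed surface to what is explicitly registered; if the root view is wanted, a one-line comment saying so would help the next reader. Access to that root view is governed by the project's DRF default permission classes, which are not visible in this diff.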
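Review bot: The nested `v1/` include in the second urls.py hunk mixes two URL conventions. `zaken/` and `reviewers/` end in a slash, while the router was created with `trailing_slash=False`, so the new endpoint is `v1/destruction-lists` with no slash. Either align the conventions or add a comment on the `path("", include(router.urls))` line, for example `# Router endpoints are intentionally slash-less.`, so API consumers and test authors do not have to discover it through a 404. The `urlpatterns` list starts before this hunk.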
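Review bot: `has_permission` in permissions.py dereferences `request.user.role` unconditionally, so the check raises `AttributeError` and the request ends in a 500 instead of a 403. This happens for an `AnonymousUser`, and for a user with no role assigned if the field is nullable, which is not visible here. The viewset covers the anonymous case by composing with `IsAuthenticated &`, but the class stops being safe as soon as it is used on its own. Failing closed is a two-line change: `role = getattr(request.user, "role", None)` followed by `return bool(role and role.can_start_destruction)`.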
@@ -0,0 +1,24 @@
+from django.db import transaction
+
+from rest_framework import mixins, viewsets
+from rest_framework.permissions import IsAuthenticated
+
+from ..models import DestructionList
+from .permissions import CanStartDestructionPermission
+from .serializers import DestructionListSerializer
+
+
+class DestructionListViewSet(mixins.CreateModelMixin, viewsets.GenericViewSet):
+ serializer_class = DestructionListSerializer
+ queryset = DestructionList.objects.all()
+
+ def get_permissions(self):
+ if self.action == "create":
+ permission_classes = [IsAuthenticated & CanStartDestructionPermission]
+ else:
+ permission_classes = [IsAuthenticated]
+ return [permission() for permission in permission_classes]
+
+ @transaction.atomic
+ def create(self, request, *args, **kwargs):
+ return super().create(request, *args, **kwargs)
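Review bot: The `else` branch of `get_permissions` grants every action other than `create` to any authenticated user, and `queryset` is the unfiltered `DestructionList.objects.all()`. Only `CreateModelMixin` is mixed in today, so nothing readable sits behind that branch yet. A list or retrieve mixin added later would expose every destruction list to every logged-in account without anyone touching the permission code. I would record that on the branch, e.g. `# No read/update actions exist yet; decide per-role access before adding more mixins.`, and give the class a one-line docstring stating that it only supports creation by users whose role allows starting a destruction.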