diff --git a/src/exchange/taler-exchange-httpd_keys.c b/src/exchange/taler-exchange-httpd_keys.c
index 5f747cccf..b7359392f 100644
--- a/src/exchange/taler-exchange-httpd_keys.c
+++ b/src/exchange/taler-exchange-httpd_keys.c
@@ -26,6 +26,7 @@
 #include "taler-exchange-httpd_keys.h"
 #include "taler-exchange-httpd_responses.h"
 #include "taler_exchangedb_plugin.h"
+#include "taler_extensions.h"
 
 
 /**
@@ -687,6 +688,7 @@ destroy_key_helpers (struct HelperState *hs)
  * @param sm_pub public key of the security module, NULL if the key was revoked or purged
  * @param sm_sig signature from the security module, NULL if the key was revoked or purged
  *               The signature was already verified against @a sm_pub.
+ * @param age_restricted true, if denomination is age restricted
  */
 static void
 helper_rsa_cb (
@@ -697,7 +699,8 @@ helper_rsa_cb (
   const struct TALER_RsaPubHashP *h_rsa,
   const struct TALER_DenominationPublicKey *denom_pub,
   const struct TALER_SecurityModulePublicKeyP *sm_pub,
-  const struct TALER_SecurityModuleSignatureP *sm_sig)
+  const struct TALER_SecurityModuleSignatureP *sm_sig,
+  bool age_restricted)
 {
   struct HelperState *hs = cls;
   struct HelperDenomination *hd;
@@ -729,13 +732,17 @@ helper_rsa_cb (
   TALER_denom_pub_deep_copy (&hd->denom_pub,
                              denom_pub);
   GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher);
-  // FIXME-OEC: set AGE RESTRICTION (from 'global' variable,
-  // that itself is set from /managmenet API!) HERE!
-  // ISSUE: tricky to handle if configuration changes
-  // between denominations (some with/without age
-  // restrictions). For that, we probably need to look at
-  // configuration [$section_name] (!?).
+
+  /* Set age restriction, if applicable */
   hd->denom_pub.age_mask.mask = 0;
+  if (age_restricted)
+  {
+    /* FIXME-oec: get age mask from global */
+    GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg,
+                                                             &hd->denom_pub.
+                                                             age_mask));
+  }
+
   TALER_denom_pub_hash (&hd->denom_pub,
                         &hd->h_denom_pub);
   hd->section_name = GNUNET_strdup (section_name);
diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h
index ea53efb66..9e744c8dc 100644
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@@ -1362,6 +1362,7 @@ struct TALER_CRYPTO_RsaDenominationHelper;
  * @param sm_pub public key of the security module, NULL if the key was revoked or purged
  * @param sm_sig signature from the security module, NULL if the key was revoked or purged
  *               The signature was already verified against @a sm_pub.
+ * @param age_restricted true, if denomnation has age restriction set
  */
 typedef void
 (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)(
@@ -1372,7 +1373,8 @@ typedef void
   const struct TALER_RsaPubHashP *h_rsa,
   const struct TALER_DenominationPublicKey *denom_pub,
   const struct TALER_SecurityModulePublicKeyP *sm_pub,
-  const struct TALER_SecurityModuleSignatureP *sm_sig);
+  const struct TALER_SecurityModuleSignatureP *sm_sig,
+  bool age_restricted);
 
 
 /**
diff --git a/src/include/taler_exchangedb_plugin.h b/src/include/taler_exchangedb_plugin.h
index 7b3c3baf2..47504e510 100644
--- a/src/include/taler_exchangedb_plugin.h
+++ b/src/include/taler_exchangedb_plugin.h
@@ -629,6 +629,10 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData
    */
   struct TALER_Amount fee_refund;
 
+  /**
+   * Indication if age restriction is set for this denomination
+   */
+  bool age_restricted;
 };
 
 
diff --git a/src/util/crypto_helper_rsa.c b/src/util/crypto_helper_rsa.c
index 85741d5e5..d30f8091b 100644
--- a/src/util/crypto_helper_rsa.c
+++ b/src/util/crypto_helper_rsa.c
@@ -239,7 +239,8 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh,
              &h_rsa,
              &denom_pub,
              &kan->secm_pub,
-             &kan->secm_sig);
+             &kan->secm_sig,
+             (&kan->age_restricted > 0));
     TALER_denom_pub_free (&denom_pub);
   }
   return GNUNET_OK;
@@ -275,7 +276,8 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh,
            &pn->h_rsa,
            NULL,
            NULL,
-           NULL);
+           NULL,
+           false);
   return GNUNET_OK;
 }
 
diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c
index 343ae3c43..0711fd7a5 100644
--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -1,18 +1,18 @@
 /*
-  This file is part of TALER
-  Copyright (C) 2014-2021 Taler Systems SA
+   This file is part of TALER
+   Copyright (C) 2014-2021 Taler Systems SA
 
-  TALER is free software; you can redistribute it and/or modify it under the
-  terms of the GNU General Public License as published by the Free Software
-  Foundation; either version 3, or (at your option) any later version.
+   TALER is free software; you can redistribute it and/or modify it under the
+   terms of the GNU General Public License as published by the Free Software
+   Foundation; either version 3, or (at your option) any later version.
 
-  TALER is distributed in the hope that it will be useful, but WITHOUT ANY
-  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
-  A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+   TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+   A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
 
-  You should have received a copy of the GNU General Public License along with
-  TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
-*/
+   You should have received a copy of the GNU General Public License along with
+   TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
+ */
 /**
  * @file util/taler-exchange-secmod-rsa.c
  * @brief Standalone process to perform private key RSA operations
@@ -156,6 +156,11 @@ struct Denomination
    * Length of (new) RSA keys (in bits).
    */
   uint32_t rsa_keysize;
+
+  /**
+   * Is the denomination age restricted?  0 == false
+   */
+  uint8_t age_restricted;
 };
 
 
@@ -258,6 +263,7 @@ notify_client_dk_add (struct TES_Client *client,
   an->section_name_len = htons ((uint16_t) nlen);
   an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
   an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
+  an->age_restricted = denom->age_restricted;
   TALER_exchange_secmod_rsa_sign (&dk->h_rsa,
                                   denom->section,
                                   dk->anchor,
@@ -1256,6 +1262,24 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg,
   }
   denom->rsa_keysize = (unsigned int) rsa_keysize;
   denom->section = GNUNET_strdup (ct);
+  if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg,
+                                                     ct,
+                                                     "AGE_RESTRICTED")))
+  {
+    enum GNUNET_GenericReturnValue ret;
+    if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg,
+                                                                      ct,
+                                                                      "AGE_RESTRICTED")))
+    {
+      GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+                                 ct,
+                                 "AGE_RESTRICTED",
+                                 "Value must be YES or NO\n");
+      return GNUNET_SYSERR;
+    }
+    denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0;
+  }
+
   return GNUNET_OK;
 }
 
@@ -1522,8 +1546,8 @@ main (int argc,
   (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH);
 
   /* force linker to link against libtalerutil; if we do
-   not do this, the linker may "optimize" libtalerutil
-   away and skip #TALER_OS_init(), which we do need */
+     not do this, the linker may "optimize" libtalerutil
+     away and skip #TALER_OS_init(), which we do need */
   TALER_OS_init ();
   now = now_tmp = GNUNET_TIME_absolute_get ();
   ret = GNUNET_PROGRAM_run (argc, argv,
diff --git a/src/util/taler-exchange-secmod-rsa.h b/src/util/taler-exchange-secmod-rsa.h
index b0fdfbd96..9207e705a 100644
--- a/src/util/taler-exchange-secmod-rsa.h
+++ b/src/util/taler-exchange-secmod-rsa.h
@@ -77,6 +77,11 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
    */
   struct TALER_SecurityModuleSignatureP secm_sig;
 
+  /**
+   * Indicator for age restriction
+   */
+  uint8_t age_restricted;
+
   /* followed by @e pub_size bytes of the RSA public key */
 
   /* followed by @e section_name bytes of the configuration section name
diff --git a/src/util/test_helper_rsa.c b/src/util/test_helper_rsa.c
index 14ff2bfab..80a36fd0d 100644
--- a/src/util/test_helper_rsa.c
+++ b/src/util/test_helper_rsa.c
@@ -133,6 +133,7 @@ free_keys (void)
  * @param sm_pub public key of the security module, NULL if the key was revoked or purged
  * @param sm_sig signature from the security module, NULL if the key was revoked or purged
  *               The signature was already verified against @a sm_pub.
+ * @param age_restricted indication if denomination is age restricted
  */
 static void
 key_cb (void *cls,
@@ -142,7 +143,8 @@ key_cb (void *cls,
         const struct TALER_RsaPubHashP *h_rsa,
         const struct TALER_DenominationPublicKey *denom_pub,
         const struct TALER_SecurityModulePublicKeyP *sm_pub,
-        const struct TALER_SecurityModuleSignatureP *sm_sig)
+        const struct TALER_SecurityModuleSignatureP *sm_sig,
+        bool age_restricted)
 {
   (void) cls;
   (void) sm_pub;
@@ -186,6 +188,7 @@ key_cb (void *cls,
       keys[i].validity_duration = validity_duration;
       TALER_denom_pub_deep_copy (&keys[i].denom_pub,
                                  denom_pub);
+      /* FIXME-oec: take age_restriction into account!? */
       num_keys++;
       return;
     }