diff --git a/src/clients.js b/src/clients.js
index 4d14c5672..ac2abc806 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -8,7 +8,14 @@ exports = module.exports = {
     del: del,
     getAllWithDetailsByUserId: getAllWithDetailsByUserId,
     getClientTokensByUserId: getClientTokensByUserId,
-    delClientTokensByUserId: delClientTokensByUserId
+    delClientTokensByUserId: delClientTokensByUserId,
+
+    SCOPE_APPS: 'apps',
+    SCOPE_DEVELOPER: 'developer',
+    SCOPE_PROFILE: 'profile',
+    SCOPE_ROOT: 'root',
+    SCOPE_SETTINGS: 'settings',
+    SCOPE_USERS: 'users'
 };
 
 var assert = require('assert'),
@@ -47,7 +54,14 @@ ClientsError.INVALID_CLIENT = 'Invalid client';
 function validateScope(scope) {
     assert.strictEqual(typeof scope, 'string');
 
-    var VALID_SCOPES = [ 'root', 'profile', 'users', 'apps', 'developer', 'settings' ];
+    var VALID_SCOPES = [
+        exports.SCOPE_APPS,
+        exports.SCOPE_DEVELOPER,
+        exports.SCOPE_PROFILE,
+        exports.SCOPE_ROOT,
+        exports.SCOPE_SETTINGS,
+        exports.SCOPE_USERS
+    ];
 
     if (scope === '') return new ClientsError(ClientsError.INVALID_SCOPE);
     if (scope === '*') return null;
diff --git a/src/server.js b/src/server.js
index 413ffe838..577f8e27f 100644
--- a/src/server.js
+++ b/src/server.js
@@ -9,6 +9,7 @@ var assert = require('assert'),
     async = require('async'),
     auth = require('./auth.js'),
     certificates = require('./certificates.js'),
+    clients = require('./clients.js'),
     cloudron = require('./cloudron.js'),
     cron = require('./cron.js'),
     config = require('./config.js'),
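Review bot: The scope allow-list in validateScope is now read from `exports.SCOPE_*` at call time, which means any code holding the module object can widen what counts as a valid OAuth scope by reassigning or adding to those exported properties (the `exports = module.exports = { ... }` object is a plain mutable object), whereas the old inline array could only be changed by editing this file. Since this list gates which scopes a client may be granted, it should be immutable: define the scope names as module-level constants (for example `var SCOPE_ROOT = 'root';` and so on, reference them in `VALID_SCOPES`, and export those bindings) or call `Object.freeze` on the exported object so the allow-list cannot drift from the definitions. A short comment above `VALID_SCOPES` such as `// Authoritative allow-list of grantable scopes; keep in sync with the SCOPE_* exports` would also help the next reader understand why the list is built this way. validateScope continues past the end of this hunk, so the handling after the `'*'` early return was not reviewed here.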
@@ -65,12 +66,12 @@ function initializeExpressSync() {
     var multipart = middleware.multipart({ maxFieldsSize: FIELD_LIMIT, limit: FILE_SIZE_LIMIT, timeout: FILE_TIMEOUT });
 
     // scope middleware implicitly also adds bearer token verification
-    var rootScope = routes.oauth2.scope('root');
-    var profileScope = routes.oauth2.scope('profile');
-    var usersScope = routes.oauth2.scope('users');
-    var appsScope = routes.oauth2.scope('apps');
-    var developerScope = routes.oauth2.scope('developer');
-    var settingsScope = routes.oauth2.scope('settings');
+    var rootScope = routes.oauth2.scope(clients.SCOPE_ROOT);
+    var profileScope = routes.oauth2.scope(clients.SCOPE_PROFILE);
+    var usersScope = routes.oauth2.scope(clients.SCOPE_USERS);
+    var appsScope = routes.oauth2.scope(clients.SCOPE_APPS);
+    var developerScope = routes.oauth2.scope(clients.SCOPE_DEVELOPER);
+    var settingsScope = routes.oauth2.scope(clients.SCOPE_SETTINGS);
 
     // csrf protection
     var csrf = routes.oauth2.csrf;
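Review bot: Replacing the string literals with `clients.SCOPE_*` property reads means a misspelled constant name now yields `undefined` instead of a wrong-but-visible string, and whether `routes.oauth2.scope(undefined)` fails loudly or silently builds a middleware that matches nothing (or everything) is not visible from this hunk. Since these middlewares are the authorization gate for the routes wired up below, it is worth failing fast at startup rather than at request time; an `assert.strictEqual(typeof clients.SCOPE_ROOT, 'string');` style check on each constant before building the middlewares (or one inside `routes.oauth2.scope` itself, if it does not already validate its argument) would close that gap. initializeExpressSync continues beyond this hunk, so the route registrations that consume these middlewares were not reviewed.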