diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 9ba34c2a6..b89bb39a3 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -40,7 +40,7 @@ function validateScope(scope) {
 exports.SCOPE_DOMAIN,
 exports.SCOPE_CLIENTS,
 exports.SCOPE_MAIL,
- '*', // includes all scopes, but not roles
+ exports.SCOPE_ANY, // includes all scopes, but not roles
 exports.SCOPE_ROLE_SDK
 ];
@@ -66,7 +66,7 @@ function validateRequestedScopes(authInfo, requestedScopes) {
 return new Error('Missing required scope role "' + exports.SCOPE_ROLE_SDK + '"');
 }
- if (scopes.indexOf('*') !== -1) return null;
+ if (scopes.indexOf(exports.SCOPE_ANY) !== -1) return null;
 for (var i = 0; i < requestedScopes.length; ++i) {
 if (scopes.indexOf(requestedScopes[i]) === -1) {
@@ -82,7 +82,7 @@ function normalizeScope(maxScope, allowedScope) {
 assert.strictEqual(typeof maxScope, 'string');
 assert.strictEqual(typeof allowedScope, 'string');
- if (maxScope === '*') return allowedScope;
+ if (maxScope === exports.SCOPE_ANY) return allowedScope;
 return _.intersection(maxScope.split(','), allowedScope.split(',')).join(',');
 }
diff --git a/src/routes/test/apps-test.js b/src/routes/test/apps-test.js
index 079c600c8..79182aa04 100644
--- a/src/routes/test/apps-test.js
+++ b/src/routes/test/apps-test.js
@@ -6,7 +6,8 @@
 /* global before:false */
 /* global after:false */
-var appdb = require('../../appdb.js'),
+var accesscontrol = require('../../accesscontrol.js'),
+ appdb = require('../../appdb.js'),
 apps = require('../../apps.js'),
 assert = require('assert'),
 async = require('async'),
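Review bot: The wildcard short-circuit in validateRequestedScopes now depends on `exports.SCOPE_ANY`, but no visible hunk defines that constant, so its value cannot be confirmed from this diff. Tokens created before this change were added with the literal `'*'` and are presumably persisted by tokendb. If the constant is missing or ever differs from `'*'`, `indexOf` stops matching and those tokens silently lose wildcard access, while the list in validateScope would contain `undefined`. A one-line test such as `expect(accesscontrol.SCOPE_ANY).to.be('*');` would pin the stored value. The same dependency applies to the normalizeScope hunk, and validateRequestedScopes starts and ends outside this hunk.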
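Review bot: normalizeScope treats the wildcard specially only when `maxScope` is exactly `exports.SCOPE_ANY`; every other input goes through `_.intersection`, where the wildcard is just another string. An `allowedScope` of `'*'` against a concrete `maxScope` would therefore normalize to an empty scope, and so might a `maxScope` that combines the wildcard with the SDK role, which the list in validateScope suggests is possible. That fails closed, but it looks unintended. If callers can pass such values, add `if (allowedScope === exports.SCOPE_ANY) return maxScope;` after the existing check and document how a combined wildcard-plus-role scope is meant to be handled. The function's signature is visible only in the hunk header.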
@@ -215,7 +216,7 @@ function startBox(done) {
 token_1 = tokendb.generateToken();
 // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
- tokendb.add(token_1, user_1_id, 'test-client-id', Date.now() + 1000000, '*', callback);
+ tokendb.add(token_1, user_1_id, 'test-client-id', Date.now() + 1000000, accesscontrol.SCOPE_ANY, callback);
 },
 function (callback) {
@@ -628,7 +629,7 @@ describe('App API', function () {
 describe('App installation', function () {
 this.timeout(100000);
- var apiHockInstance = hock.createHock({ throwOnUnmatched: false }), apiHockServer;
+ var apiHockInstance = hock.createHock({ throwOnUnmatched: false });
 var validCert1, validKey1;
diff --git a/src/routes/test/cloudron-test.js b/src/routes/test/cloudron-test.js
index 1f135f8a9..28b842cb3 100644
--- a/src/routes/test/cloudron-test.js
+++ b/src/routes/test/cloudron-test.js
@@ -5,7 +5,8 @@
 /* global before:false */
 /* global after:false */
-var async = require('async'),
+var accesscontrol = require('../../accesscontrol.js'),
+ async = require('async'),
 config = require('../../config.js'),
 database = require('../../database.js'),
 expect = require('expect.js'),
@@ -166,7 +167,7 @@ describe('Cloudron', function () {
 userId_1 = result.body.id;
 // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
- tokendb.add(token_1, userId_1, 'test-client-id', Date.now() + 100000, '*', callback);
+ tokendb.add(token_1, userId_1, 'test-client-id', Date.now() + 100000, accesscontrol.SCOPE_ANY, callback);
 });
 }
 ], done);
diff --git a/src/routes/test/profile-test.js b/src/routes/test/profile-test.js
index b82354540..b3fbc18eb 100644
--- a/src/routes/test/profile-test.js
+++ b/src/routes/test/profile-test.js
@@ -6,13 +6,14 @@
 'use strict';
-var config = require('../../config.js'),
+var accesscontrol = require('../../accesscontrol.js'),
+ config = require('../../config.js'),
 database = require('../../database.js'),
- tokendb = require('../../tokendb.js'),
 expect = require('expect.js'),
 mailer = require('../../mailer.js'),
 superagent = require('superagent'),
- server = require('../../server.js');
+ server = require('../../server.js'),
+ tokendb = require('../../tokendb.js');
 const SERVER_URL = 'http://localhost:' + config.get('port');
@@ -116,7 +117,7 @@ describe('Profile API', function () {
 var token = tokendb.generateToken();
 var expires = Date.now() - 2000; // 1 sec
- tokendb.add(token, user_0.id, null, expires, '*', function (error) {
+ tokendb.add(token, user_0.id, null, expires, accesscontrol.SCOPE_ANY, function (error) {
 expect(error).to.not.be.ok();
 superagent.get(SERVER_URL + '/api/v1/user/profile').query({ access_token: token }).end(function (error, result) {
diff --git a/src/setup.js b/src/setup.js
index fabf7fa80..de7ae6d3e 100644
--- a/src/setup.js
+++ b/src/setup.js
@@ -11,7 +11,8 @@ exports = module.exports = {
 SetupError: SetupError
 };
-var assert = require('assert'),
+var accesscontrol = require('./accesscontrol.js'),
+ assert = require('assert'),
 async = require('async'),
 backups = require('./backups.js'),
 BackupsError = require('./backups.js').BackupsError,
@@ -252,7 +253,7 @@ function activate(username, password, email, displayName, ip, auditSource, callb
 var token = tokendb.generateToken();
 var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
- tokendb.add(token, userObject.id, result.id, expires, '*', function (error) {
+ tokendb.add(token, userObject.id, result.id, expires, accesscontrol.SCOPE_ANY, function (error) {
 if (error) return callback(new SetupError(SetupError.INTERNAL_ERROR, error));
 eventlog.add(eventlog.ACTION_ACTIVATE, auditSource, { });
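Review bot: In activate (src/setup.js), the token is issued with `accesscontrol.SCOPE_ANY`, and nothing in the hunk records why the widest scope is needed at this privileged call site. If this is the first owner's session token, a comment such as `// owner's first session token: full scope by design, bounded by DEFAULT_TOKEN_EXPIRATION` would document the intent for later least-privilege reviews. Otherwise, consider passing only the scopes the setup flow actually uses. activate starts and ends outside this hunk, so how the token is consumed afterwards is not visible here.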