diff --git a/src/caas.js b/src/caas.js
index 381af5a86..b4aa87f6b 100644
--- a/src/caas.js
+++ b/src/caas.js
@@ -61,7 +61,7 @@ function verifySetupToken(setupToken, callback) {
     settings.getCaasConfig(function (error, caasConfig) {
         if (error) return callback(new CaasError(CaasError.INTERNAL_ERROR, error));
 
-        superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + caasConfig.boxId + '/setup/verify').query({ setupToken: setupToken })
+        superagent.get(config.apiServerOrigin() + '/api/v1/caas/boxes/' + caasConfig.boxId + '/setup/verify').query({ setupToken: setupToken })
             .timeout(30 * 1000)
             .end(function (error, result) {
                 if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, error));
@@ -82,7 +82,7 @@ function setupDone(setupToken, callback) {
         if (error) return callback(new CaasError(CaasError.INTERNAL_ERROR, error));
 
         // Now let the api server know we got activated
-        superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + caasConfig.boxId + '/setup/done').query({ setupToken: setupToken })
+        superagent.post(config.apiServerOrigin() + '/api/v1/caas/boxes/' + caasConfig.boxId + '/setup/done').query({ setupToken: setupToken })
             .timeout(30 * 1000)
             .end(function (error, result) {
                 if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, error));
@@ -105,7 +105,7 @@ function backupDone(apiConfig, backupId, appBackupIds, callback) {
 
     debug('[%s] backupDone: %s apps %j', backupId, backupId, appBackupIds);
 
-    var url = config.apiServerOrigin() + '/api/v1/boxes/' + apiConfig.fqdn + '/backupDone';
+    var url = config.apiServerOrigin() + '/api/v1/caas/boxes/' + apiConfig.fqdn + '/backupDone';
     var data = {
         boxVersion: config.version(),
         backupId: backupId,
@@ -128,7 +128,7 @@ function sendHeartbeat() {
     getCaasConfig(function (error, result) {
         if (error) return debug('Caas config missing', error);
 
-        var url = config.apiServerOrigin() + '/api/v1/boxes/' + result.boxId + '/heartbeat';
+        var url = config.apiServerOrigin() + '/api/v1/caas/boxes/' + result.boxId + '/heartbeat';
         superagent.post(url).query({ token: result.token, version: config.version() }).timeout(30 * 1000).end(function (error, result) {
             if (error && !error.response) debug('Network error sending heartbeat.', error);
             else if (result.statusCode !== 200) debug('Server responded to heartbeat with %s %s', result.statusCode, result.text);
@@ -145,7 +145,7 @@ function setPtrRecord(domain, callback) {
         if (error) return callback(error);
 
         superagent
-            .post(config.apiServerOrigin() + '/api/v1/boxes/' + result.boxId + '/ptr')
+            .post(config.apiServerOrigin() + '/api/v1/caas/boxes/' + result.boxId + '/ptr')
             .query({ token: result.token })
             .send({ domain: domain })
             .timeout(5 * 1000)
diff --git a/src/routes/test/caas-test.js b/src/routes/test/caas-test.js
index 879d76c73..47b3f59d8 100644
--- a/src/routes/test/caas-test.js
+++ b/src/routes/test/caas-test.js
@@ -61,8 +61,8 @@ function setup(done) {
         domains.add.bind(null, DOMAIN_0.domain, DOMAIN_0, AUDIT_SOURCE),
 
         function createAdmin(callback) {
-            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/BOX_ID/setup/verify?setupToken=somesetuptoken').reply(200, {});
-            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/BOX_ID/setup/done?setupToken=somesetuptoken').reply(201, {});
+            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/caas/boxes/BOX_ID/setup/verify?setupToken=somesetuptoken').reply(200, {});
+            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/caas/boxes/BOX_ID/setup/done?setupToken=somesetuptoken').reply(201, {});
 
             superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                 .query({ setupToken: 'somesetuptoken' })
@@ -116,7 +116,7 @@ describe('Caas', function () {
 
         // note that while the server itself returns 503, the cloudron gets activated. this is just the way it is
         it('fails due to internal server error on appstore side', function (done) {
-            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/BOX_ID/setup/verify?setupToken=somesetuptoken').reply(500, { message: 'this is wrong' });
+            var scope = nock(config.apiServerOrigin()).get('/api/v1/caas/boxes/BOX_ID/setup/verify?setupToken=somesetuptoken').reply(500, { message: 'this is wrong' });
 
             superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                 .query({ setupToken: 'somesetuptoken' })
@@ -129,8 +129,8 @@ describe('Caas', function () {
         });
 
         xit('succeeds', function (done) {
-            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/BOX_ID/setup/verify?setupToken=somesetuptoken').reply(200, {});
-            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/BOX_ID/setup/done?setupToken=somesetuptoken').reply(201, {});
+            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/caas/boxes/BOX_ID/setup/verify?setupToken=somesetuptoken').reply(200, {});
+            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/caas/boxes/BOX_ID/setup/done?setupToken=somesetuptoken').reply(201, {});
 
             superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                 .query({ setupToken: 'somesetuptoken' })
@@ -146,7 +146,7 @@ describe('Caas', function () {
     });
 
     describe('Backups API', function () {
-        var scope1 = nock(config.apiServerOrigin()).post('/api/v1/boxes/BOX_ID/awscredentials?token=BACKUP_TOKEN')
+        var scope1 = nock(config.apiServerOrigin()).post('/api/v1/caas/boxes/BOX_ID/awscredentials?token=BACKUP_TOKEN')
             .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey' } }, { 'Content-Type': 'application/json' });
 
         before(setup);
diff --git a/src/storage/s3.js b/src/storage/s3.js
index 173f62003..923749938 100644
--- a/src/storage/s3.js
+++ b/src/storage/s3.js
@@ -62,7 +62,7 @@ function getCaasConfig(apiConfig, callback) {
 
     debug('getCaasCredentials: getting new credentials');
 
-    var url = config.apiServerOrigin() + '/api/v1/boxes/' + apiConfig.fqdn + '/awscredentials';
+    var url = config.apiServerOrigin() + '/api/v1/caas/boxes/' + apiConfig.fqdn + '/awscredentials';
     superagent.post(url).query({ token: apiConfig.token }).timeout(30 * 1000).end(function (error, result) {
         if (error && !error.response) return callback(error);
         if (result.statusCode !== 201) return callback(new Error(result.text));
diff --git a/src/test/settings-test.js b/src/test/settings-test.js
index 40dcec80d..82171719e 100644
--- a/src/test/settings-test.js
+++ b/src/test/settings-test.js
@@ -100,7 +100,7 @@ describe('Settings', function () {
 
         it('can set backup config', function (done) {
             nock(config.apiServerOrigin())
-                .post(`/api/v1/boxes/${DOMAIN_0}/awscredentials?token=TOKEN`)
+                .post(`/api/v1/caas/boxes/${DOMAIN_0}/awscredentials?token=TOKEN`)
                 .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey', SessionToken: 'sessionToken' } });
 
             settings.setBackupConfig({ provider: 'caas', fqdn: DOMAIN_0, token: 'TOKEN', format: 'tgz', prefix: 'boxid', bucket: 'bucket' }, function (error) {