diff --git a/src/routes/cloudron.js b/src/routes/cloudron.js
index f0ad6408f..625cce876 100644
--- a/src/routes/cloudron.js
+++ b/src/routes/cloudron.js
@@ -45,10 +45,16 @@ let assert = require('assert'),
 function login(req, res, next) {
     assert.strictEqual(typeof req.user, 'object');
 
+    if ('type' in req.body && typeof req.body.type !== 'string') return next(new HttpError(400, 'type must be a string'));
+
+    const type = req.body.type || tokens.ID_WEBADMIN;
     const ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress || null;
     const auditSource = { authType: 'basic', ip: ip };
 
-    tokens.add(tokens.ID_WEBADMIN, req.user.id, Date.now() + constants.DEFAULT_TOKEN_EXPIRATION, {}, function (error, result) {
+    const error = tokens.validateTokenType(type);
+    if (error) return next(new HttpError(400, error.message));
+
+    tokens.add(type, req.user.id, Date.now() + constants.DEFAULT_TOKEN_EXPIRATION, {}, function (error, result) {
         if (error) return next(new HttpError(500, error));
 
         eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource, { userId: req.user.id, user: users.removePrivateFields(req.user) });
diff --git a/src/tokens.js b/src/tokens.js
index 15071792b..0d6a37982 100644
--- a/src/tokens.js
+++ b/src/tokens.js
@@ -6,6 +6,8 @@ exports = module.exports = {
     del: del,
     getAllByUserId: getAllByUserId,
 
+    validateTokenType: validateTokenType,
+
     // token client ids. we categorize them so we can have different restrictions based on the client
     ID_WEBADMIN: 'cid-webadmin', // dashboard oauth
     ID_SDK: 'cid-sdk', // created by user via dashboard
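Review bot: The audit event written on the eventlog.add line does not record which token type was issued, even though the new code lets the caller pick it through req.body.type; an operator reviewing a login entry cannot tell a dashboard token from a CLI or SDK one. Add the type to the event details, e.g. `{ userId: req.user.id, user: users.removePrivateFields(req.user), tokenType: type }`. The outer `const error = tokens.validateTokenType(type);` is also shadowed by the `error` parameter of the tokens.add callback a few lines later, which reads confusingly; renaming it to `const typeError` avoids that. If req.body can be absent on this route, `'type' in req.body` would throw a TypeError instead of yielding the intended 400, so it is worth confirming a body parser always runs first. login's body continues past the hunk.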
@@ -26,6 +28,15 @@ function validateTokenName(name) {
     return null;
 }
 
+function validateTokenType(type) {
+    assert.strictEqual(typeof name, 'string');
+
+    const types = [ exports.ID_WEBADMIN, exports.ID_CLI, exports.ID_SDK ];
+    if (types.indexOf(type) === -1) return BoxError(BoxError.BAD_FIELD, `type must be one of ${types.join(',')}`);
+
+    return null;
+}
+
 function add(clientId, userId, expiresAt, options, callback) {
     assert.strictEqual(typeof clientId, 'string');
     assert.strictEqual(typeof userId, 'string');
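Review bot: The assertion on the first line of validateTokenType checks `typeof name`, but the parameter is `type`; unless a module-scope `name` happens to exist, the call throws a ReferenceError (and if one does exist, the assertion checks the wrong value), so every login that reaches the new validation path fails before the allow-list is consulted. It should read `assert.strictEqual(typeof type, 'string');`. The allow-list check that follows is the right shape for constraining caller-chosen token types; `exports.ID_CLI` is not visible in the exports hunk above, so confirm it is defined there, otherwise the list silently contains `undefined` and the error message advertises a bogus value.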