diff --git a/src/routes/test/cloudron-test.js b/src/routes/test/cloudron-test.js
index d76803f8d..568790d01 100644
--- a/src/routes/test/cloudron-test.js
+++ b/src/routes/test/cloudron-test.js
@@ -167,7 +167,7 @@ describe('Cloudron', function () {
                             userId_1 = result.body.id;
 
                             // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-                            tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, accesscontrol.SCOPE_ANY, callback);
+                            tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, 'cloudron', callback);
                         });
                 }
             ], done);
diff --git a/src/routes/test/groups-test.js b/src/routes/test/groups-test.js
index 6ca84662f..bb0d1abb2 100644
--- a/src/routes/test/groups-test.js
+++ b/src/routes/test/groups-test.js
@@ -322,7 +322,7 @@ describe('Groups API', function () {
                     token_1 = tokendb.generateToken();
 
                     // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-                    tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, accesscontrol.SCOPE_ANY, done);
+                    tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, 'users', done);
                 });
         });
 
diff --git a/src/routes/test/profile-test.js b/src/routes/test/profile-test.js
index 70fc6327c..b9e62f233 100644
--- a/src/routes/test/profile-test.js
+++ b/src/routes/test/profile-test.js
@@ -117,7 +117,7 @@ describe('Profile API', function () {
             var token = tokendb.generateToken();
             var expires = Date.now() - 2000; // 1 sec
 
-            tokendb.add(token, user_0.id, null, expires, accesscontrol.SCOPE_ANY, function (error) {
+            tokendb.add(token, user_0.id, null, expires, 'profile', function (error) {
                 expect(error).to.not.be.ok();
 
                 superagent.get(SERVER_URL + '/api/v1/profile').query({ access_token: token }).end(function (error, result) {
diff --git a/src/routes/test/user-test.js b/src/routes/test/user-test.js
index f0ea3a50b..235a80e4b 100644
--- a/src/routes/test/user-test.js
+++ b/src/routes/test/user-test.js
@@ -79,7 +79,7 @@ describe('User test', function () {
                             userId_1 = result.body.id;
 
                             // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-                            tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, accesscontrol.SCOPE_ANY, callback);
+                            tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, 'profile', callback);
                         });
                 }
             ], done);
diff --git a/src/setup.js b/src/setup.js
index 2dd8ee973..bb361b883 100644
--- a/src/setup.js
+++ b/src/setup.js
@@ -11,7 +11,8 @@ exports = module.exports = {
     SetupError: SetupError
 };
 
-var assert = require('assert'),
+var accesscontrol = require('./accesscontrol.js'),
+    assert = require('assert'),
     async = require('async'),
     backups = require('./backups.js'),
     BackupsError = require('./backups.js').BackupsError,
@@ -252,7 +253,7 @@ function activate(username, password, email, displayName, ip, auditSource, callb
             var token = tokendb.generateToken();
             var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
 
-            tokendb.add(token, userObject.id, result.id, expires, result.scope, function (error) {
+            tokendb.add(token, userObject.id, result.id, expires, accesscontrol.canonicalScopeString(result.scope), function (error) {
                 if (error) return callback(new SetupError(SetupError.INTERNAL_ERROR, error));
 
                 eventlog.add(eventlog.ACTION_ACTIVATE, auditSource, { });
diff --git a/src/test/database-test.js b/src/test/database-test.js
index f12ef58e9..92fde4b1d 100644
--- a/src/test/database-test.js
+++ b/src/test/database-test.js
@@ -547,21 +547,21 @@ describe('database', function () {
             identifier: '0',
             clientId: 'clientid-0',
             expires: Date.now() + 60 * 60000,
-            scope: '*'
+            scope: 'clients'
         };
         var TOKEN_1 = {
             accessToken: tokendb.generateToken(),
             identifier: '1',
             clientId: 'clientid-1',
             expires: Number.MAX_SAFE_INTEGER,
-            scope: '*'
+            scope: 'settings'
         };
         var TOKEN_2 = {
             accessToken: tokendb.generateToken(),
             identifier: '2',
             clientId: 'clientid-2',
             expires: Date.now(),
-            scope: '*'
+            scope: 'apps'
         };
 
         it('add fails due to missing arguments', function () {
diff --git a/src/test/janitor-test.js b/src/test/janitor-test.js
index 91fa2ffde..19cbfb21a 100644
--- a/src/test/janitor-test.js
+++ b/src/test/janitor-test.js
@@ -33,14 +33,14 @@ describe('janitor', function () {
         identifier: '0',
         clientId: 'clientid-0',
         expires: Date.now() + 60 * 60 * 1000,
-        scope: '*'
+        scope: 'settings'
     };
     var TOKEN_1 = {
         accessToken: tokendb.generateToken(),
         identifier: '1',
         clientId: 'clientid-1',
         expires: Date.now() - 1000,
-        scope: '*',
+        scope: 'apps',
     };
 
     before(function (done) {