diff --git a/setup/start.sh b/setup/start.sh
index c0d07950e..2e7237530 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -192,12 +192,11 @@ fi
 # The domain might have changed, therefor we have to update the record
 # !!! This needs to be in sync with the webadmin, specifically login_callback.js
 echo "Add webadmin oauth cient"
-ADMIN_SCOPES="root,developer,profile,users,apps,settings"
+readonly ADMIN_SCOPES="cloudron,developer,profile,users,apps,settings"
 mysql -u root -p${mysql_root_password} \
     -e "REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (\"cid-webadmin\", \"webadmin\", \"admin\", \"secret-webadmin\", \"${admin_origin}\", \"${ADMIN_SCOPES}\")" box
 
 echo "Add localhost test oauth client"
-ADMIN_SCOPES="root,developer,profile,users,apps,settings"
 mysql -u root -p${mysql_root_password} \
     -e "REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (\"cid-test\", \"test\", \"test\", \"secret-test\", \"http://127.0.0.1:5000\", \"${ADMIN_SCOPES}\")" box
 
diff --git a/src/clients.js b/src/clients.js
index 1da6c0497..50c8f263c 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -10,6 +10,7 @@ exports = module.exports = {
     getClientTokensByUserId: getClientTokensByUserId,
     delClientTokensByUserId: delClientTokensByUserId,
 
+    // keep this in sync with start.sh ADMIN_SCOPES that generates the cid-webadmin
     SCOPE_APPS: 'apps',
     SCOPE_DEVELOPER: 'developer',
     SCOPE_PROFILE: 'profile',
diff --git a/src/test/setupTest b/src/test/setupTest
index c766e233c..6f5b07a70 100755
--- a/src/test/setupTest
+++ b/src/test/setupTest
@@ -16,7 +16,7 @@ mkdir -p data/appdata data/box/appicons data/mail data/nginx/cert data/nginx/app
 # put cert
 openssl req -x509 -newkey rsa:1024 -keyout data/nginx/cert/host.key -out data/nginx/cert/host.cert -days 3650 -subj '/CN=localhost' -nodes
 
-webadmin_scopes="root,profile,users,apps,settings"
+webadmin_scopes="cloudron,profile,users,apps,settings"
 webadmin_origin="https://${ADMIN_LOCATION}-localhost"
 mysql --user=root --password="" \
     -e "REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (\"cid-webadmin\", \"webadmin\", \"admin\", \"secret-webadmin\", \"${webadmin_origin}\", \"${webadmin_scopes}\")" boxtest