diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 1ab236de8..783f90919 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -21,17 +21,15 @@ exports = module.exports = {
 validateScopeString: validateScopeString,
 hasScopes: hasScopes,
 intersectScopes: intersectScopes,
- canonicalScope: canonicalScope
+ canonicalScopeString: canonicalScopeString
 };
 var assert = require('assert'),
 debug = require('debug')('box:accesscontrol'),
 _ = require('underscore');
-function canonicalScope(scope) {
- var scopes = scope.split(',');
- scopes = scopes.map(function (s) { return s.replace(exports.SCOPE_ANY, exports.VALID_SCOPES.join(',')); });
- return scopes.join(',');
+function canonicalScopeString(scope) {
+ return scope === exports.SCOPE_ANY ? exports.VALID_SCOPES.join(',') : scope;
 }
 function intersectScopes(allowedScopes, wantedScopes) {
diff --git a/src/clients.js b/src/clients.js
index cbcdf06f6..c15ce6ce5 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -253,7 +253,7 @@ function addTokenByUserId(clientId, userId, expiresAt, callback) {
 if (error) return callback(error);
 var token = tokendb.generateToken();
- var scope = accesscontrol.canonicalScope(result.scope);
+ var scope = accesscontrol.canonicalScopeString(result.scope);
 tokendb.add(token, userId, result.id, expiresAt, scope, function (error) {
 if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 0244a937f..264f03f72 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -97,7 +97,7 @@ function initialize() {
 var token = tokendb.generateToken();
 var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
- var scope = accesscontrol.canonicalScope(client.scope);
+ var scope = accesscontrol.canonicalScopeString(client.scope);
 tokendb.add(token, authCode.userId, authCode.clientId, expires, scope, function (error) {
 if (error) return callback(error);
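Review bot: canonicalScopeString now expands only a scope string that is exactly SCOPE_ANY, so a list such as `foo,bar,*` is handed to tokendb.add verbatim at the call sites in clients.js (addTokenByUserId) and both oauth2.js hunks, where the old version expanded the `*` element in place. Whether hasScopes later treats a `*` element inside a stored list as a wildcard is not visible here, so the persisted token either silently loses the intended grant or carries an unexpanded wildcard next to explicit scopes; neither should be left implicit for a value that gates authorization. If mixed lists are meant to be invalid, validateScopeString should reject them so the assumption holds at the input boundary; in any case the new function deserves a comment stating the contract, e.g. `// Only a bare SCOPE_ANY is expanded; a '*' element inside a comma-separated list is returned unchanged and must be rejected by validateScopeString.` The enclosing object literal and the functions around canonicalScopeString are fully visible in this hunk; the call-site hunks are cut from their enclosing functions.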
@@ -116,7 +116,7 @@ function initialize() {
 var token = tokendb.generateToken();
 var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
- var scope = accesscontrol.canonicalScope(client.scope);
+ var scope = accesscontrol.canonicalScopeString(client.scope);
 tokendb.add(token, user.id, client.id, expires, scope, function (error) {
 if (error) return callback(error);
diff --git a/src/test/accesscontrol-test.js b/src/test/accesscontrol-test.js
index 8f674b7a2..b2fa7aca7 100644
--- a/src/test/accesscontrol-test.js
+++ b/src/test/accesscontrol-test.js
@@ -10,13 +10,17 @@ var accesscontrol = require('../accesscontrol.js'),
 expect = require('expect.js');
 describe('access control', function () {
- describe('canonicalScope', function () {
+ describe('canonicalScopeString', function () {
 it('only * scope', function () {
- expect(accesscontrol.canonicalScope('*')).to.be(accesscontrol.VALID_SCOPES.join(','));
+ expect(accesscontrol.canonicalScopeString('*')).to.be(accesscontrol.VALID_SCOPES.join(','));
 });
- it('* in the middle', function () {
- expect(accesscontrol.canonicalScope('foo,bar,*')).to.be('foo,bar,' + accesscontrol.VALID_SCOPES.join(','));
+ it('identity for non-*', function () {
+ expect(accesscontrol.canonicalScopeString('foo,bar')).to.be('foo,bar');
+ });
+
+ it('* is not expanded otherwise', function () {
+ expect(accesscontrol.canonicalScopeString('foo,bar,*')).to.be('foo,bar,*');
 });
 });
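Review bot: The `only * scope` expectation in the accesscontrol-test.js hunk recomputes `accesscontrol.VALID_SCOPES.join(',')`, the same expression the implementation uses, so it passes even if VALID_SCOPES itself changes; for the value that defines what a `*` client may do, the test should pin the concrete expected scope list (a literal string) so an accidental addition to VALID_SCOPES is caught. The new `* is not expanded otherwise` case documents pass-through of `foo,bar,*` but nothing in this hunk asserts how such a mixed string is treated downstream; a companion expectation on validateScopeString or hasScopes would make the intended contract explicit, though their behavior is not visible here.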