diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index fe63df851..e32a5c997 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -12,8 +12,7 @@ exports = module.exports = {
     SCOPE_SETTINGS: 'settings',
     SCOPE_USERS_READ: 'users:read',
     SCOPE_USERS_MANAGE: 'users:manage',
-    SCOPE_APPSTORE: 'appstore',
-    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted
+    VALID_SCOPES: [ 'apps', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted
 
     SCOPE_ANY: '*',
 
diff --git a/src/routes/settings.js b/src/routes/settings.js
index e7b7dea68..c2ee807ee 100644
--- a/src/routes/settings.js
+++ b/src/routes/settings.js
@@ -269,6 +269,7 @@ function get(req, res, next) {
     case settings.DYNAMIC_DNS_KEY: return getDynamicDnsConfig(req, res, next);
     case settings.BACKUP_CONFIG_KEY: return getBackupConfig(req, res, next);
     case settings.PLATFORM_CONFIG_KEY: return getPlatformConfig(req, res, next);
+    case settings.APPSTORE_CONFIG_KEY: return getAppstoreConfig(req, res, next);
 
     case settings.APP_AUTOUPDATE_PATTERN_KEY: return getAppAutoupdatePattern(req, res, next);
     case settings.BOX_AUTOUPDATE_PATTERN_KEY: return getBoxAutoupdatePattern(req, res, next);
@@ -288,6 +289,7 @@ function set(req, res, next) {
     case settings.DYNAMIC_DNS_KEY: return setDynamicDnsConfig(req, res, next);
     case settings.BACKUP_CONFIG_KEY: return setBackupConfig(req, res, next);
     case settings.PLATFORM_CONFIG_KEY: return setPlatformConfig(req, res, next);
+    case settings.APPSTORE_CONFIG_KEY: return setAppstoreConfig(req, res, next);
 
     case settings.APP_AUTOUPDATE_PATTERN_KEY: return setAppAutoupdatePattern(req, res, next);
     case settings.BOX_AUTOUPDATE_PATTERN_KEY: return setBoxAutoupdatePattern(req, res, next);
diff --git a/src/server.js b/src/server.js
index 281144a01..3c90adb8c 100644
--- a/src/server.js
+++ b/src/server.js
@@ -100,7 +100,6 @@ function initializeExpressSync() {
     var clientsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_CLIENTS);
     var domainsReadScope = routes.accesscontrol.scope(accesscontrol.SCOPE_DOMAINS_READ);
     var domainsManageScope = routes.accesscontrol.scope(accesscontrol.SCOPE_DOMAINS_MANAGE);
-    var appstoreScope = routes.accesscontrol.scope(accesscontrol.SCOPE_APPSTORE);
 
     const isUnmanaged = routes.accesscontrol.isUnmanaged;
     const verifyDomainLock = routes.domains.verifyDomainLock;
@@ -237,8 +236,6 @@ function initializeExpressSync() {
     // settings routes (these are for the settings tab - avatar & name have public routes for normal users. see above)
     router.get('/api/v1/settings/cloudron_avatar', settingsScope, routes.settings.getCloudronAvatar);
     router.post('/api/v1/settings/cloudron_avatar', settingsScope, multipart, routes.settings.setCloudronAvatar);
-    router.get ('/api/v1/settings/appstore_config', appstoreScope, routes.settings.getAppstoreConfig);
-    router.post('/api/v1/settings/appstore_config', appstoreScope, routes.settings.setAppstoreConfig);
 
     router.get ('/api/v1/settings/:setting', settingsScope, routes.settings.get);
     router.post('/api/v1/settings/:setting', settingsScope, routes.settings.set);