diff --git a/src/clients.js b/src/clients.js
index e559c18c6..0cf8d22b2 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -24,6 +24,7 @@ exports = module.exports = {
 SCOPE_SETTINGS: 'settings',
 SCOPE_USERS: 'users',
 SCOPE_MAIL: 'mail',
+ SCOPE_CLIENTS: 'clients',
 // roles are handled just like the above scopes, they are parallel to scopes
 // scopes enclose API groups, roles specify the usage role
@@ -96,6 +97,7 @@ function validateScope(scope) {
 exports.SCOPE_SETTINGS,
 exports.SCOPE_USERS,
 exports.SCOPE_MAIL,
+ exports.SCOPE_CLIENTS,
 '*', // includes all scopes, but not roles
 exports.SCOPE_ROLE_SDK
 ];
diff --git a/src/server.js b/src/server.js
index 9d12e1f53..a73f3ebe1 100644
--- a/src/server.js
+++ b/src/server.js
@@ -96,6 +96,7 @@ function initializeExpressSync() {
 var appsScope = routes.oauth2.scope(clients.SCOPE_APPS);
 var settingsScope = routes.oauth2.scope(clients.SCOPE_SETTINGS);
 var mailScope = routes.oauth2.scope(clients.SCOPE_MAIL);
+ var clientsScope = routes.oauth2.scope(clients.SCOPE_CLIENTS);
 // csrf protection
 var csrf = routes.oauth2.csrf;
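Review bot: `SCOPE_CLIENTS` is added to the exports object in src/clients.js without a comment saying what it guards, although the server.js part of this commit puts all OAuth client and token management behind it. I would document that on the constant, e.g. `SCOPE_CLIENTS: 'clients', // manage OAuth clients and the tokens issued for them`. The same one-line explanation would help at the new `exports.SCOPE_CLIENTS` entry in the `validateScope` list (second hunk), whose function body starts and ends outside the hunk.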
@@ -168,15 +169,16 @@ function initializeExpressSync() {
 // oauth2 routes
 router.get ('/api/v1/oauth/dialog/authorize', routes.oauth2.authorization);
 router.post('/api/v1/oauth/token', routes.oauth2.token);
- router.get ('/api/v1/oauth/clients', settingsScope, routes.clients.getAll);
- router.post('/api/v1/oauth/clients', settingsScope, routes.clients.add);
- router.get ('/api/v1/oauth/clients/:clientId', settingsScope, routes.clients.get);
- router.post('/api/v1/oauth/clients/:clientId', settingsScope, routes.clients.add);
- router.del ('/api/v1/oauth/clients/:clientId', settingsScope, routes.clients.del);
- router.get ('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.getTokens);
- router.post('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.addToken);
- router.del ('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.delTokens);
- router.del ('/api/v1/oauth/clients/:clientId/tokens/:tokenId', settingsScope, routes.clients.delToken);
+
+ router.get ('/api/v1/oauth/clients', clientsScope, routes.clients.getAll);
+ router.post('/api/v1/oauth/clients', clientsScope, routes.clients.add);
+ router.get ('/api/v1/oauth/clients/:clientId', clientsScope, routes.clients.get);
+ router.post('/api/v1/oauth/clients/:clientId', clientsScope, routes.clients.add);
+ router.del ('/api/v1/oauth/clients/:clientId', clientsScope, routes.clients.del);
+ router.get ('/api/v1/oauth/clients/:clientId/tokens', clientsScope, routes.clients.getTokens);
+ router.post('/api/v1/oauth/clients/:clientId/tokens', clientsScope, routes.clients.addToken);
+ router.del ('/api/v1/oauth/clients/:clientId/tokens', clientsScope, routes.clients.delTokens);
+ router.del ('/api/v1/oauth/clients/:clientId/tokens/:tokenId', clientsScope, routes.clients.delToken);
 // app routes
 router.get ('/api/v1/apps', appsScope, routes.apps.getApps);
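Review bot: All nine `/api/v1/oauth/clients` routes now accept a token that carries only `clients`, including `routes.clients.add` and `routes.clients.addToken`, and nothing visible in this hunk limits the scope of the client or token those handlers create. `validateScope` in src/clients.js accepts `'*'`, so unless the handlers (not shown) clamp the requested scope to what the caller already holds, a `clients`-only token can presumably be traded for a broader one; that check belongs in the handlers, backed by a test that a `clients`-scoped caller is refused when it asks for `*`. Separately, tokens issued with `settings` but without `*` would lose access to these routes after this change, which looks intended but deserves a line in the commit message or changelog. `initializeExpressSync` starts and ends outside the hunk.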