diff --git a/src/routes/test/tokens-test.js b/src/routes/test/tokens-test.js
index 76e28c7b8..6114d87b1 100644
--- a/src/routes/test/tokens-test.js
+++ b/src/routes/test/tokens-test.js
@@ -15,7 +15,7 @@ describe('Tokens API', function () {
 before(setup);
 after(cleanup);
- let token;
+ let token, readOnlyToken;
 it('cannot create token with bad name', async function () {
 const response = await superagent.post(`${serverUrl}/api/v1/tokens`)
@@ -35,13 +35,42 @@ describe('Tokens API', function () {
 token = response.body;
 });
+ it('can create read-only token', async function () {
+ const response = await superagent.post(`${serverUrl}/api/v1/tokens`)
+ .query({ access_token: owner.token })
+ .send({ name: 'mytoken1', scope: { '*': 'r' }});
+
+ expect(response.status).to.equal(201);
+ expect(response.body).to.be.a('object');
+ readOnlyToken = response.body;
+ });
+
+ it('cannot create read-only token with invalid scope', async function () {
+ const response = await superagent.post(`${serverUrl}/api/v1/tokens`)
+ .query({ access_token: owner.token })
+ .send({ name: 'mytoken1', scope: { 'foobar': 'rw' }})
+ .ok(() => true);
+
+ expect(response.status).to.equal(400);
+ });
+
 it('can list tokens', async function () {
 const response = await superagent.get(`${serverUrl}/api/v1/tokens`)
 .query({ access_token: owner.token });
 expect(response.statusCode).to.equal(200);
- expect(response.body.tokens.length).to.be(2); // one is owner token on activation
+ expect(response.body.tokens.length).to.be(3); // one is owner token on activation
 const tokenIds = response.body.tokens.map(t => t.id);
 expect(tokenIds).to.contain(token.id);
+ expect(tokenIds).to.contain(readOnlyToken.id);
+ });
+
+ it('cannot create applink with read only token', async function () {
+ const response = await superagent.post(`${serverUrl}/api/v1/applinks`)
+ .query({ access_token: readOnlyToken.accessToken })
+ .send({ upstreamUri: 'https://cloudron.io' })
+ .ok(() => true);
+
+ expect(response.status).to.equal(403);
 });
 it('cannot get non-existent token', async function () {
diff --git a/src/server.js b/src/server.js
index 8ec5a2e61..6be8f6ea8 100644
--- a/src/server.js
+++ b/src/server.js
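Review bot: The read-only token is exercised only on the deny path (`403` on POST /api/v1/applinks); nothing asserts that the same token is still accepted for a read, so a scope check that rejects scoped tokens outright would pass this suite unchanged. A positive case that lists tokens with `readOnlyToken.accessToken` and expects 200, placed before the applink test, would pin both halves of the `'*': 'r'` contract. The invalid-scope case only covers an unknown resource key (`'foobar'`); an unknown permission value such as `{ '*': 'x' }` is presumably rejected with 400 as well and is worth a second request in that test. Minor style point: the added tests read `response.status` while the neighbouring `can list tokens` test reads `response.statusCode`; one spelling should be used throughout. The enclosing `describe` block starts and ends outside this hunk.
```javascript
    // … unchanged: 'can list tokens' test …

    it('can list tokens with read-only token', async function () {
        const response = await superagent.get(`${serverUrl}/api/v1/tokens`)
            .query({ access_token: readOnlyToken.accessToken });

        expect(response.status).to.equal(200);
    });

    // … unchanged: 'cannot create applink with read only token' test …
```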
@@ -164,7 +164,7 @@ function initializeExpressSync() {
 router.get ('/api/v1/app_passwords/:id', token, routes.appPasswords.get);
 router.del ('/api/v1/app_passwords/:id', token, routes.appPasswords.del);
- // access tokenss
+ // access tokens
 router.get ('/api/v1/tokens', token, routes.tokens.list);
 router.post('/api/v1/tokens', json, token, routes.tokens.add);
 router.get ('/api/v1/tokens/:id', token, routes.tokens.verifyOwnership, routes.tokens.get);