diff --git a/src/clients.js b/src/clients.js
index ac2abc806..1da6c0497 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -13,7 +13,7 @@ exports = module.exports = {
     SCOPE_APPS: 'apps',
     SCOPE_DEVELOPER: 'developer',
     SCOPE_PROFILE: 'profile',
-    SCOPE_ROOT: 'root',
+    SCOPE_CLOUDRON: 'cloudron',
     SCOPE_SETTINGS: 'settings',
     SCOPE_USERS: 'users'
 };
@@ -58,7 +58,7 @@ function validateScope(scope) {
         exports.SCOPE_APPS,
         exports.SCOPE_DEVELOPER,
         exports.SCOPE_PROFILE,
-        exports.SCOPE_ROOT,
+        exports.SCOPE_CLOUDRON,
         exports.SCOPE_SETTINGS,
         exports.SCOPE_USERS
     ];
diff --git a/src/server.js b/src/server.js
index 2d24a3882..f746747d4 100644
--- a/src/server.js
+++ b/src/server.js
@@ -69,7 +69,7 @@ function initializeExpressSync() {
     var multipart = middleware.multipart({ maxFieldsSize: FIELD_LIMIT, limit: FILE_SIZE_LIMIT, timeout: FILE_TIMEOUT });
 
     // scope middleware implicitly also adds bearer token verification
-    var rootScope = routes.oauth2.scope(clients.SCOPE_ROOT);
+    var cloudronScope = routes.oauth2.scope(clients.SCOPE_CLOUDRON);
     var profileScope = routes.oauth2.scope(clients.SCOPE_PROFILE);
     var usersScope = routes.oauth2.scope(clients.SCOPE_USERS);
     var appsScope = routes.oauth2.scope(clients.SCOPE_APPS);
@@ -91,11 +91,11 @@ function initializeExpressSync() {
     router.post('/api/v1/developer/login', routes.developer.enabled, routes.developer.login);
     router.get ('/api/v1/developer/apps', developerScope, routes.developer.enabled, routes.developer.apps);
 
-    // private routes
-    router.get ('/api/v1/cloudron/config', rootScope, routes.cloudron.getConfig);
-    router.post('/api/v1/cloudron/update', rootScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.cloudron.update);
-    router.post('/api/v1/cloudron/reboot', rootScope, routes.cloudron.reboot);
-    router.get ('/api/v1/cloudron/graphs', rootScope, routes.graphs.getGraphs);
+    // cloudron routes
+    router.get ('/api/v1/cloudron/config', cloudronScope, routes.cloudron.getConfig);
+    router.post('/api/v1/cloudron/update', cloudronScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.cloudron.update);
+    router.post('/api/v1/cloudron/reboot', cloudronScope, routes.cloudron.reboot);
+    router.get ('/api/v1/cloudron/graphs', cloudronScope, routes.graphs.getGraphs);
 
     // feedback
     router.post('/api/v1/cloudron/feedback', usersScope, routes.cloudron.feedback);