diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index ab96261aa..49b6a31a5 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -106,8 +106,11 @@ function accessTokenAuth(accessToken, callback) {
 // scopes here can define what capabilities that token carries
 // passport put the 'info' object into req.authInfo, where we can further validate the scopes
- var scope = accesscontrol.intersectScope(user.scope, token.scope);
- var info = { scope: scope, clientId: token.clientId };
+ const userScope = user.admin ? '*' : 'profile';
+ var scope = accesscontrol.intersectScope(userScope, token.scope);
+ // these clients do not require password checks unlike UI
+ const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli';
+ var info = { scope: scope, skipPasswordVerification: skipPasswordVerification };
 callback(null, user, info);
 });
diff --git a/src/routes/users.js b/src/routes/users.js
index 2d3bae185..3ab3302ff 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -121,8 +121,7 @@ function remove(req, res, next) {
 function verifyPassword(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
- // using an 'sdk' token we skip password checks
- if (req.authInfo.clientId === 'cid-sdk' || req.authInfo.clientId === 'cid-cli') return next();
+ if (req.authInfo.skipPasswordVerification) return next(); // using an 'sdk' token we skip password checks
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
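Review bot: The new `info` object in accessTokenAuth drops `clientId`, which the old line exported to `req.authInfo`; the users.js reader is updated in this commit, but any other route middleware that inspects `req.authInfo.clientId` for authorization decisions would now see `undefined` without any error, and this diff cannot show whether such readers exist. Keeping the field is backward-compatible and costs nothing: `var info = { scope: scope, clientId: token.clientId, skipPasswordVerification: skipPasswordVerification };`. The two client ids that bypass password re-verification are now string literals inside the auth callback; since this is the single point that decides whether a token may skip password checks, lifting them into a named module-level constant (e.g. a frozen array with a comment stating why these clients are exempt) would make the exemption list auditable. accessTokenAuth begins outside the hunk, so the origin of `user` and `token` is not visible here.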
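Review bot: The bypass in verifyPassword is gated on a truthiness check of `req.authInfo.skipPasswordVerification`; because this branch waives the password requirement, it should only fire on the explicit boolean that accessTokenAuth sets, so any other value that ends up on `req.authInfo` (a string, a non-empty object from another passport strategy) falls through to the password check rather than skipping it. Suggested line: `if (req.authInfo.skipPasswordVerification === true) return next(); // token issued to a client exempt from password re-verification (see accessTokenAuth)`. The retained trailing comment still says "using an 'sdk' token", which no longer describes the condition now that the decision is made in accesscontrol.js; the comment above also updates it. The undefined-`req.authInfo` case (a request that reached this middleware via a non-bearer strategy) would throw a TypeError exactly as the removed line did, so it is not a regression, but worth noting if this middleware is ever mounted on a session-authenticated route. verifyPassword continues past the end of the hunk.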