diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 507569409..528647756 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -2,7 +2,6 @@
 exports = module.exports = {
     ROLE_ADMIN: 'admin',
-    ROLE_USER: 'user',
     verifyToken: verifyToken,
     hasRole: hasRole
@@ -17,7 +16,6 @@ function hasRole(user, requiredRole) {
     assert.strictEqual(typeof user, 'object');
     assert.strictEqual(typeof requiredRole, 'string');
-    if (requiredRole === exports.ROLE_USER) return null;
     if (requiredRole === exports.ROLE_ADMIN && user.admin) return null;
     return new BoxError(BoxError.ACCESS_DENIED, 'Not allowed');
diff --git a/src/server.js b/src/server.js
index b30cb8e3c..5d5a589c0 100644
--- a/src/server.js
+++ b/src/server.js
@@ -80,7 +80,6 @@ function initializeExpressSync() {
     const password = routes.accesscontrol.passwordAuth;
     const token = routes.accesscontrol.tokenAuth;
     const authorizeAdmin = routes.accesscontrol.authorize(accesscontrol.ROLE_ADMIN);
-    const authorizeUser = routes.accesscontrol.authorize(accesscontrol.ROLE_USER);
     // public routes
     router.post('/api/v1/cloudron/setup', routes.provision.providerTokenAuth, routes.provision.setup); // only available until no-domain
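Review bot: Removing the exported `ROLE_USER` constant in the @@ -2,7 hunk turns any surviving `accesscontrol.ROLE_USER` reference elsewhere into `undefined`, and `hasRole` in the @@ -17,7 hunk would then trip `assert.strictEqual(typeof requiredRole, 'string')` on the first request rather than at startup; the server.js hunks in this diff clean up the router, but routes/accesscontrol.js and the tests are not shown, so that is worth confirming. With the ROLE_USER shortcut gone, hasRole only ever grants ROLE_ADMIN and denies every other role string, which is the fail-closed default one wants, and I would record it above the function: `// Only ROLE_ADMIN is a real role now: any other requiredRole is denied, so routes open to every authenticated user must rely on the token middleware alone.` Unrelated to this change but visible in the context lines, `typeof user === 'object'` also accepts `null`, so a null user would throw on `user.admin` instead of returning ACCESS_DENIED. The rest of hasRole lies outside the hunk.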
@@ -127,9 +126,9 @@ function initializeExpressSync() {
     router.post('/api/v1/tasks/:taskId/stop', token, authorizeAdmin, routes.tasks.stopTask);
     // notifications
-    router.get ('/api/v1/notifications', token, authorizeUser, routes.notifications.verifyOwnership, routes.notifications.list);
-    router.get ('/api/v1/notifications/:notificationId', token, authorizeUser, routes.notifications.verifyOwnership, routes.notifications.get);
-    router.post('/api/v1/notifications/:notificationId', token, authorizeUser, routes.notifications.verifyOwnership, routes.notifications.ack);
+    router.get ('/api/v1/notifications', token, routes.notifications.verifyOwnership, routes.notifications.list);
+    router.get ('/api/v1/notifications/:notificationId', token, routes.notifications.verifyOwnership, routes.notifications.get);
+    router.post('/api/v1/notifications/:notificationId', token, routes.notifications.verifyOwnership, routes.notifications.ack);
     // backups
     router.get ('/api/v1/backups', token, authorizeAdmin, routes.backups.list);
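Review bot: Dropping `authorizeUser` from the notifications routes leaves `token` as the only gate, which is behaviour-preserving only if `routes.accesscontrol.authorize(ROLE_USER)` did nothing beyond calling `hasRole` — the removed branch in accesscontrol.js returned null unconditionally for ROLE_USER, so that middleware never denied anyone, but the authorize implementation is not in this diff, and if it also enforced something like a token scope these routes silently lose that check. The same applies to the @@ -137,29, @@ -188,9 and @@ -269,7 hunks, where `/api/v1/config`, profile, app password, token, app and domain listing routes are now reachable by any bearer of a valid token. The per-resource checks (`verifyOwnership`, `verifyPassword`) remain in the chain, which is what actually separates one user from another here. I would make the intent explicit at the top of each such group: `// any authenticated user: the token middleware is the only access check, per-resource ownership checks follow`. initializeExpressSync begins and ends outside the hunk.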
@@ -137,29 +136,29 @@ function initializeExpressSync() {
     router.post('/api/v1/backups/cleanup', token, authorizeAdmin, routes.backups.cleanup);
     // config route (for dashboard)
-    router.get ('/api/v1/config', token, authorizeUser, routes.cloudron.getConfig);
+    router.get ('/api/v1/config', token, routes.cloudron.getConfig);
     // working off the user behind the provided token
-    router.get ('/api/v1/profile', token, authorizeUser, routes.profile.get);
-    router.post('/api/v1/profile', token, authorizeUser, routes.profile.update);
+    router.get ('/api/v1/profile', token, routes.profile.get);
+    router.post('/api/v1/profile', token, routes.profile.update);
     router.get ('/api/v1/profile/avatar/:identifier', routes.profile.getAvatar); // this is not scoped so it can used directly in img tag
-    router.post('/api/v1/profile/avatar', token, authorizeUser, multipart, routes.profile.setAvatar);
-    router.del ('/api/v1/profile/avatar', token, authorizeUser, routes.profile.clearAvatar);
-    router.post('/api/v1/profile/password', token, authorizeUser, routes.users.verifyPassword, routes.profile.changePassword);
-    router.post('/api/v1/profile/twofactorauthentication', token, authorizeUser, routes.profile.setTwoFactorAuthenticationSecret);
-    router.post('/api/v1/profile/twofactorauthentication/enable', token, authorizeUser, routes.profile.enableTwoFactorAuthentication);
-    router.post('/api/v1/profile/twofactorauthentication/disable', token, authorizeUser, routes.users.verifyPassword, routes.profile.disableTwoFactorAuthentication);
+    router.post('/api/v1/profile/avatar', token, multipart, routes.profile.setAvatar);
+    router.del ('/api/v1/profile/avatar', token, routes.profile.clearAvatar);
+    router.post('/api/v1/profile/password', token, routes.users.verifyPassword, routes.profile.changePassword);
+    router.post('/api/v1/profile/twofactorauthentication', token, routes.profile.setTwoFactorAuthenticationSecret);
+    router.post('/api/v1/profile/twofactorauthentication/enable', token, routes.profile.enableTwoFactorAuthentication);
+    router.post('/api/v1/profile/twofactorauthentication/disable', token, routes.users.verifyPassword, routes.profile.disableTwoFactorAuthentication);
-    router.get ('/api/v1/app_passwords', token, authorizeUser, routes.appPasswords.list);
-    router.post('/api/v1/app_passwords', token, authorizeUser, routes.appPasswords.add);
-    router.get ('/api/v1/app_passwords/:id', token, authorizeUser, routes.appPasswords.get);
-    router.del ('/api/v1/app_passwords/:id', token, authorizeUser, routes.appPasswords.del);
+    router.get ('/api/v1/app_passwords', token, routes.appPasswords.list);
+    router.post('/api/v1/app_passwords', token, routes.appPasswords.add);
+    router.get ('/api/v1/app_passwords/:id', token, routes.appPasswords.get);
+    router.del ('/api/v1/app_passwords/:id', token, routes.appPasswords.del);
     // access tokens
-    router.get ('/api/v1/tokens', token, authorizeUser, routes.tokens.getAll);
-    router.post('/api/v1/tokens', token, authorizeUser, routes.tokens.add);
-    router.get ('/api/v1/tokens/:id', token, authorizeUser, routes.tokens.verifyOwnership, routes.tokens.get);
-    router.del ('/api/v1/tokens/:id', token, authorizeUser, routes.tokens.verifyOwnership, routes.tokens.del);
+    router.get ('/api/v1/tokens', token, routes.tokens.getAll);
+    router.post('/api/v1/tokens', token, routes.tokens.add);
+    router.get ('/api/v1/tokens/:id', token, routes.tokens.verifyOwnership, routes.tokens.get);
+    router.del ('/api/v1/tokens/:id', token, routes.tokens.verifyOwnership, routes.tokens.del);
     // user routes
     router.get ('/api/v1/users', token, authorizeAdmin, routes.users.list);
@@ -188,9 +187,9 @@ function initializeExpressSync() {
     router.get ('/api/v1/appstore/apps/:appstoreId/versions/:versionId', token, authorizeAdmin, routes.appstore.getAppVersion);
     // app routes
-    router.get ('/api/v1/apps', token, authorizeUser, routes.apps.getApps);
+    router.get ('/api/v1/apps', token, routes.apps.getApps);
     router.get ('/api/v1/apps/:id', token, authorizeAdmin, routes.apps.getApp);
-    router.get ('/api/v1/apps/:id/icon', token, authorizeUser, routes.apps.getAppIcon);
+    router.get ('/api/v1/apps/:id/icon', token, routes.apps.getAppIcon);
     router.post('/api/v1/apps/install', token, authorizeAdmin, routes.apps.installApp);
     router.post('/api/v1/apps/:id/uninstall', token, authorizeAdmin, routes.apps.uninstallApp);
@@ -269,7 +268,7 @@ function initializeExpressSync() {
     // domain routes
     router.post('/api/v1/domains', token, authorizeAdmin, routes.domains.add);
-    router.get ('/api/v1/domains', token, authorizeUser, routes.domains.getAll);
+    router.get ('/api/v1/domains', token, routes.domains.getAll);
     router.get ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.get); // this is manage scope because it returns non-restricted fields
     router.put ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.update);
     router.del ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.del);