diff --git a/src/Yavsc/ApiControllers/accounting/AccountController.cs b/src/Yavsc/ApiControllers/accounting/AccountController.cs
index 2058e484..35f83402 100644
--- a/src/Yavsc/ApiControllers/accounting/AccountController.cs
+++ b/src/Yavsc/ApiControllers/accounting/AccountController.cs
@@ -13,8 +13,7 @@ using System.Diagnostics;
 namespace Yavsc.WebApi.Controllers
 {
-
- [Authorize(),Route("~/api/account")]
+ [Authorize("ApiScope"),Route("~/api/account")]
 public class ApiAccountController : Controller
 {
 private UserManager _userManager;
@@ -44,7 +43,7 @@ namespace Yavsc.WebApi.Controllers
 }
 // POST api/Account/ChangePassword
- [Authorize]
+
 public async Task ChangePassword(ChangePasswordBindingModel model)
 {
 if (!ModelState.IsValid)
@@ -66,7 +65,7 @@ namespace Yavsc.WebApi.Controllers
 }
 // POST api/Account/SetPassword
- [Authorize]
+
 public async Task SetPassword(SetPasswordBindingModel model)
 {
 if (!ModelState.IsValid)
@@ -123,7 +122,7 @@ namespace Yavsc.WebApi.Controllers
 base.Dispose(disposing);
 }
- [HttpGet("~/api/me"),Authorize]
+ [HttpGet("~/api/otherme")]
 public async Task Me ()
 {
 if (User==null)
@@ -149,7 +148,7 @@ namespace Yavsc.WebApi.Controllers
 return Ok(user);
 }
- [HttpGet("~/api/myhost"),Authorize]
+ [HttpGet("~/api/myhost")]
 public IActionResult MyHost ()
 {
 return Ok(new { host = Request.ForHost() });
@@ -160,7 +159,7 @@ namespace Yavsc.WebApi.Controllers
 ///
 /// MyUpdate containing the new user name
 /// Ok when all is ok.
- [HttpPut("~/api/me"),Authorize]
+ [HttpPut("~/api/me")]
 public async Task UpdateMe(UserInfo me)
 {
 if (!ModelState.IsValid) return new BadRequestObjectResult(
@@ -175,7 +174,7 @@ namespace Yavsc.WebApi.Controllers
 /// Updates the avatar
 ///
 ///
- [HttpPost("~/api/setavatar"),Authorize]
+ [HttpPost("~/api/setavatar")]
 public async Task SetAvatar()
 {
 var root = User.InitPostToFileSystem(null);
diff --git a/src/Yavsc/Extensions/HostingExtensions.cs b/src/Yavsc/Extensions/HostingExtensions.cs
index 3e0324ac..6c4d49b5 100644
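Review bot: Every action on this controller now requires a `scope` claim because of the class-level `[Authorize("ApiScope")]`, and a user signed in through the Identity cookie normally does not carry such a claim, so browser sessions that previously reached /api/account will be rejected unless they present a bearer token; please confirm that is the intended contract. The policy name points at a registration that appears twice in HostingExtensions with different required values, so which scope is actually enforced here cannot be read from this file. A one-line comment above the attribute, `// All actions require a bearer token carrying the API scope (see the "ApiScope" policy in HostingExtensions)`, would make the requirement explicit for the next reader. The class body continues outside the hunk.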
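Review bot: The route rename to `~/api/otherme` leaves this action reachable at an undocumented path while GET /api/me is now served by a minimal endpoint in HostingExtensions that returns only raw claims, and nothing records why both exist. If the controller action is meant to stay, a comment such as `// GET /api/me is mapped in HostingExtensions and returns claims only; this action returns the full user record` would stop the next reader from treating one of them as dead code, and if it is not meant to stay it should be deleted rather than parked on a new route. The `Me` body continues outside the hunk.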
--- a/src/Yavsc/Extensions/HostingExtensions.cs
+++ b/src/Yavsc/Extensions/HostingExtensions.cs
@@ -172,6 +172,17 @@ internal static class HostingExtensions
 services.AddDbContext(options =>
 options.UseNpgsql(builder.Configuration.GetConnectionString("Default")));
+services
+ .AddAuthorization(options =>
+ {
+ options.AddPolicy("ApiScope", policy =>
+ {
+ policy
+ .RequireAuthenticatedUser()
+ .RequireClaim("scope", "api1");
+ });
+ });
+
 services.AddIdentity()
 .AddEntityFrameworkStores()
 .AddDefaultTokenProviders();
@@ -210,7 +221,14 @@ internal static class HostingExtensions
 // TODO .AddServerSideSessionStore()
- var authenticationBuilder = services.AddAuthentication();
+ var authenticationBuilder = services.AddAuthentication("Bearer")
+ .AddJwtBearer("Bearer", options =>
+ {
+ options.Authority = "https://localhost:5001";
+ options.TokenValidationParameters =
+ new() { ValidateAudience = false };
+ });
+
 authenticationBuilder.AddGoogle(options =>
 {
 options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
@@ -313,7 +331,12 @@ internal static class HostingExtensions
 services.AddDataProtection().PersistKeysToFileSystem(dataDir);
 services.AddAuthorization(options =>
 {
-
+ options.AddPolicy("ApiScope", policy =>
+ {
+ policy
+ .RequireAuthenticatedUser()
+ .RequireClaim("scope", "scope2");
+ });
 options.AddPolicy("AdministratorOnly", policy =>
 {
 _ = policy.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Constants.AdminGroupName);
@@ -351,6 +374,9 @@ internal static class HostingExtensions
 app.UseRouting();
 app.UseIdentityServer();
 app.UseAuthorization();
+ app.MapGet("/api/me", (HttpContext context) =>
+ new JsonResult(context?.User?.Claims.Select(c => new { c.Type, c.Value }))
+ ).RequireAuthorization("ApiScope");
 app.MapControllerRoute(
 name: "default",
 pattern: "{controller=Home}/{action=Index}/{id?}");
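Review bot: `RequireClaim("scope", "api1")` only matches when the scope arrives as its own claim; if the issuer delivers several scopes in one space-separated `scope` value, as some issuers and handler versions do, a token that does include `api1` is still rejected, so this should be checked against the tokens IdentityServer actually emits here or replaced by an assertion that splits the value. The same policy name is registered again further down in this file with a different required value, and AuthorizationOptions.AddPolicy replaces an existing entry by name, so only the last registration takes effect. As a style point, the new `services` chain starts at column 0 while the surrounding statements are indented; it should be indented to match. The enclosing method starts and ends outside the hunk.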
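Review bot: `options.Authority = "https://localhost:5001"` hard-codes the token issuer, so any deployment other than the local one validates bearer tokens against localhost and rejects them, and `ValidateAudience = false` accepts any token from that issuer regardless of which API it was minted for; the authority should come from configuration (for example `options.Authority = builder.Configuration["Authentication:Authority"];`, if `builder` is in scope in this method) and a `ValidAudience` should be set so the scope check is not the only thing tying a token to this API. Passing `"Bearer"` to `AddAuthentication` also makes it the default scheme, which appears to override the cookie scheme that `AddIdentity` registers earlier in this file, so `[Authorize]` on MVC pages without an explicit scheme would answer 401 instead of redirecting to login; if that is not intended, keep `services.AddAuthentication()` without a default and name the scheme on the API controllers only. The enclosing method starts and ends outside the hunk.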
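Review bot: This registers a second policy named `"ApiScope"` requiring `scope` = `"scope2"`, while the earlier hunk in this file registers the same name requiring `"api1"`; AuthorizationOptions.AddPolicy overwrites by name, so whichever configure callback runs last silently wins and the other value is dead. Keep a single definition, and if both scopes are legitimately accepted express that in one policy with `policy.RequireClaim("scope", "api1", "scope2");`. The enclosing method starts and ends outside the hunk.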
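Review bot: The /api/me handler returns `new JsonResult(...)`, which is an MVC `IActionResult` rather than a minimal-API `IResult`, so as far as the hunk shows the framework will JSON-serialize the JsonResult object itself (its `value`, `statusCode` and `contentType` properties) instead of executing it; return the projection directly, `(ClaimsPrincipal user) => user.Claims.Select(c => new { c.Type, c.Value })`, or wrap it in `Results.Json(...)`. The `context?.User?` null-conditionals are unnecessary because `RequireAuthorization("ApiScope")` guarantees an authenticated principal before the handler runs, and `HttpContext` is never null inside a handler. Note that this echoes every claim on the principal back to the caller, including any added by server-side claims transformation, which deserves a comment if it is meant as a debugging aid. The enclosing method starts and ends outside the hunk.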