diff --git a/Iceshrimp.Backend/Controllers/Mastodon/AuthController.cs b/Iceshrimp.Backend/Controllers/Mastodon/AuthController.cs
index 4e5dbb79..5e0ad19b 100644
--- a/Iceshrimp.Backend/Controllers/Mastodon/AuthController.cs
+++ b/Iceshrimp.Backend/Controllers/Mastodon/AuthController.cs
@@ -106,12 +106,12 @@ public class AuthController(DatabaseContext db) : ControllerBase
 			throw GracefulException
 				.BadRequest("The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.");
 
-		if (MastodonOauthHelpers.ExpandScopes(request.Scopes)
+		if (MastodonOauthHelpers.ExpandScopes(request.Scopes ?? [])
 		                        .Except(MastodonOauthHelpers.ExpandScopes(token.Scopes))
 		                        .Any())
 			throw GracefulException.BadRequest("The requested scope is invalid, unknown, or malformed.");
 
-		token.Scopes = request.Scopes;
+		token.Scopes = request.Scopes ?? token.Scopes;
 		token.Active = true;
 		await db.SaveChangesAsync();
 
diff --git a/Iceshrimp.Backend/Controllers/Mastodon/Schemas/AuthSchemas.cs b/Iceshrimp.Backend/Controllers/Mastodon/Schemas/AuthSchemas.cs
index 3e9e7f1c..a366dbce 100644
--- a/Iceshrimp.Backend/Controllers/Mastodon/Schemas/AuthSchemas.cs
+++ b/Iceshrimp.Backend/Controllers/Mastodon/Schemas/AuthSchemas.cs
@@ -70,14 +70,14 @@ public abstract class AuthSchemas
 
 	public class OauthTokenRequest
 	{
-		public List<string> Scopes = ["read"];
+		public List<string>? Scopes;
 
 		[B(Name = "scope")]
 		[J("scope")]
 		[JC(typeof(EnsureArrayConverter))]
 		public List<string> ScopesInternal
 		{
-			get => Scopes;
+			get => Scopes ?? [];
 			set => Scopes = value.Count == 1
 				? value[0].Contains(' ')
 					? value[0].Split(' ').ToList()