diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/AlwaysAddTokenHandler.cs b/backend/src/Squidex/Areas/IdentityServer/Config/AlwaysAddTokenHandler.cs
new file mode 100644
index 000000000..6a8cf853d
--- /dev/null
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/AlwaysAddTokenHandler.cs
@@ -0,0 +1,35 @@
+// ==========================================================================
+// Squidex Headless CMS
+// ==========================================================================
+// Copyright (c) Squidex UG (haftungsbeschraenkt)
+// All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using OpenIddict.Abstractions;
+using OpenIddict.Server;
+using static OpenIddict.Server.OpenIddictServerEvents;
+
+namespace Squidex.Areas.IdentityServer.Config
+{
+ public sealed class AlwaysAddTokenHandler : IOpenIddictServerHandler
+ {
+ public ValueTask HandleAsync(ProcessSignInContext context)
+ {
+ if (context == null)
+ {
+ return default;
+ }
+
+ if (!string.IsNullOrWhiteSpace(context.Response.AccessToken))
+ {
+ var scopes = context.AccessTokenPrincipal?.GetScopes() ?? ImmutableArray.Empty;
+
+ context.Response.Scope = string.Join(" ", scopes);
+ }
+
+ return default;
+ }
+ }
+}
diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
index 09dece9a4..d786b0188 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
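Review bot: In AlwaysAddTokenHandler.HandleAsync, the `?? ImmutableArray.Empty` fallback means a response that has an access token but no AccessTokenPrincipal gets `context.Response.Scope` overwritten with an empty string, discarding any scope value an earlier handler attached. Leaving the response untouched in that case is safer, e.g. `var principal = context.AccessTokenPrincipal; if (principal == null) { return default; }` before the join. The `context == null` branch also returns silently, which would hide a broken pipeline; `throw new ArgumentNullException(nameof(context));` (with `using System;`) makes that visible. The class has no summary, and its name suggests it adds a token while the body only writes the granted scopes into the response, so a one-line `/// <summary>` stating that would help.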
@@ -20,6 +20,8 @@ using Squidex.Hosting; using Squidex.Web; using Squidex.Web.Pipeline; using static OpenIddict.Abstractions.OpenIddictConstants; +using static OpenIddict.Server.OpenIddictServerEvents; +using static OpenIddict.Server.OpenIddictServerHandlers; namespace Squidex.Areas.IdentityServer.Config { @@ -78,6 +80,12 @@ namespace Squidex.Areas.IdentityServer.Config }) .AddServer(builder => { + builder.AddEventHandler(builder => + { + builder.UseSingletonHandler() + .SetOrder(AttachTokenParameters.Descriptor.Order + 1); + }); + builder .SetAuthorizationEndpointUris("/connect/authorize") .SetIntrospectionEndpointUris("/connect/introspect") @@ -101,7 +109,6 @@ namespace Squidex.Areas.IdentityServer.Config builder.AllowAuthorizationCodeFlow(); builder.UseAspNetCore() - // Disable it mainly for our tests. .DisableTransportSecurityRequirement() .EnableAuthorizationEndpointPassthrough() .EnableLogoutEndpointPassthrough()
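Review bot: In the `builder.AddEventHandler(builder => ...)` registration, the inner lambda parameter reuses the name `builder` from the enclosing AddServer lambda, so it is easy to misread which builder is being configured. Renaming the inner parameter (for example to `handler`) keeps the two apart. The `AttachTokenParameters.Descriptor.Order + 1` ordering also has no stated reason. Presumably the handler must run after the token parameters are attached, since it reads `context.Response.AccessToken`, and a comment such as `// Runs after AttachTokenParameters: the handler reads the access token from the response.` would record that once confirmed. The AddServer lambda continues outside the hunk.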
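Review bot: With the comment removed, `.DisableTransportSecurityRequirement()` in the `UseAspNetCore()` chain has no stated reason. As far as this hunk shows it is applied unconditionally, which allows the authorization and token endpoints to be served over plain HTTP. If the setting exists for tests or for deployments that terminate TLS at a proxy, the comment should say so rather than disappear, for example `// Transport security is not enforced here: <reason>; TLS must be terminated in front of the app.` Gating the call on a configuration flag or the hosting environment is worth considering. The builder chain continues outside the hunk, so an existing guard may not be visible here.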