diff --git a/API/Controller/Devices/DeviceOtaController.cs b/API/Controller/Devices/DeviceOtaController.cs
index 4fc4e62a..dd2c025e 100644
--- a/API/Controller/Devices/DeviceOtaController.cs
+++ b/API/Controller/Devices/DeviceOtaController.cs
@@ -25,7 +25,7 @@ public sealed partial class DevicesController
     /// <response code="404">Could not find device or you do not have access to it</response>
     [HttpGet("{deviceId}/ota")]
     [MapToApiVersion("1")]
-    [Authorize(Roles = "User")]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionCookie)]
     [ProducesResponseType<BaseResponse<IReadOnlyCollection<OtaItem>>>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     [ProducesResponseType<OpenShockProblem>(StatusCodes.Status404NotFound, MediaTypeNames.Application.ProblemJson)] // DeviceNotFound
     public async Task<IActionResult> GetOtaUpdateHistory([FromRoute] Guid deviceId, [FromServices] IOtaService otaService)
diff --git a/API/Controller/Tokens/TokenController.cs b/API/Controller/Tokens/TokenController.cs
index a6587891..266ac020 100644
--- a/API/Controller/Tokens/TokenController.cs
+++ b/API/Controller/Tokens/TokenController.cs
@@ -25,7 +25,7 @@ public sealed partial class TokensController
     /// </summary>
     /// <response code="200">All tokens for the current user</response>
     [HttpGet]
-    [Authorize(Roles = "User")]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionCookie)]
     [ProducesResponseType<IEnumerable<TokenResponse>>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     public async Task<IEnumerable<TokenResponse>> ListTokens()
     {
@@ -52,7 +52,7 @@ public async Task<IEnumerable<TokenResponse>> ListTokens()
     /// <response code="200">The token</response>
     /// <response code="404">The token does not exist or you do not have access to it.</response>
     [HttpGet("{tokenId}")]
-    [Authorize(Roles = "User")]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionCookie)]
     [ProducesResponseType<TokenResponse>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     [ProducesResponseType<OpenShockProblem>(StatusCodes.Status404NotFound, MediaTypeNames.Application.ProblemJson)] // ApiTokenNotFound    
     public async Task<IActionResult> GetTokenById([FromRoute] Guid tokenId)
@@ -81,7 +81,7 @@ public async Task<IActionResult> GetTokenById([FromRoute] Guid tokenId)
     /// <response code="200">Successfully deleted token</response>
     /// <response code="404">The token does not exist or you do not have access to it.</response>
     [HttpDelete("{tokenId}")]
-    [Authorize(Roles = "User")]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionCookie)]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType<OpenShockProblem>(StatusCodes.Status404NotFound, MediaTypeNames.Application.ProblemJson)] // ApiTokenNotFound    
     public async Task<IActionResult> DeleteToken([FromRoute] Guid tokenId)
@@ -105,7 +105,7 @@ public async Task<IActionResult> DeleteToken([FromRoute] Guid tokenId)
     /// <param name="body"></param>
     /// <response code="200">The created token</response>
     [HttpPost]
-    [Authorize(Roles = "User")]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionCookie)]
     [ProducesResponseType<TokenCreatedResponse>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     public async Task<TokenCreatedResponse> CreateToken([FromBody] CreateTokenRequest body)
     {
@@ -139,7 +139,7 @@ public async Task<TokenCreatedResponse> CreateToken([FromBody] CreateTokenReques
     /// <response code="200">The edited token</response>
     /// <response code="404">The token does not exist or you do not have access to it.</response>
     [HttpPatch("{tokenId}")]
-    [Authorize(Roles = "User")]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionCookie)]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType<OpenShockProblem>(StatusCodes.Status404NotFound, MediaTypeNames.Application.ProblemJson)] // ApiTokenNotFound    
     public async Task<IActionResult> EditToken([FromRoute] Guid tokenId, [FromBody] EditTokenRequest body)
diff --git a/API/Controller/Tokens/TokenSelfController.cs b/API/Controller/Tokens/TokenSelfController.cs
index 587e3d8f..2ae39f3d 100644
--- a/API/Controller/Tokens/TokenSelfController.cs
+++ b/API/Controller/Tokens/TokenSelfController.cs
@@ -19,7 +19,7 @@ public sealed partial class TokensController
     /// <returns></returns>
     /// <exception cref="Exception"></exception>
     [HttpGet("self")]
-    [Authorize(Policy = OpenShockAuthPolicies.TokenSessionOnly)]
+    [Authorize(AuthenticationSchemes = OpenShockAuthSchemas.ApiToken)]
     [ProducesResponseType<TokenResponse>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     public TokenResponse GetSelfToken([FromServices] IUserReferenceService userReferenceService)
     {
diff --git a/Common/Authentication/OpenShockAuthPolicies.cs b/Common/Authentication/OpenShockAuthPolicies.cs
index 1df116af..1e5f969a 100644
--- a/Common/Authentication/OpenShockAuthPolicies.cs
+++ b/Common/Authentication/OpenShockAuthPolicies.cs
@@ -2,5 +2,5 @@
 
 public static class OpenShockAuthPolicies
 {
-    public const string TokenSessionOnly = "ApiTokenOnly";
+    public const string AdminOnly = "AdminOnly";
 }
diff --git a/Common/OpenShockServiceHelper.cs b/Common/OpenShockServiceHelper.cs
index df2fc590..52216218 100644
--- a/Common/OpenShockServiceHelper.cs
+++ b/Common/OpenShockServiceHelper.cs
@@ -57,7 +57,7 @@ public static ServicesResult AddOpenShockServices(this IServiceCollection servic
         
         services.AddAuthorization(options =>
         {
-            options.AddPolicy(OpenShockAuthPolicies.TokenSessionOnly, policy => policy.RequireClaim(ClaimTypes.AuthenticationMethod, OpenShockAuthSchemas.ApiToken));
+            options.AddPolicy(OpenShockAuthPolicies.AdminOnly, policy => policy.RequireRole("Admin", "System"));
             // TODO: Add token permission policies
         });