diff --git a/common/models/access-token.json b/common/models/access-token.json
index a5f360c4..7429c838 100644
--- a/common/models/access-token.json
+++ b/common/models/access-token.json
@@ -11,6 +11,9 @@
       "default": 1209600,
       "description": "time to live in seconds (2 weeks by default)"
     },
+    "scopes": {
+      "type": ["string"]
+    },
     "created": {
       "type": "Date"
     }
@@ -20,6 +23,11 @@
       "type": "belongsTo",
       "model": "User",
       "foreignKey": "userId"
+    },
+    "application": {
+      "type": "belongsTo",
+      "model": "Application",
+      "foreignKey": "appId"
     }
   },
   "acls": [
diff --git a/common/models/user.js b/common/models/user.js
index f5f1a8c0..2ef80910 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -424,7 +424,7 @@ module.exports = function(User) {
   };
 
   /**
-   * Create a short lived acess token for temporary login. Allows users
+   * Create a short lived access token for temporary login. Allows users
    * to change passwords if forgotten.
    *
    * @options {Object} options
@@ -445,7 +445,8 @@ module.exports = function(User) {
       } else if (user) {
         // create a short lived access token for temp login to change password
         // TODO(ritch) - eventually this should only allow password change
-        user.accessTokens.create({ttl: ttl}, function(err, accessToken) {
+        user.accessTokens.create({ttl: ttl, scopes: ['resetPassword']},
+          function(err, accessToken) {
           if (err) {
             cb(err);
           } else {
diff --git a/test/support.js b/test/support.js
index 1ef0eefc..f7ca6c35 100644
--- a/test/support.js
+++ b/test/support.js
@@ -2,8 +2,10 @@
  * loopback test setup and support.
  */
 
-assert = require('assert');
+assert = require('chai').assert;
 expect = require('chai').expect;
+should = require('chai').should;
+
 loopback = require('../');
 memoryConnector = loopback.Memory;
 GeoPoint = loopback.GeoPoint;
diff --git a/test/user.test.js b/test/user.test.js
index 6caeb34d..69562b7c 100644
--- a/test/user.test.js
+++ b/test/user.test.js
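Review bot: The new `scopes` property in the first access-token.json hunk is an unconstrained string array with no description, unlike the neighbouring `ttl` property which documents its meaning; nothing in this diff shows what values are valid or who is allowed to set them. A reader of the model will not know whether an absent or empty `scopes` means "unrestricted" or "no access", and that ambiguity matters once something starts enforcing it. Suggest documenting the intent the way `ttl` does, e.g. `"description": "operation names this token is restricted to; enforcement is not yet implemented — confirm semantics of an empty list"`, and if the AccessToken model is exposed over REST, confirming that clients cannot create tokens with arbitrary scopes.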
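Review bot: In the second user.js hunk, tagging the password-reset token with `scopes: ['resetPassword']` stores a label but nothing visible in this diff reads it, so the token remains a full-privilege login token for `ttl` seconds exactly as before; the TODO above the call ("eventually this should only allow password change") is still accurate and should stay until the authorization path consults `accessToken.scopes`. Because the label looks like a restriction, a later reader may assume the reset flow is already confined and skip adding the check. Suggest making the gap explicit next to the TODO: `// NOTE: 'resetPassword' scope is recorded but not yet enforced; this token still grants full access`. The enclosing function starts and ends outside the hunk.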
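Review bot: In the test/support.js hunk, `should = require('chai').should;` assigns chai's `should` without invoking it; in chai, `should` is a function that must be called to install the `should` getter on `Object.prototype`, so as written a test using `value.should.equal(...)` would presumably throw on an undefined `should` property. If should-style assertions are wanted, the line should be `should = require('chai').should();`; if they are not, the global is unused and can be dropped. Note also that switching `assert` from Node's module to chai's changes the available helpers (e.g. `assert.throws` signatures differ), so any existing `assert.*` call outside this hunk that relies on Node-specific behaviour needs a second look.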
@@ -923,6 +923,8 @@ describe('User', function() {
         assert(info.email);
         assert(info.accessToken);
         assert(info.accessToken.id);
+        assert.equal(info.accessToken.scopes.length, 0);
+        assert.equal(info.accessToken.scopes[0], 'resetPassword');
         assert.equal(info.accessToken.ttl / 60, 15);
         assert(calledBack);
         info.accessToken.user(function(err, user) {
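Review bot: The two added assertions contradict each other: `assert.equal(info.accessToken.scopes.length, 0)` requires an empty array, while the next line requires `scopes[0]` to be `'resetPassword'`, so at most one of them can pass and the test as written must fail on one of them. Given the user.js change creates the token with `scopes: ['resetPassword']`, the intended check is `assert.equal(info.accessToken.scopes.length, 1);`. Consider a stricter check so an extra scope cannot slip in unnoticed, e.g. `assert.deepEqual(info.accessToken.scopes, ['resetPassword']);`. The enclosing `it` callback starts and ends outside the hunk.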