diff --git a/api/handlers/v1/auth.go b/api/handlers/v1/auth.go
index 86ae1c1..9d8355a 100644
--- a/api/handlers/v1/auth.go
+++ b/api/handlers/v1/auth.go
@@ -90,6 +90,12 @@ func (h *Handler) AuthLogin(c echo.Context) error {
 }
 
 func (h *Handler) validateAdminToken(c echo.Context, password string) error {
+	// if the admin token is blank, then the admin wanted this disabled.
+	// this will fail right away and not progress.
+	if h.Config.AdminToken == "" {
+		return h.InternalServerErrorResponse(c, ErrUserNotFound)
+	}
+
 	if h.Config.AdminToken != password {
 		return h.ReturnUnauthorizedResponse(c, ErrUserNotFound)
 	}
@@ -102,7 +108,7 @@ func (h *Handler) validateAdminToken(c echo.Context, password string) error {
 	return c.JSON(http.StatusOK, token)
 }
 
-func (h *Handler) AddScope(c echo.Context) error {
+func (h *Handler) AddScopes(c echo.Context) error {
 	token, err := h.getJwtToken(c)
 	if err != nil {
 		return h.ReturnUnauthorizedResponse(c, err.Error())
@@ -113,7 +119,7 @@ func (h *Handler) AddScope(c echo.Context) error {
 		return h.ReturnUnauthorizedResponse(c, err.Error())
 	}
 
-	request := domain.AddScopeRequest{}
+	request := domain.UpdateScopesRequest{}
 	err = (&echo.DefaultBinder{}).BindBody(c, &request)
 	if err != nil {
 		return c.JSON(http.StatusBadRequest, domain.ErrorResponse{
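Review bot: The new empty-token branch in validateAdminToken answers with InternalServerErrorResponse, so a caller can tell "admin login disabled" (500) apart from "wrong token" (the 401 the next check returns), and a deliberate configuration choice is reported as a server fault; returning the same response in both cases, `return h.ReturnUnauthorizedResponse(c, ErrUserNotFound)`, keeps the two outcomes indistinguishable from outside. The comparison on the following context line, `h.Config.AdminToken != password`, is a plain string compare on a secret; `if subtle.ConstantTimeCompare([]byte(h.Config.AdminToken), []byte(password)) != 1 {` (crypto/subtle) removes the length- and prefix-dependent timing, assuming nothing else in the file already relies on the plain compare. The added comment could also say what is enforced rather than only the intent, e.g. `// An empty AdminToken means admin login is disabled by configuration; reject before comparing so an empty submitted password can never match.` validateAdminToken continues past this hunk (the next hunk shows it issuing a token), so any response-shape change should be checked against that tail.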
@@ -132,10 +138,33 @@ func (h *Handler) AddScope(c echo.Context) error {
 	})
 }
 
-func (h *Handler) RemoveScope(c echo.Context) error {
+func (h *Handler) RemoveScopes(c echo.Context) error {
+	token, err := h.getJwtToken(c)
+	if err != nil {
+		return h.ReturnUnauthorizedResponse(c, err.Error())
+	}
+
+	err = token.IsValid(domain.ScopeAll)
+	if err != nil {
+		return h.ReturnUnauthorizedResponse(c, err.Error())
+	}
+
+	request := domain.UpdateScopesRequest{}
+	err = (&echo.DefaultBinder{}).BindBody(c, &request)
+	if err != nil {
+		return c.JSON(http.StatusBadRequest, domain.ErrorResponse{
+			Success: false,
+			Message: err.Error(),
+		})
+	}
+
+	err = h.UserService.RemoveScopes(request.Username, request.Scopes)
+	if err != nil {
+		return h.InternalServerErrorResponse(c, err.Error())
+	}
+
 	return c.JSON(http.StatusOK, domain.ErrorResponse{
-		Success: false,
-		Message: "Not Implemented",
+		Success: true,
 	})
 }
 
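Review bot: `return h.InternalServerErrorResponse(c, err.Error())` after the UserService.RemoveScopes call hands the raw service error text to the client, which for a storage or lookup failure typically exposes internal detail; log the error server-side with the caller's identity and the requested username/scopes (this is a ScopeAll-gated change to another user's privileges, so it is worth an audit record), and return a fixed message such as `return h.InternalServerErrorResponse(c, "could not remove scopes")`. The body is sent to the service with no visible check that request.Username or request.Scopes is non-empty, so an empty or partial request reaches the service layer; a `http.StatusBadRequest` response before the call would keep that validation in the handler. The token, scope-check and BindBody prologue is a line-for-line copy of the start of AddScopes in the previous hunks, which suggests a shared helper that returns the bound UpdateScopesRequest, though AddScopes's remaining body is outside this diff. The success path returns `domain.ErrorResponse{Success: true}`, which matches AddScopes but reads oddly for a non-error; a doc comment on RemoveScopes stating the required scope and the 400/401/500 outcomes would help the next reader. RemoveScopes is complete within this hunk.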