diff --git a/dev/ory/oathkeeper.yml b/dev/ory/oathkeeper.yml index 621cc31765f..d0cb7478fe5 100644 --- a/dev/ory/oathkeeper.yml +++ b/dev/ory/oathkeeper.yml @@ -38,11 +38,6 @@ authenticators: token_from: header: Oauth2-Token - oauth2_client_credentials: - enabled: true - config: - token_url: http://hydra:4444/oauth2/token - anonymous: enabled: true config: diff --git a/dev/ory/oathkeeper_rules.yaml b/dev/ory/oathkeeper_rules.yaml index f254c3f0079..137fd2edbba 100644 --- a/dev/ory/oathkeeper_rules.yaml +++ b/dev/ory/oathkeeper_rules.yaml @@ -122,4 +122,4 @@ mutators: - handler: id_token config: #! TODO: add aud: {"aud": ["https://api/admin/graphql"] } - claims: '{"sub": "{{ print .Subject }}"}' + claims: '{"sub": "{{ print .Subject }}", "scope": "{{ print .Extra.scope }}" }' diff --git a/docs/hydra.md b/docs/hydra.md index 9a17dbeb22c..b336cce49f3 100644 --- a/docs/hydra.md +++ b/docs/hydra.md @@ -96,11 +96,17 @@ you are now connect as the user when you add the Header `Oauth2-Token: {token}`. ### debug +```sh hydra introspect token \ --format json-pretty \ --endpoint http://127.0.0.1:4445/ \ $ory_at_TOKEN -# OR +``` + +OR + + +```sh curl -X POST http://localhost:4445/admin/oauth2/introspect -d token=$ory_at_TOKEN curl -I -X POST http://localhost:4456/decisions/graphql -H "Oauth2-Token: $ory_at_TOKEN" 
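Review bot: The new `scope` claim in the id_token mutator is spliced into the JSON claims template as a raw string via `{{ print .Extra.scope }}` with no escaping, so a scope value containing a double quote or backslash would produce an invalid claims document at mutation time, and there is nothing in the hunk that pins what type `.Extra.scope` has. If the template engine exposes a JSON-encoding helper (oathkeeper's templates are documented as sprig-based, so `toJson` may be available), `"scope": {{ .Extra.scope | toJson }}` would be safer than the hand-built string; if the value is the introspection endpoint's space-separated scope string, downstream checks should split on whitespace rather than compare the whole string. The `#! TODO: add aud` comment survives the change, so the minted JWT still carries no `aud` restricting it to the admin GraphQL API even though authorization decisions will now hinge on the new claim; worth tracking alongside this change. The mutator list starts above the hunk.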
@@ -109,42 +115,46 @@ curl --location 'http://localhost:4002/graphql' \ --header 'Content-Type: application/json' \ --header "Oauth2-Token: $ory_at_TOKEN" \ --data '{"query":"query me {\n me {\n id\n defaultAccount {\n id\n }\n }\n}","variables":{}}' - +``` ## client_credentials #### create client -``` +```sh client=$(hydra create client \ --endpoint http://127.0.0.1:4445/ \ --format json \ --grant-type client_credentials \ --scope editor \ - --scope admin) + ) client_id=$(echo $client | jq -r '.client_id') client_secret=$(echo $client | jq -r '.client_secret') ``` #### get token for client -``` +```sh hydra perform client-credentials \ --endpoint http://127.0.0.1:4444/ \ --client-id $client_id \ --client-secret $client_secret \ - --scope editor \ - --scope admin + --scope editor ``` -// could be a great option to use oauth2_client_credentials oathkeeper authentication -// but the response is not returning the scope in the jwt +note: this could be a great option to use oauth2_client_credentials oathkeeper authentication +but the response is not returning the scope in the jwt + +```sh curl -s -I -X POST http://localhost:4456/decisions/graphql --user $client_id:$client_secret +``` ## list OAuth 2.0 consent +```sh export subject=092fbf63-0b3a-422f-8260-b6f0720bf4ad curl http://localhost:4445/admin/oauth2/auth/sessions/consent?subject=$subject curl 'http://localhost:4445/admin/oauth2/auth/sessions/consent?subject=092fbf63-0b3a-422f-8260-b6f0720bf4ad' +``` diff --git a/test/bats/admin.bats b/test/bats/admin.bats index a30e5fb4782..c0b9bbe3e4a 100644 --- a/test/bats/admin.bats +++ b/test/bats/admin.bats 
@@ -2,31 +2,81 @@ load "helpers/setup-and-teardown" -username="user1" - setup_file() { start_server - - login_user \ - "$ADMIN_TOKEN_NAME" \ - "$ADMIN_PHONE" \ - "$CODE" } teardown_file() { stop_server } -ADMIN_TOKEN_NAME="editor" -ADMIN_PHONE="+16505554336" - TESTER_TOKEN_NAME="tester" TESTER_PHONE="+19876543210" +username="user1" + +exec_admin_graphql() { + local token=$1 + local query_name=$2 + local variables=${3:-"{}"} + echo "GQL query - token: ${token} - query: ${query_name} - vars: ${variables}" + echo "{\"query\": \"$(gql_admin_query $query_name)\", \"variables\": $variables}" + + AUTH_HEADER="Oauth2-Token: $token" + + if [[ "${BATS_TEST_DIRNAME}" != "" ]]; then + run_cmd="run" + else + run_cmd="" + fi + + gql_route="admin/graphql" + + ${run_cmd} curl -s \ + -X POST \ + ${AUTH_HEADER:+ -H "$AUTH_HEADER"} \ + -H "Content-Type: application/json" \ + -d "{\"query\": \"$(gql_admin_query $query_name)\", \"variables\": $variables}" \ + "${GALOY_ENDPOINT}/${gql_route}" + + echo curl -s \ + -X POST \ + ${AUTH_HEADER:+ -H "$AUTH_HEADER"} \ + -H "Content-Type: application/json" \ + -d "{\"query\": \"$(gql_admin_query $query_name)\", \"variables\": $variables}" \ + "${GALOY_ENDPOINT}/${gql_route}" + + echo "GQL output: '$output'" +} + +gql_admin_query() { + cat "$(gql_admin_file $1)" | tr '\n' ' ' | sed 's/"/\\"/g' +} + +gql_admin_file() { + echo "${BATS_TEST_DIRNAME:-${REPO_ROOT}/test/bats}/admin-gql/$1.gql" +} + @test "admin: perform admin queries/mutations" { - "skip" + client=$(hydra create client \ + --endpoint http://127.0.0.1:4445/ \ + --format json \ + --grant-type client_credentials \ + --scope editor + ) + client_id=$(echo $client | jq -r '.client_id') + client_secret=$(echo $client | jq -r '.client_secret') + + # get token from client_id and client_secret + admin_token=$(hydra perform client-credentials \ + --endpoint http://127.0.0.1:4444/ \ + --client-id $client_id \ + --client-secret $client_secret \ + --scope editor \ + --format json | jq -r 
.access_token + ) - admin_token="$ADMIN_TOKEN_NAME" + echo $admin_token login_user \ "$TESTER_TOKEN_NAME" \ @@ -46,7 +96,7 @@ TESTER_PHONE="+19876543210" '{phone: $phone}' ) - exec_admin_graphql "$admin_token" 'account-details-by-user-phone' "$variables" + exec_admin_graphql $admin_token 'account-details-by-user-phone' "$variables" id="$(graphql_output '.data.accountDetailsByUserPhone.id')" [[ "$id" != "null" && "$id" != "" ]] || exit 1 uuid="$(graphql_output '.data.accountDetailsByUserPhone.uuid')" diff --git a/test/bats/helpers/_common.bash b/test/bats/helpers/_common.bash index 90bbd7a8440..6f4622c6829 100644 --- a/test/bats/helpers/_common.bash +++ b/test/bats/helpers/_common.bash @@ -103,14 +103,6 @@ gql_file() { echo "${BATS_TEST_DIRNAME:-${REPO_ROOT}/test/bats}/gql/$1.gql" } -gql_admin_query() { - cat "$(gql_admin_file $1)" | tr '\n' ' ' | sed 's/"/\\"/g' -} - -gql_admin_file() { - echo "${BATS_TEST_DIRNAME:-${REPO_ROOT}/test/bats}/admin-gql/$1.gql" -} - new_idempotency_key() { random_uuid } @@ -147,37 +139,6 @@ exec_graphql() { echo "GQL output: '$output'" } -exec_admin_graphql() { - local token_name=$1 - local query_name=$2 - local variables=${3:-"{}"} - echo "GQL query - user: ${token_name} - query: ${query_name} - vars: ${variables}" - echo "{\"query\": \"$(gql_admin_query $query_name)\", \"variables\": $variables}" - - if [[ ${token_name} == "anon" ]]; then - AUTH_HEADER="" - else - AUTH_HEADER="Authorization: Bearer $(read_value ${token_name})" - fi - - if [[ "${BATS_TEST_DIRNAME}" != "" ]]; then - run_cmd="run" - else - run_cmd="" - fi - - gql_route="admin/graphql" - - ${run_cmd} curl -s \ - -X POST \ - ${AUTH_HEADER:+ -H "$AUTH_HEADER"} \ - -H "Content-Type: application/json" \ - -d "{\"query\": \"$(gql_admin_query $query_name)\", \"variables\": $variables}" \ - "${GALOY_ENDPOINT}/${gql_route}" - - echo "GQL output: '$output'" -} - graphql_output() { echo $output | jq -r "$@" }
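Review bot: The new `exec_admin_graphql` prints the raw OAuth2 access token on its first `echo` (`token: ${token}`) and again in the `echo curl ...` block after the real request, and the test body adds a bare `echo $admin_token`, so a live bearer credential ends up in bats output and CI logs; the helper it replaces in `_common.bash` only logged the token *name*. Suggest `echo "GQL query - query: ${query_name} - vars: ${variables}"` for the first line, dropping the `echo $admin_token` line, and removing the `echo curl ...` block entirely since it only repeats the command already run. `client_id=$(echo $client | jq -r '.client_id')` and the `--client-id $client_id --client-secret $client_secret` arguments are unquoted; quoting them costs nothing and keeps the secret from being word-split or glob-expanded. The `hydra create client` call registers a new client on every test run with no matching teardown, so clients accumulate in hydra; consider recording the id and deleting it in `teardown_file`. The `@test` block continues past the end of this hunk.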
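Review bot: The change from `exec_admin_graphql "$admin_token" ...` to `exec_admin_graphql $admin_token ...` is a regression: if the `hydra perform client-credentials` call earlier in the test fails, `admin_token` is empty and the unquoted expansion vanishes, so `'account-details-by-user-phone'` is passed as the token and `"$variables"` as the query name, producing a confusing `gql_admin_file` path error instead of a clear auth failure. A JWT contains no whitespace, so the quotes were never in the way; restore `exec_admin_graphql "$admin_token" 'account-details-by-user-phone' "$variables"`. The enclosing `@test` block starts in the previous hunk.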