diff --git a/integration/src/test/scala/org/knora/sipi/SipiIT.scala b/integration/src/test/scala/org/knora/sipi/SipiIT.scala
index 9a92e86921..82a8ddb7b5 100644
--- a/integration/src/test/scala/org/knora/sipi/SipiIT.scala
+++ b/integration/src/test/scala/org/knora/sipi/SipiIT.scala
@@ -27,6 +27,8 @@ import scala.util.Try
 import dsp.valueobjects.UuidUtil
 import org.knora.sipi.MockDspApiServer.verify.*
 import org.knora.webapi.slice.admin.api.model.PermissionCodeAndProjectRestrictedViewSettings
+import org.knora.webapi.slice.admin.domain.model.KnoraProject.Shortcode
+import org.knora.webapi.slice.infrastructure.Scope as AuthScope
 import org.knora.webapi.testcontainers.SharedVolumes
 import org.knora.webapi.testcontainers.SipiTestContainer
@@ -41,7 +43,7 @@ object SipiIT extends ZIOSpecDefault {
 .map(url => Request.get(url).addHeaders(Headers(headers)))
 .flatMap(Client.request(_))
- private def createJwt(scope: String): UIO[String] = for {
+ private def createJwt(scope: AuthScope): UIO[String] = for {
 now <- Clock.instant
 uuid <- Random.nextUUID
 exp = now.plusSeconds(3600)
@@ -52,7 +54,7 @@ object SipiIT extends ZIOSpecDefault {
 issuedAt = Some(now.getEpochSecond),
 expiration = Some(exp.getEpochSecond),
 jwtId = Some(UuidUtil.base64Encode(uuid)),
- ) + ("scope", scope)
+ ) + ("scope", scope.toScopeString)
 } yield JwtZIOJson.encode(
 """{"typ":"JWT","alg":"HS256"}""",
 claim.toJson,
@@ -70,7 +72,7 @@ object SipiIT extends ZIOSpecDefault {
 ) {
 for {
 _ <- MockDspApiServer.resetAndAllowWithPermissionCode(prefix, imageTestfile, 2)
- jwt <- createJwt("admin")
+ jwt <- createJwt(AuthScope.admin)
 response <- requestGet(
 Root / prefix / imageTestfile / "file",
 Header.Cookie(
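Review bot: With the signature narrowed to `createJwt(scope: AuthScope)` in the hunk at -41, this helper can no longer mint a token whose scope claim is malformed or unknown, so the suite cannot check how Sipi treats such a claim. If that negative case is wanted (none is visible in this diff), keep the existing body under a String-taking helper and delegate to it, e.g. `private def createJwt(scope: AuthScope): UIO[String] = createJwtWithScopeClaim(scope.toScopeString)`; the helper name is only a suggestion. The body of createJwt continues past this hunk into the hunk at -52, where the claim is built.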
@@ -94,7 +96,7 @@ object SipiIT extends ZIOSpecDefault {
 ) {
 for {
 _ <- MockDspApiServer.resetAndAllowWithPermissionCode(prefix, imageTestfile, 2)
- jwt <- createJwt("admin")
+ jwt <- createJwt(AuthScope.admin)
 response <- requestGet(
 Root / prefix / imageTestfile / "file",
 Header.Cookie(NonEmptyChunk(Cookie.Request("KnoraAuthenticationGAXDALRQFYYDUMZTGMZQ9999", jwt))),
@@ -109,7 +111,7 @@ object SipiIT extends ZIOSpecDefault {
 ) {
 for {
 _ <- MockDspApiServer.resetAndAllowWithPermissionCode(prefix, imageTestfile, 2)
- jwt <- createJwt("write:project:" + prefix)
+ jwt <- createJwt(AuthScope.write(Shortcode.unsafeFrom(prefix)))
 response <- requestGet(
 Root / prefix / imageTestfile / "full" / "max" / "0" / "default.jpg",
 Header.Cookie(NonEmptyChunk(Cookie.Request("KnoraAuthenticationGAXDALRQFYYDUMZTGMZQ9999", jwt))),
diff --git a/webapi/src/main/scala/org/knora/webapi/slice/infrastructure/Scope.scala b/webapi/src/main/scala/org/knora/webapi/slice/infrastructure/Scope.scala
index d754047980..1faa1a4875 100644
--- a/webapi/src/main/scala/org/knora/webapi/slice/infrastructure/Scope.scala
+++ b/webapi/src/main/scala/org/knora/webapi/slice/infrastructure/Scope.scala
@@ -17,6 +17,8 @@ object Scope {
 val admin: Scope = Scope(Set(ScopeValue.Admin))
 def from(scopeValues: Seq[ScopeValue]): Scope = scopeValues.foldLeft(Scope.empty)(_ + _)
+ def read(project: Shortcode): Scope = Scope(Set(ScopeValue.Read(project)))
+ def write(project: Shortcode): Scope = Scope(Set(ScopeValue.Write(project)))
 }
 sealed trait ScopeValue {
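Review bot: The project-scoped case in the hunk at -109 builds its token from the same `prefix` that appears in the request path, so only the matching-project path is exercised here. A sibling test that passes `AuthScope.write(...)` for a different shortcode and asserts the intended response would pin that a write scope for one project is not honoured for another. Whether such a test already exists elsewhere in the file is not visible, and the test body starts and ends outside the hunk.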
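Review bot: The new public factories `read` and `write` in `object Scope` have no Scaladoc, and `read` has no caller in the visible part of this diff. Each one wraps exactly one `ScopeValue` for one project, so a one-line doc comment on each should say that, for example `/** Scope containing only ScopeValue.Write for the given project. */` on `write` and the matching line on `read`. A small unit test comparing `Scope.write(sc).toScopeString` with the literal form the removed test line used (`"write:project:" + prefix`) would keep the serialized claim pinned, assuming that form is still the intended one, now that the integration test derives the string from this code.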