diff --git a/security.py b/security.py
index d3abe56..0c6f5d1 100644
--- a/security.py
+++ b/security.py
@@ -143,7 +143,7 @@ async def login_for_access_token(
     allowed_scopes = set(user.scopes.split())
     requested_scopes = set(form_data.scopes)
     access_token = create_access_token(
-        data={"sub": user.username, "scopes": list(allowed_scopes & requested_scopes)},
+        data={"sub": user.username, "scopes": list(allowed_scopes)},
         expires_delta=access_token_expires,
     )
     response.set_cookie(