diff --git a/.agents/features/api-tokens.md b/.agents/features/api-tokens.md
index 06b7ad9..9914bb2 100644
--- a/.agents/features/api-tokens.md
+++ b/.agents/features/api-tokens.md
@@ -5,7 +5,7 @@ Fine-grained access tokens that allow external integrations to interact with Tas
 ## Capabilities
 - Create named API tokens with an expiration date
-- Scoped permissions: task:read, task:write, label:read, label:write, dav:read, dav:write, user:read, user:write, token:write
+- Scoped permissions: Tasks.Read, Tasks.Write, Labels.Read, Labels.Write, Dav.Read, Dav.Write, User.Read, User.Write, Tokens.Write
 - Write scopes automatically include their corresponding read scope
 - Tokens are validated the same way as JWT sessions but carry scope restrictions
 - List and delete existing tokens from the settings UI
diff --git a/apiserver/internal/models/user.go b/apiserver/internal/models/user.go
index 0326129..21b43d3 100644
--- a/apiserver/internal/models/user.go
+++ b/apiserver/internal/models/user.go
@@ -32,14 +32,14 @@ type SignedInIdentity struct {
 type ApiTokenScope string
 const (
- ApiTokenScopeTaskRead ApiTokenScope = "task:read"
- ApiTokenScopeTaskWrite ApiTokenScope = "task:write"
- ApiTokenScopeLabelRead ApiTokenScope = "label:read"
- ApiTokenScopeLabelWrite ApiTokenScope = "label:write"
- ApiTokenScopeUserRead ApiTokenScope = "user:read"
- ApiTokenScopeUserWrite ApiTokenScope = "user:write"
- ApiTokenScopeDavRead ApiTokenScope = "dav:read"
- ApiTokenScopeDavWrite ApiTokenScope = "dav:write"
+ ApiTokenScopeTaskRead ApiTokenScope = "Tasks.Read"
+ ApiTokenScopeTaskWrite ApiTokenScope = "Tasks.Write"
+ ApiTokenScopeLabelRead ApiTokenScope = "Labels.Read"
+ ApiTokenScopeLabelWrite ApiTokenScope = "Labels.Write"
+ ApiTokenScopeUserRead ApiTokenScope = "User.Read"
+ ApiTokenScopeUserWrite ApiTokenScope = "User.Write"
+ ApiTokenScopeDavRead ApiTokenScope = "Dav.Read"
+ ApiTokenScopeDavWrite ApiTokenScope = "Dav.Write"
 )
 func AllUserScopes() []ApiTokenScope {
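Review bot: The `ApiTokenScope` values changed in `apiserver/internal/models/user.go` look like persisted identifiers, and the commit shows no migration for tokens already issued with the old strings. If stored scopes are compared against these constants by exact match (not visible here), every existing token would stop matching after deploy, so either rewrite the stored values in a migration or normalise legacy names when a token is loaded. The new values also mix plural and singular resource names (`Tasks.Read`, `Labels.Read` against `User.Read`, `Dav.Read`), and the documentation hunk lists `Tokens.Write`, which has no constant in this block; both are worth confirming as intended. I would add above the block `// Scope values are stored with issued tokens and sent in OAuth scope claims; renaming one requires migrating existing tokens.` The body of `AllUserScopes` lies outside the hunk.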
diff --git a/mcpserver/Program.cs b/mcpserver/Program.cs
index e1d1eaa..6b0ac32 100644
--- a/mcpserver/Program.cs
+++ b/mcpserver/Program.cs
@@ -57,11 +57,11 @@
 Resource = mcpResource,
 AuthorizationServers = { authority },
 ScopesSupported = {
- $"{audience}/user:read",
- $"{audience}/label:read",
- $"{audience}/label:write",
- $"{audience}/task:read",
- $"{audience}/task:write",
+ $"{audience}/User.Read",
+ $"{audience}/Labels.Read",
+ $"{audience}/Labels.Write",
+ $"{audience}/Tasks.Read",
+ $"{audience}/Tasks.Write",
 },
 BearerMethodsSupported = { "header" },
 };
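Review bot: The scope names in `ScopesSupported` are string literals that duplicate the `ApiTokenScope` values in `apiserver/internal/models/user.go`, so the two lists can drift with nothing to catch it. OAuth scope strings are compared case-sensitively, which means the authorization server behind `authority` has to expose exactly `User.Read`, `Labels.Read` and so on in the same rollout, or clients following this metadata will request scopes it rejects; that registration is not visible in this commit. A comment on the initializer such as `// Must match the scopes registered at the authorization server and the ApiTokenScope values in apiserver.` would record the coupling. The enclosing statement starts before the hunk.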