diff --git a/auth/auth-module.nix b/auth/auth-module.nix
index f34194b..4d8498b 100644
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -28,6 +28,7 @@ let
   kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
   kanidmServiceAccountTokenFP = auth-passthru.mkServiceAccountTokenFP linuxGroup;
+  isRW = oauthClientID == "selfprivacy-api";
 in
 pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPost-script.sh"
@@ -53,8 +54,8 @@ let
         fi
       fi
-      # create a new read-only token for kanidm
-      if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" --output json)"
+      # create a new token for kanidm
+      if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
       then
         echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
         exit 1
@@ -77,7 +78,11 @@ let
   + lib.strings.optionalString isMailserver ''
     # add Kanidm service account to `idm_mail_servers` group
     $KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
-  '');
+ '' + lib.strings.optionalString isRW '' $KANIDM group add-members idm_admins "${kanidmServiceAccountName}" '' + );
 in
 {
   options.selfprivacy.auth = {
diff --git a/auth/auth.nix b/auth/auth.nix
index d1c3c20..ca1e6bb 100644
--- a/auth/auth.nix
+++ b/auth/auth.nix
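Review bot: `isRW = oauthClientID == "selfprivacy-api";` decides whether the service account gets a read-write token and `idm_admins` membership from a bare string compare on the client ID, so any evaluation of this module with that ID is granted IdM admin rights with nothing in the option surface saying so; the `let` block starts outside the hunk, so I cannot see whether `oauthClientID` is a fixed argument or a user-settable option. If it can be set from configuration, gate the privilege on an explicit option (or assert that the ID is used at most once) rather than on the name. At minimum document the intent next to the binding: `# isRW: only the SelfPrivacy API client gets a read-write token and idm_admins membership; every other client is read-only`.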
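Review bot: The new comment `# create a new token for kanidm` drops the one fact a reader needs here, namely that with `--rw` this token is a read-write credential for an account that the later hunk also places in `idm_admins`, i.e. an IdM admin bearer secret. Suggest `# create a new API token: read-write for the SelfPrivacy API client (isRW), read-only for every other client`. The `fi fi` context above suggests an existing-token cleanup path, but it is outside the hunk; worth confirming that a token previously issued read-only under the same `kanidmServiceAccountTokenName` is revoked rather than left alongside the new one.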
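Review bot: The added `$KANIDM group add-members idm_admins "${kanidmServiceAccountName}"` ignores its exit status, unlike the token generation above which fails the unit on error, so a failed group add leaves the service running with a read-write token whose account lacks the rights the API expects, and the failure only surfaces later as API errors. Suggest `$KANIDM group add-members idm_admins "${kanidmServiceAccountName}" || { echo "error: cannot add ${kanidmServiceAccountName} to idm_admins"; exit 1; }`. Membership is also only ever added: if `isRW` later evaluates false for the same account, nothing here removes it from `idm_admins`, so the admin grant persists unless something outside this diff reconciles it. The enclosing `pkgs.writeShellScript` expression starts outside the hunk.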
@@ -16,13 +16,6 @@ let
   selfprivacy-group = config.users.users."selfprivacy-api".group;
-  selfprivacy-service-account-name = "sp.selfprivacy-api.service-account";
-
-  kanidm-service-account-token-name =
-    "${selfprivacy-group}-service-account-token";
-  kanidm-service-account-token-fp =
-    "${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
-
   kanidmMigrateDbScript = pkgs.writeShellScript "kanidm-db-migration-script" ''
     # handle a case when kanidm database is not yet created (the first startup)
     if [ -f ${config.services.kanidm.serverSettings.db_path} ]
@@ -33,52 +26,6 @@ let
     fi
   '';
-  spApiUserExecStartPostScript =
-    pkgs.writeShellScript "spApiUserExecStartPostScript" ''
-      export HOME=$RUNTIME_DIRECTORY/client_home
-      readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
-
-      # get Kanidm service account for SelfPrivacyAPI
-      KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${selfprivacy-service-account-name}$")"
-      echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
-      if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
-      then
-        echo "kanidm service account \"${selfprivacy-service-account-name}\" is found"
-      else
-        echo "kanidm service account \"${selfprivacy-service-account-name}\" is not found"
-        echo "creating new kanidm service account \"${selfprivacy-service-account-name}\""
-        if $KANIDM service-account create --name idm_admin "${selfprivacy-service-account-name}" "SelfPrivacy API service account" idm_admin
-        then
-          echo "kanidm service account \"${selfprivacy-service-account-name}\" created"
-        else
-          echo "error: cannot create kanidm service account \"${selfprivacy-service-account-name}\""
-          exit 1
-        fi
-      fi
-
-      $KANIDM group add-members idm_admins "${selfprivacy-service-account-name}"
-
-      # create a new read-write token for kanidm
-      if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${selfprivacy-service-account-name}" "${kanidm-service-account-token-name}" --output json)"
-      then
-        echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
-        exit 1
-      fi
-      if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
-      then
-        echo "error: cannot get service-account API token from JSON"
-        exit 1
-      fi
-
-      if ! 
install --mode=640 \
-        <(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
-        ${kanidm-service-account-token-fp}
-      then
-        echo "error: cannot write token to \"${kanidm-service-account-token-fp}\""
-        exit 1
-      fi
-    '';
-
   # lua stuff for nginx for debugging only
   lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
   lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
@@ -214,9 +161,6 @@ lib.mkIf config.selfprivacy.sso.enable {
       lib.mkIf (pkgs.kanidm.version == "1.5.0") (lib.mkBefore [ kanidmMigrateDbScript ]);
-  systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
-    [ spApiUserExecStartPostScript ];
-
   selfprivacy.passthru.auth = {
     inherit admins-group
diff --git a/flake.lock b/flake.lock
index daa2e18..615039c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -62,11 +62,11 @@
       ]
     },
     "locked": {
-      "lastModified": 1744640029,
-      "narHash": "sha256-Rqy+HhW7weEfAc5rPmxusewuo/69sWVXlQOL2a3Y9ZU=",
-      "ref": "inex/add-oauth",
-      "rev": "5393642f896d5fa4b9b7be215d72714554259de6",
-      "revCount": 1749,
+      "lastModified": 1745270427,
+      "narHash": "sha256-EHbn9AgWTmIuRwAo7Y+sULHNN+/vN0r8h2JbTqmYxZc=",
+      "ref": "use-auth-nixos-module",
+      "rev": "582d11c1fbea36d6fdbd0a64f782ca8f8c6a1338",
+      "revCount": 1750,
       "type": "git",
       "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
     },