diff --git a/module.nix b/module.nix
index a96810c..e452ca3 100644
--- a/module.nix
+++ b/module.nix
@@ -12,6 +12,7 @@ let
   auth-passthru = config.selfprivacy.passthru.auth;
   oauth2-provider-origin = config.services.kanidm.serverSettings.origin;
   usersGroup = "sp.writefreely.users";
+  adminsGroup = "sp.writefreely.admins";
   oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
 in
 {
@@ -155,7 +156,7 @@ in
     };
 
     selfprivacy.auth.clients.${oauthClientID} = {
-      inherit usersGroup;
+      inherit usersGroup adminsGroup;
       subdomain = cfg.subdomain;
       originLanding = "https://${cfg.subdomain}.${sp.domain}/";
       originUrl = "https://${cfg.subdomain}.${sp.domain}/oauth/callback/generic";