diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 8e1e23fb..25e0eb55 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -3,18 +3,29 @@ require 'swagger_helper'
 describe 'Users API', type: :request do
   path '/user' do
     get 'info about the currently logged-in user' do
+      # security [oauth2: []]
       tags '1. User'
       produces 'application/json'
+      let(:user) { create(:user) }
+      let(:api_access_token) { create(:oauth2_access_token, resource_owner_id: user.id, scopes: api_scopes&.join(' ')).token }
+      let(:Authorization) { "Bearer #{api_access_token}" }
       response '200', 'success' do
+        let(:api_scopes) { ['user:read'] }
         run_test! do |response|
-          let(:Authorization) { "Basic #{::Base64.strict_encode64('jsmith:jspass')}" }
           data = JSON.parse(response.body)
-          # expect(data[])
+          expect(data['user']['id']).to eq(user.id)
         end
       end
+      response '403', 'missing scope' do
+        let(:api_scopes) { [] }
+        run_test!
+      end
+
+      response '401', 'not logged-in' do
+        let(:Authorization) { "" }
         run_test!
       end
     end
diff --git a/spec/support/factory_bot.rb b/spec/support/factory_bot.rb
index 655548ee..2cb72940 100644
--- a/spec/support/factory_bot.rb
+++ b/spec/support/factory_bot.rb
@@ -1,4 +1,4 @@
 RSpec.configure do |config|
   # load FactoryBot shortcuts create(), etc.
   config.include FactoryBot::Syntax::Methods
-end
+end
\ No newline at end of file
diff --git a/spec/swagger_helper.rb b/spec/swagger_helper.rb
index 0cfa8370..88f0736f 100644
--- a/spec/swagger_helper.rb
+++ b/spec/swagger_helper.rb
@@ -26,8 +26,6 @@ RSpec.configure do |config|
       securitySchemes: {
         oauth2: {
           type: :oauth2,
-          in: :header,
-          name: 'Authorization',
           flows: {
             implicit: {
               authorizationUrl: 'http://localhost:3000/f/oauth/authorize',
diff --git a/swagger/v1/swagger.yaml b/swagger/v1/swagger.yaml
index 549db1d2..7702e953 100644
--- a/swagger/v1/swagger.yaml
+++ b/swagger/v1/swagger.yaml
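Review bot: The `&.` in `scopes: api_scopes&.join(' ')` suggests `api_scopes` may be nil, but a `let` that is never defined raises NameError rather than returning nil, so any response block that evaluates `api_access_token` without its own `let(:api_scopes)` would fail with NameError instead of producing a scope-less token (today none does, since the '401' block overrides `Authorization` before the token is needed). Either add a default next to the other shared lets, `let(:api_scopes) { nil }`, or drop the `&.` so the dependency on the per-response `let` is explicit. Separately, `# security [oauth2: []]` is left commented out, so the generated OpenAPI document does not declare this operation as requiring OAuth2 even though the new 401/403 examples exercise exactly that; if it had to be disabled for an rswag reason, a one-line comment saying why would save the next reader from re-enabling it blindly.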
@@ -12,14 +12,14 @@ paths:
       responses:
         '200':
           description: success
+        '403':
+          description: missing scope
         '401':
           description: not logged-in
 components:
   securitySchemes:
     oauth2:
       type: oauth2
-      in: header
-      name: Authorization
       flows:
         implicit:
           authorizationUrl: http://localhost:3000/f/oauth/authorize