diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 6ed8026960..e7d09f8dde 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -999,7 +999,7 @@ class BaseOAuth2TokenSerializer(BaseSerializer):
 )
 read_only_fields = ('user', 'token', 'expires', 'refresh_token')
 extra_kwargs = {
- 'scope': {'allow_null': False, 'required': True},
+ 'scope': {'allow_null': False, 'required': False},
 'user': {'allow_null': False, 'required': True}
 }
 
@@ -1061,7 +1061,7 @@ class UserAuthorizedTokenSerializer(BaseOAuth2TokenSerializer):
 
 class Meta:
 extra_kwargs = {
- 'scope': {'allow_null': False, 'required': True},
+ 'scope': {'allow_null': False, 'required': False},
 'user': {'allow_null': False, 'required': True},
 'application': {'allow_null': False, 'required': True}
 }
diff --git a/awx/main/migrations/0033_v330_oauth_help_text.py b/awx/main/migrations/0033_v330_oauth_help_text.py
index 41704307b0..0b64579d65 100644
--- a/awx/main/migrations/0033_v330_oauth_help_text.py
+++ b/awx/main/migrations/0033_v330_oauth_help_text.py
@@ -20,7 +20,7 @@ class Migration(migrations.Migration):
 migrations.AlterField(
 model_name='oauth2accesstoken',
 name='scope',
- field=models.TextField(blank=True, help_text="Allowed scopes, further restricts user's permissions."),
+ field=models.TextField(blank=True, default=b'write', help_text="Allowed scopes, further restricts user's permissions."),
 ),
 migrations.AlterField(
 model_name='oauth2accesstoken',
diff --git a/awx/main/models/oauth.py b/awx/main/models/oauth.py
index 45e13fc8b0..a23ec6afeb 100644
--- a/awx/main/models/oauth.py
+++ b/awx/main/models/oauth.py
@@ -109,6 +109,7 @@ class OAuth2AccessToken(AbstractAccessToken):
 )
 scope = models.TextField(
 blank=True,
+ default='write',
 help_text=_('Allowed scopes, further restricts user\'s permissions. Must be a simple space-separated string with allowed scopes [\'read\', \'write\'].')
 )
 
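Review bot: With `'required': False` on `scope`, a request that omits the field now gets the model default `'write'`, which is the broader of the two scopes the model's help text lists, so a client that simply forgets the field receives a write-capable token; the second hunk (`UserAuthorizedTokenSerializer.Meta`) makes the same change. If 'write' is the intended fallback it should be visible in the API schema, e.g. `'scope': {'allow_null': False, 'required': False, 'help_text': "Defaults to 'write' when omitted."}`; from a least-privilege standpoint a 'read' fallback, or keeping the field required on the user-facing serializer, would be the safer choice. Unless a `validate_scope` hook outside this hunk already restricts the value to 'read'/'write', nothing shown here enforces the set the help text promises. Both `Meta` classes start outside their hunks.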
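Review bot: The migration sets `default=b'write'` (a bytes literal) while the model in the next hunk sets `default='write'` (str); under Python 3 these deconstruct differently, so `makemigrations` would detect the field as changed and generate a fresh migration, and under Python 2 the `b` prefix is merely redundant. Use the same literal in both places: `field=models.TextField(blank=True, default='write', help_text="Allowed scopes, further restricts user's permissions."),`. Editing an already-applied migration in place is also unusual; if 0033 has shipped, a new AlterField migration would be the conventional fix, but I cannot tell from the hunk whether it has.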
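Review bot: `default='write'` combined with the existing `blank=True` means an omitted `scope` becomes 'write' while an explicitly posted empty string stays `''`, so "no scope" and "empty scope" now diverge and the help text says nothing about either case. The help text should state the default, for example append "Defaults to 'write' when omitted." to the existing `_()` string, and the blank case should be decided deliberately (treat `''` as the default, or reject it) rather than left to whatever the downstream scope check does with an empty string, which I cannot see from this hunk. The `OAuth2AccessToken` class continues outside the hunk.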
diff --git a/awx/main/tests/functional/api/test_oauth.py b/awx/main/tests/functional/api/test_oauth.py
index 7e8b63eb08..f4011fa590 100644
--- a/awx/main/tests/functional/api/test_oauth.py
+++ b/awx/main/tests/functional/api/test_oauth.py
@@ -28,6 +28,26 @@ def test_personal_access_token_creation(oauth_application, post, alice):
 assert 'refresh_token' in resp_json
 
 
+@pytest.mark.django_db
+def test_pat_creation_no_default_scope(oauth_application, post, admin):
+ # tests that the default scope is overriden
+ url = reverse('api:o_auth2_token_list')
+ response = post(url, {'description': 'test token',
+ 'scope': 'read',
+ 'application': oauth_application.pk,
+ }, admin)
+ assert response.data['scope'] == 'read'
+
+
+@pytest.mark.django_db
+def test_pat_creation_no_scope(oauth_application, post, admin):
+ url = reverse('api:o_auth2_token_list')
+ response = post(url, {'description': 'test token',
+ 'application': oauth_application.pk,
+ }, admin)
+ assert response.data['scope'] == 'write'
+
+
 @pytest.mark.django_db
 def test_oauth2_application_create(admin, organization, post):
 response = post(
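Review bot: The two new tests pin the omitted-scope and explicit-'read' cases but leave the two edges the model change creates untested: an explicit empty string (`'scope': ''`, which `blank=True` admits) and a value outside the documented set such as 'admin', so the help text's "allowed scopes ['read', 'write']" contract is not verified by anything here. A third test posting `'scope': ''` and asserting whichever outcome is intended (the 'write' default or a 400), plus one posting an unknown value and asserting it is rejected, would close that gap; I cannot tell from the hunk whether a validator exists to make the second one pass. Minor: the comment in `test_pat_creation_no_default_scope` should read `# tests that the default scope is overridden`.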