diff --git a/.env.example b/.env.example
index a4c83d29..889216c1 100644
--- a/.env.example
+++ b/.env.example
@@ -97,6 +97,6 @@ RABBITMQ_DEFAULT_PASS=aohohunuhouhuhhoahothonseuhaoensuthoaentsuhha
 
 # v5 stuff, does absolutely nothing on master (aka: you can delete this)
 EXTRA_CLAIMS='{"permissions": ["core.read"], "verified": false}'
-FIRST_USER_CLAIMS='{"permissions": ["user.read", "users.write", "users.delete", "core.read"], "verified": true}'
+FIRST_USER_CLAIMS='{"permissions": ["users.read", "users.write", "users.delete", "core.read"], "verified": true}'
 GUEST_CLAIMS='{"permissions": ["core.read"]}'
 PROTECTED_CLAIMS="permissions,verified"
diff --git a/auth/.env.example b/auth/.env.example
index 1e69fdee..c1ea11eb 100644
--- a/auth/.env.example
+++ b/auth/.env.example
@@ -11,7 +11,7 @@ RSA_PRIVATE_KEY_PATH=""
 EXTRA_CLAIMS='{}'
 # json object with the claims to add to every jwt of the FIRST user (this can be used to mark the first user as admin).
 # Those claims are merged with the `EXTRA_CLAIMS`.
-FIRST_USER_CLAIMS='{}'
+FIRST_USER_CLAIMS='{"permissions": ["users.read", "users.write", "users.delete"]}'
 # If this is not empty, calls to `/jwt` without an `Authorization` header will still create a jwt (with `null` in `sub`)
 GUEST_CLAIMS=""
 # Comma separated list of claims that users without the `user.write` permissions should NOT be able to edit
diff --git a/auth/config.go b/auth/config.go
index cc7ac656..b503ca30 100644
--- a/auth/config.go
+++ b/auth/config.go
@@ -47,14 +47,13 @@ func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {
 return nil, err
 }
 }
+ maps.Insert(ret.FirstUserClaims, maps.All(ret.DefaultClaims))
 claims = os.Getenv("FIRST_USER_CLAIMS")
 if claims != "" {
 err := json.Unmarshal([]byte(claims), &ret.FirstUserClaims)
 if err != nil {
 return nil, err
 }
-
- maps.Insert(ret.FirstUserClaims, maps.All(ret.DefaultClaims))
 } else {
 ret.FirstUserClaims = ret.DefaultClaims
 }
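Review bot: The new `FIRST_USER_CLAIMS` default in auth/.env.example gives `users.write` and `users.delete` to whichever account registers first, and the comment above it does not say so. A line such as `# With this default the first registered account can edit and delete users; create it before exposing the service.` would make that explicit. "Merged with the `EXTRA_CLAIMS`" also hides that, with the auth/config.go change in this commit, the overlay is per top-level key, so this `permissions` array replaces any `permissions` set in `EXTRA_CLAIMS` rather than extending it. The last context line still spells the permission `user.write` while the values here use `users.write`; one of the two is presumably stale.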
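Review bot: The added `maps.Insert(ret.FirstUserClaims, maps.All(ret.DefaultClaims))` writes into `ret.FirstUserClaims` before anything visible in this hunk allocates it. If that map is still nil at this point, the call panics as soon as `DefaultClaims` is non-empty; the start of LoadConfiguration is outside the hunk, so this needs confirming. Writing `ret.FirstUserClaims = maps.Clone(ret.DefaultClaims)` instead avoids the nil write. It also makes the `else` branch unnecessary, which currently leaves both fields pointing at one map, so a later write to the first-user claims would change the default claims too. A short comment above the `json.Unmarshal` would help as well: it overlays the defaults per top-level key, so a `permissions` array in `FIRST_USER_CLAIMS` replaces the default one rather than being unioned with it.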