diff --git a/scanner/scanner/__init__.py b/scanner/scanner/__init__.py
index ad2d3b08..eaa412b2 100644
--- a/scanner/scanner/__init__.py
+++ b/scanner/scanner/__init__.py
@@ -77,7 +77,7 @@ app = FastAPI(
 )
 async def trigger_scan(
 tasks: BackgroundTasks,
- _: Annotated[None, Security(validate_bearer, scopes=["scanner."])],
+ _: Annotated[None, Security(validate_bearer, scopes=["scanner.trigger"])],
 ):
 """
 Trigger a full scan of the filesystem, trying to find new videos & deleting old ones.
diff --git a/scanner/scanner/jwt.py b/scanner/scanner/jwt.py
index 7d070cf4..1f02b8cf 100644
--- a/scanner/scanner/jwt.py
+++ b/scanner/scanner/jwt.py
@@ -1,4 +1,5 @@
 import os
+from logging import getLogger
 from typing import Annotated
 
 import jwt
@@ -6,6 +7,8 @@ from fastapi import Depends, HTTPException
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer, SecurityScopes
 from jwt import PyJWKClient
 
+logger = getLogger(__name__)
+
 jwks_client = PyJWKClient(
 os.environ.get("JWKS_URL", "http://auth:4568/.well-known/jwks.json")
 )
@@ -21,6 +24,7 @@ def validate_bearer(
 payload = jwt.decode(
 token.credentials,
 jwks_client.get_signing_key_from_jwt(token.credentials).key,
+ algorithms=["RS256"],
 issuer=os.environ.get("JWT_ISSUER"),
 )
 for scope in perms.scopes:
@@ -34,6 +38,7 @@ def validate_bearer(
 )
 return payload
 except Exception as e:
+ logger.error("Failed to parse token", exc_info=e)
 raise HTTPException(
 status_code=403,
 detail="Could not validate credentials",
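Review bot: In scanner/scanner/jwt.py (hunk at -21,6), the `jwt.decode` call in `validate_bearer` still passes `issuer=os.environ.get("JWT_ISSUER")`, so when `JWT_ISSUER` is unset the argument is `None` and PyJWT does not check the `iss` claim at all; pinning `algorithms=["RS256"]` does not cover that. Fail closed by reading the variable once at import and refusing to start without it, e.g. `JWT_ISSUER = os.environ["JWT_ISSUER"]`, and consider adding `options={"require": ["exp", "iss"]}` so a token that omits either claim is rejected instead of accepted. No `audience` is passed in the visible lines; if the auth service signs tokens for more than one service, an audience check here would keep a token issued for another service from being accepted by the scanner. The function starts and ends outside this hunk, so confirm none of this is handled elsewhere in it.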
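Review bot: In scanner/scanner/jwt.py (hunk at -34,6), the added `logger.error("Failed to parse token", exc_info=e)` sits in the broad `except Exception` handler, so every rejected request, including unauthenticated ones, writes an error-level traceback. For invalid tokens a single line is enough, e.g. `logger.warning("Token validation failed: %s", e)`, keeping `exc_info` and error level for JWKS fetch failures, which are an operational problem rather than a bad credential. The closing `)` just before `return payload` looks like the end of an `HTTPException` raised for a missing scope (the raise itself is outside the hunk); if so, this handler catches it, logs it as a parse failure and replaces its detail, which `except HTTPException: raise` placed before the broad handler would avoid. Also worth a comment on the handler noting that the client-facing `detail` is deliberately generic while the cause goes to the log only.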