diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index c37d458fee..508c99880d 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1148,24 +1148,24 @@ func Routes(ctx gocontext.Context) *web.Route {
 			}, reqToken(auth_model.AccessTokenScopeAdminOrgHook), reqOrgOwnership(), reqWebhooksEnabled())
 		}, orgAssignment(true))
 		m.Group("/teams/{teamid}", func() {
-			m.Combo("").Get(org.GetTeam).
-				Patch(reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).
-				Delete(reqOrgOwnership(), org.DeleteTeam)
+			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeam).
+				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).
+				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteTeam)
 			m.Group("/members", func() {
-				m.Get("", org.GetTeamMembers)
+				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMembers)
 				m.Combo("/{username}").
-					Get(org.GetTeamMember).
-					Put(reqOrgOwnership(), org.AddTeamMember).
-					Delete(reqOrgOwnership(), org.RemoveTeamMember)
+					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMember).
+					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.AddTeamMember).
+					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.RemoveTeamMember)
 			})
 			m.Group("/repos", func() {
-				m.Get("", org.GetTeamRepos)
+				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepos)
 				m.Combo("/{org}/{reponame}").
-					Put(org.AddTeamRepository).
-					Delete(org.RemoveTeamRepository).
-					Get(org.GetTeamRepo)
+					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), org.AddTeamRepository).
+					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), org.RemoveTeamRepository).
+					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepo)
 			})
-		}, orgAssignment(false, true), reqToken(""), reqTeamMembership())
+		}, orgAssignment(false, true), reqTeamMembership())
 
 		m.Group("/admin", func() {
 			m.Group("/cron", func() {
diff --git a/tests/integration/api_team_test.go b/tests/integration/api_team_test.go
index 76f39360f2..07bdfb4376 100644
--- a/tests/integration/api_team_test.go
+++ b/tests/integration/api_team_test.go
@@ -44,7 +44,7 @@ func TestAPITeam(t *testing.T) {
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: teamUser2.UID})
 
 	session = loginUser(t, user2.Name)
-	token = getTokenForLoggedInUser(t, session)
+	token = getTokenForLoggedInUser(t, session, "read_org")
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
 	_ = session.MakeRequest(t, req, http.StatusForbidden)
 
diff --git a/tests/integration/api_team_user_test.go b/tests/integration/api_team_user_test.go
index b999b97a2b..de66454822 100644
--- a/tests/integration/api_team_user_test.go
+++ b/tests/integration/api_team_user_test.go
@@ -23,7 +23,7 @@ func TestAPITeamUser(t *testing.T) {
 
 	normalUsername := "user2"
 	session := loginUser(t, normalUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getTokenForLoggedInUser(t, session, "read_org")
 	req := NewRequest(t, "GET", "/api/v1/teams/1/members/user1?token="+token)
 	session.MakeRequest(t, req, http.StatusNotFound)