diff --git a/app/blueprints/oauth/__init__.py b/app/blueprints/oauth/__init__.py
index 84f4d8b7..700e1cdf 100644
--- a/app/blueprints/oauth/__init__.py
+++ b/app/blueprints/oauth/__init__.py
@@ -27,8 +27,8 @@ from wtforms.validators import InputRequired, Length
 
 from app import csrf
 from app.blueprints.users.settings import get_setting_tabs
-from app.models import db, OAuthClient, User, Permission, APIToken
-from app.utils import random_string
+from app.models import db, OAuthClient, User, Permission, APIToken, AuditSeverity
+from app.utils import random_string, add_audit_log
 
 bp = Blueprint("oauth", __name__)
 
@@ -63,6 +63,10 @@ def oauth_start():
 	if client.redirect_url != redirect_uri:
 		return "redirect_uri does not match client", 400
 
+	scope = request.args.get("scope", "public")
+	if scope != "public":
+		return "Unsupported scope, only public is supported", 400
+
 	state = request.args.get("state")
 
 	token = APIToken.query.filter(APIToken.client == client, APIToken.owner == current_user).first()
@@ -86,6 +90,11 @@ def oauth_start():
 			assert client is not None
 			token.auth_code = random_string(32)
 			db.session.add(token)
+
+			add_audit_log(AuditSeverity.USER, current_user,
+					f"Granted \"{scope}\" to OAuth2 application \"{client.title}\" by {client.owner.username} [{client_id}] ",
+					url_for("users.profile", username=current_user.username))
+
 			db.session.commit()
 
 			return redirect(build_redirect_url(client.redirect_url, token.auth_code, state))
@@ -180,6 +189,12 @@ def create_edit_client(username, id_=None):
 			client.secret = random_string(32)
 
 		form.populate_obj(client)
+
+		verb = "Created" if is_new else "Edited"
+		add_audit_log(AuditSeverity.NORMAL, current_user,
+				f"{verb} OAuth2 application {client.title} by {client.owner.username} [{client.id}]",
+				url_for("oauth.create_edit_client", username=client.owner.username, id_=client.id))
+
 		db.session.commit()
 
 		return redirect(url_for("oauth.create_edit_client", username=username, id_=client.id))
@@ -200,6 +215,10 @@ def delete_client(username, id_):
 	elif client.owner != user:
 		abort(403)
 
+	add_audit_log(AuditSeverity.NORMAL, current_user,
+			f"Deleted OAuth2 application {client.title} by {client.owner.username} [{client.id}]",
+			url_for("users.profile", username=current_user.username))
+
 	db.session.delete(client)
 	db.session.commit()
 
diff --git a/app/models/users.py b/app/models/users.py
index 91d43c9a..bb2d9dd6 100644
--- a/app/models/users.py
+++ b/app/models/users.py
@@ -193,6 +193,7 @@ class User(db.Model, UserMixin):
 	ban = db.relationship("UserBan", foreign_keys="UserBan.user_id", back_populates="user", uselist=False)
 
 	def get_dict(self):
+		from app.utils.flask import abs_url_for
 		return {
 			"username": self.username,
 			"display_name": self.display_name,
@@ -205,8 +206,8 @@ class User(db.Model, UserMixin):
 				"forums": self.forums_username,
 			},
 			"links": {
-				"api_packages": url_for("api.packages", author=self.username),
-				"profile": url_for("users.profile", username=self.username),
+				"api_packages": abs_url_for("api.packages", author=self.username),
+				"profile": abs_url_for("users.profile", username=self.username),
 			}
 		}