diff --git a/app/controllers/api/v1/application_controller.rb b/app/controllers/api/v1/application_controller.rb
index 1c67b040..8de44b67 100644
--- a/app/controllers/api/v1/application_controller.rb
+++ b/app/controllers/api/v1/application_controller.rb
@@ -12,7 +12,7 @@ def authenticated
 end
 def admin_authenticated
- !!doorkeeper_token.id && doorkeeper_token.scopes.include?('admin')
+ !!doorkeeper_token.id && doorkeeper_token.scopes&.include?('admin')
 end
 def current_user
diff --git a/app/graphql/types/query_type.rb b/app/graphql/types/query_type.rb
index 2ec95d9b..6f74a9a3 100644
--- a/app/graphql/types/query_type.rb
+++ b/app/graphql/types/query_type.rb
@@ -31,12 +31,6 @@ def item(full_identifier:)
 argument :full_identifier, ID
 end
 def item_bwf_xml(full_identifier:)
- p 'MOO'
- p 'MOO'
- p 'MOO'
- p 'MOO'
- p 'MOO'
- p context
 raise(GraphQL::ExecutionError, 'Not authorised') unless context[:admin_authenticated]
 collection_identifier, item_identifier = full_identifier.split('-')
diff --git a/app/views/items/show_bwf.xml.haml b/app/views/items/show_bwf.xml.haml
index fcf350d2..b5e11e11 100644
--- a/app/views/items/show_bwf.xml.haml
+++ b/app/views/items/show_bwf.xml.haml
@@ -1,6 +1,6 @@
 %Core
 %Description
- = "# Notes
+ = "# Notes"
 = "Reference: https://catalog.paradisec.org.au/repository/#{@item.collection.identifier}/#{@item.identifier}"
 = ""
 = "Description: #{@item.description}."
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 36a3939c..a11b113c 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -230,8 +230,8 @@
 # For more information go to
 # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
 #
- # default_scopes :public
- # optional_scopes :write, :update
+ default_scopes :read
+ optional_scopes :write, :admin
 # Allows to restrict only certain scopes for grant_type.
 # By default, all the scopes will be available for all the grant types.
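Review bot: `admin_authenticated` still calls `doorkeeper_token.id` unguarded, so a request that carries no bearer token raises NoMethodError before the new `&.` on `scopes` is ever reached; the nil that matters here is the token itself. The predicate also tests only that a token row exists and carries the `admin` scope, and Doorkeeper's `doorkeeper_token` helper returns expired and revoked tokens as well. Unless a filter outside this hunk already calls `doorkeeper_authorize!`, validity should be part of the check: `!!doorkeeper_token&.acceptable?(['admin'])`. The surrounding method bodies lie outside the hunk, so how `authenticated` handles the same cases is not visible.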
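Review bot: Adding `:admin` to `optional_scopes` makes the scope that `admin_authenticated` relies on requestable through every grant type, and a Doorkeeper scope is attached to the token rather than checked against the role of the user who approved it. If administrative access is meant to depend on who the resource owner is, the scope test needs a role check next to it wherever it is enforced; that code is not in this hunk. I would also record the intent in the initializer, for example `# :admin gates the admin-only API and GraphQL fields; assign it only to trusted applications`, and consider the per-grant-type restriction described in the comment just below these lines.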
@@ -246,7 +246,7 @@
 # not in configuration, i.e. +default_scopes+ or +optional_scopes+.
 # (disabled by default)
 #
- # enforce_configured_scopes
+ enforce_configured_scopes
 # Change the way client credentials are retrieved from the request object.
 # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
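Review bot: `enforce_configured_scopes` is applied when an application record is created or updated, so applications saved before this commit are not re-validated, and one whose `scopes` column is blank falls back to the server-wide list, which now includes `admin`. Whether such rows exist is not visible from the diff. I would backfill explicit scopes on existing applications as part of this rollout and note it above the setting, for example `# existing applications need explicit scopes; blank ones fall back to all configured scopes`.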