diff --git a/build/integration/features/auth.feature b/build/integration/features/auth.feature index a3af28f25c..b9f423a9e9 100644 --- a/build/integration/features/auth.feature +++ b/build/integration/features/auth.feature @@ -2,11 +2,11 @@ Feature: auth Background: Given user "user0" exists - Given a new client token is used - + Given a new restricted client token is added + Given a new unrestricted client token is added + Given the cookie jar is reset # FILES APP - Scenario: access files app anonymously When requesting "/index.php/apps/files" with "GET" Then the HTTP status code should be "401" @@ -15,12 +15,20 @@ Feature: auth When requesting "/index.php/apps/files" with "GET" using basic auth Then the HTTP status code should be "200" - Scenario: access files app with basic token auth - When requesting "/index.php/apps/files" with "GET" using basic token auth + Scenario: access files app with unrestricted basic token auth + When requesting "/index.php/apps/files" with "GET" using unrestricted basic token auth + Then the HTTP status code should be "200" + Then requesting "/remote.php/files/welcome.txt" with "GET" using browser session Then the HTTP status code should be "200" - Scenario: access files app with a client token - When requesting "/index.php/apps/files" with "GET" using a client token + Scenario: access files app with restricted basic token auth + When requesting "/index.php/apps/files" with "GET" using restricted basic token auth + Then the HTTP status code should be "200" + Then requesting "/remote.php/files/welcome.txt" with "GET" using browser session + Then the HTTP status code should be "404" + + Scenario: access files app with an unrestricted client token + When requesting "/index.php/apps/files" with "GET" using an unrestricted client token Then the HTTP status code should be "200" Scenario: access files app with browser session 
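Review bot: The restricted-token scenario asserts a 404 on `/remote.php/files/welcome.txt`, which is also what a missing file or a broken route returns, so the step cannot tell a scope denial from an endpoint regression; asserting 401/403, or first showing inside the same scenario that an unrestricted session gets 200 on the same path, would pin the restriction itself. The `using browser session` step that follows presumably reuses the cookies the preceding basic-token request left in the shared jar (the Background resets the jar beforehand), which is the mechanism actually under test and is not stated anywhere. A comment on the scenario would make it explicit: `# the basic-token request above seeds the cookie jar; the browser-session step reuses that session`.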
@@ -28,9 +36,7 @@ Feature: auth When requesting "/index.php/apps/files" with "GET" using browser session Then the HTTP status code should be "200" - # WebDAV - Scenario: using WebDAV anonymously When requesting "/remote.php/webdav" with "PROPFIND" Then the HTTP status code should be "401" @@ -39,23 +45,20 @@ Feature: auth When requesting "/remote.php/webdav" with "PROPFIND" using basic auth Then the HTTP status code should be "207" - Scenario: using WebDAV with token auth - When requesting "/remote.php/webdav" with "PROPFIND" using basic token auth + Scenario: using WebDAV with unrestricted basic token auth + When requesting "/remote.php/webdav" with "PROPFIND" using unrestricted basic token auth Then the HTTP status code should be "207" - # DAV token auth is not possible yet - #Scenario: using WebDAV with a client token - # When requesting "/remote.php/webdav" with "PROPFIND" using a client token - # Then the HTTP status code should be "207" + Scenario: using WebDAV with restricted basic token auth + When requesting "/remote.php/webdav" with "PROPFIND" using restricted basic token auth + Then the HTTP status code should be "207" Scenario: using WebDAV with browser session Given a new browser session is started When requesting "/remote.php/webdav" with "PROPFIND" using browser session Then the HTTP status code should be "207" - # OCS - Scenario: using OCS anonymously When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" Then the OCS status code should be "997" 
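Review bot: The restricted-token PROPFIND scenario expects the same 207 as the unrestricted one, so nothing in this feature demonstrates that a token created with `filesystem: false` is denied anything over WebDAV, and a regression that ignored the scope on the DAV endpoint would still pass. If the intended semantics are that the scope only affects the `/remote.php/files` path, the scenario should carry a comment saying so, e.g. `# filesystem scope does not restrict DAV; see the files-app scenario for the 404 case`; otherwise the expected status here should be 401 or 403.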
@@ -65,11 +68,11 @@ Feature: auth Then the OCS status code should be "100" Scenario: using OCS with token auth - When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using basic token auth + When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using unrestricted basic token auth Then the OCS status code should be "100" - Scenario: using OCS with client token - When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using a client token + Scenario: using OCS with an unrestricted client token + When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using an unrestricted client token Then the OCS status code should be "100" Scenario: using OCS with browser session @@ -84,3 +87,19 @@ Feature: auth And requesting "/index.php/apps/files" with "GET" using browser session Then the HTTP status code should be "200" + # AUTH TOKENS + Scenario: Creating an auth token with regular auth token should not work + When requesting "/index.php/apps/files" with "GET" using restricted basic token auth + Then the HTTP status code should be "200" + When the CSRF token is extracted from the previous response + When a new unrestricted client token is added using restricted basic token auth + Then the HTTP status code should be "503" + + Scenario: Creating a restricted auth token with regular login should work + When a new restricted client token is added + Then the HTTP status code should be "200" + + Scenario: Creating an unrestricted auth token with regular login should work + When a new unrestricted client token is added + Then the HTTP status code should be "200" + diff --git a/build/integration/features/bootstrap/Auth.php b/build/integration/features/bootstrap/Auth.php index 46bb94a2b2..fd1b2e05a8 100644 --- a/build/integration/features/bootstrap/Auth.php +++ b/build/integration/features/bootstrap/Auth.php @@ -1,7 +1,5 @@ * 
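Review bot: The "should not work" scenario pins a 503 for a token-creation attempt made while authenticated with an app token; a policy denial surfaced as Service Unavailable is indistinguishable from an outage to anyone reading logs or dashboards, so if the server deliberately answers 503 here the scenario needs a comment explaining it (`# server answers 503 when the session was opened with an app token rather than a password`), and if it does not, 403 is the code to assert. The scenario title says "regular auth token" while the step uses the restricted token; naming the scenario by what it exercises avoids confusion with the unrestricted-token scenarios above it.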
@@ -21,19 +19,28 @@ * along with this program. If not, see . * */ + use GuzzleHttp\Client; use GuzzleHttp\Exception\ClientException; +use GuzzleHttp\Cookie\CookieJar; require __DIR__ . '/../../vendor/autoload.php'; trait Auth { - - private $clientToken; + /** @var string */ + private $unrestrictedClientToken; + /** @var string */ + private $restrictedClientToken; + /** @var Client */ + private $client; + /** @var string */ + private $responseXml; /** @BeforeScenario */ public function setUpScenario() { $this->client = new Client(); $this->responseXml = ''; + $this->cookieJar = new CookieJar(); } /** @@ -65,15 +72,28 @@ trait Auth { } /** - * @Given a new client token is used + * @When the CSRF token is extracted from the previous response */ - public function aNewClientTokenIsUsed() { - $this->loggingInUsingWebAs('user0'); + public function theCsrfTokenIsExtractedFromThePreviousResponse() { + $this->requestToken = substr(preg_replace('/(.*)data-requesttoken="(.*)">(.*)/sm', '\2', $this->response->getBody()->getContents()), 0, 89); + } + + /** + * @param bool $loginViaWeb + * @return object + */ + private function createClientToken($loginViaWeb = true) { + if($loginViaWeb) { + $this->loggingInUsingWebAs('user0'); + } $fullUrl = substr($this->baseUrl, 0, -5) . '/index.php/settings/personal/authtokens'; $client = new Client(); $options = [ - 'auth' => ['user0', '123456'], + 'auth' => [ + 'user0', + $loginViaWeb ? '123456' : $this->restrictedClientToken, + ], 'body' => [ 'requesttoken' => $this->requestToken, 'name' => md5(microtime()), 
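Review bot: `theCsrfTokenIsExtractedFromThePreviousResponse` recovers the CSRF token with greedy `(.*)` groups and then truncates to 89 bytes; the inner `(.*)` runs to the last `">` on the page, so the step only works because of the fixed-length cut and breaks silently if the token length or page markup changes. A bounded attribute match is shorter and exact: `preg_match('/data-requesttoken="([^"]+)"/', $this->response->getBody()->getContents(), $m); $this->requestToken = $m[1];`, ideally followed by a check that the match succeeded so a login page without the token fails loudly. `$this->requestToken` and `$this->cookieJar` are assigned but not declared next to the new `@var` properties, presumably because the using context declares them — worth confirming. `createClientToken` continues past the end of this hunk.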
@@ -81,34 +101,107 @@ trait Auth { 'cookies' => $this->cookieJar, ]; - $resp = $client->send($client->createRequest('POST', $fullUrl, $options)); + try { + $this->response = $client->send($client->createRequest('POST', $fullUrl, $options)); + } catch (\GuzzleHttp\Exception\ServerException $e) { + $this->response = $e->getResponse(); + } + return json_decode($this->response->getBody()->getContents()); + } - $this->clientToken = json_decode($resp->getBody()->getContents())->token; + /** + * @Given a new restricted client token is added + */ + public function aNewRestrictedClientTokenIsAdded() { + $tokenObj = $this->createClientToken(); + $newCreatedTokenId = $tokenObj->deviceToken->id; + $fullUrl = substr($this->baseUrl, 0, -5) . '/index.php/settings/personal/authtokens/' . $newCreatedTokenId; + $client = new Client(); + $options = [ + 'auth' => ['user0', '123456'], + 'headers' => [ + 'requesttoken' => $this->requestToken, + ], + 'json' => [ + 'scope' => [ + 'filesystem' => false, + ], + ], + 'cookies' => $this->cookieJar, + ]; + $this->response = $client->send($client->createRequest('PUT', $fullUrl, $options)); + $this->restrictedClientToken = $tokenObj->token; + } + + /** + * @Given a new unrestricted client token is added + */ + public function aNewUnrestrictedClientTokenIsAdded() { + $this->unrestrictedClientToken = $this->createClientToken()->token; + } + + /** + * @When a new unrestricted client token is added using restricted basic token auth + */ + public function aNewUnrestrictedClientTokenIsAddedUsingRestrictedBasicTokenAuth() { + $this->createClientToken(false); } /** * @When requesting :url with :method using basic auth + * + * @param string $url + * @param string $method */ public function requestingWithBasicAuth($url, $method) { $this->sendRequest($url, $method, 'basic ' . 
base64_encode('user0:123456')); } /** - * @When requesting :url with :method using basic token auth + * @When requesting :url with :method using unrestricted basic token auth + * + * @param string $url + * @param string $method */ - public function requestingWithBasicTokenAuth($url, $method) { - $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:' . $this->clientToken)); + public function requestingWithUnrestrictedBasicTokenAuth($url, $method) { + $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:' . $this->unrestrictedClientToken), true); } /** - * @When requesting :url with :method using a client token + * @When requesting :url with :method using restricted basic token auth + * + * @param string $url + * @param string $method */ - public function requestingWithUsingAClientToken($url, $method) { - $this->sendRequest($url, $method, 'token ' . $this->clientToken); + public function requestingWithRestrictedBasicTokenAuth($url, $method) { + $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:' . $this->restrictedClientToken), true); + } + + /** + * @When requesting :url with :method using an unrestricted client token + * + * @param string $url + * @param string $method + */ + public function requestingWithUsingAnUnrestrictedClientToken($url, $method) { + $this->sendRequest($url, $method, 'token ' . $this->unrestrictedClientToken); + } + + /** + * @When requesting :url with :method using a restricted client token + * + * @param string $url + * @param string $method + */ + public function requestingWithUsingARestrictedClientToken($url, $method) { + $this->sendRequest($url, $method, 'token ' . $this->restrictedClientToken); } /** * @When requesting :url with :method using browser session + * + * @param string $url + * @param string $method */ public function requestingWithBrowserSession($url, $method) { $this->sendRequest($url, $method, null, true); 
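Review bot: `createClientToken` catches only `ServerException`, so if the server ever answers the denied creation with a 4xx instead of the 503 the feature expects, Guzzle throws a `ClientException` out of the step and the scenario errors instead of reporting a status mismatch; catching the common parent `} catch (\GuzzleHttp\Exception\BadResponseException $e) {` keeps `$this->response` populated in both cases. In `aNewRestrictedClientTokenIsAdded`, `$tokenObj->deviceToken->id` is read without checking that the POST succeeded, and `$this->response` is then overwritten by the PUT, so the "restricted … should work → 200" scenario actually asserts the scope update rather than the creation; add `if (!isset($tokenObj->deviceToken->id)) { throw new \RuntimeException('token creation failed'); }` before the PUT. The `true` fourth argument on the two basic-token `sendRequest` calls presumably attaches the shared cookie jar so the following "using browser session" step can reuse the session the token opened — a one-line comment on those calls would make that dependency explicit.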
@@ -116,6 +209,8 @@ trait Auth { /** * @Given a new browser session is started + * + * @param bool $remember */ public function aNewBrowserSessionIsStarted($remember = false) { $loginUrl = substr($this->baseUrl, 0, -5) . '/login'; @@ -149,6 +244,14 @@ trait Auth { $this->aNewBrowserSessionIsStarted(true); } + + /** + * @Given the cookie jar is reset + */ + public function theCookieJarIsReset() { + $this->cookieJar = new CookieJar(); + } + /** * @When the session cookie expires */
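Review bot: `theCookieJarIsReset` has no comment saying why a scenario would need it when `setUpScenario` already starts every scenario with a fresh `CookieJar`; the reason, as far as this diff shows, is that adding tokens in the Background goes through `loggingInUsingWebAs` with `'cookies' => $this->cookieJar`, so the web-login session stays in the jar and a later "using browser session" step would silently reuse that login instead of the session the scenario itself opened. Suggested docblock: `Drops all cookies collected so far (e.g. the web-login session created while adding tokens in the Background) so that later browser-session steps only see cookies set by the scenario itself.` That the BeforeScenario hook runs before the Background steps is inferred from the framework, not visible here.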