diff --git a/app/models/api/openid_connect/scope.rb b/app/models/api/openid_connect/scope.rb
index 7b7d66ac1d362ada0229bbe60b747d4949043704..aaf4794bfc6e3130ab9f85b354dad46ee968b50f 100644
--- a/app/models/api/openid_connect/scope.rb
+++ b/app/models/api/openid_connect/scope.rb
@@ -4,8 +4,6 @@ module Api
       has_many :authorizations, through: :authorization_scopes
 
       validates :name, presence: true, uniqueness: true
-
-      # TODO: Add constants so scopes can be referenced as OpenidConnect::Scope::Read
     end
   end
 end
diff --git a/db/seeds.rb b/db/seeds.rb
new file mode 100644
index 0000000000000000000000000000000000000000..6ca70e3450f3454d19a886cf0ed84be5c2a29459
--- /dev/null
+++ b/db/seeds.rb
@@ -0,0 +1,3 @@
+Api::OpenidConnect::Scope.find_or_create_by!(name: "openid")
+Api::OpenidConnect::Scope.find_or_create_by!(name: "read")
+Api::OpenidConnect::Scope.find_or_create_by!(name: "write")
diff --git a/lib/api/openid_connect/token_endpoint.rb b/lib/api/openid_connect/token_endpoint.rb
index 1f592c03c34cc46d35549e6343bdb180fd1e8809..86d8fed0995526023b6e7e428d93e219ea1f4a8f 100644
--- a/lib/api/openid_connect/token_endpoint.rb
+++ b/lib/api/openid_connect/token_endpoint.rb
@@ -23,7 +23,7 @@ module Api
           auth = Api::OpenidConnect::Authorization.with_redirect_uri(req.redirect_uri).use_code(req.code)
           req.invalid_grant! if auth.blank?
           res.access_token = auth.create_access_token
-          if auth.accessible?(Api::OpenidConnect::Scope.find_by(name: "openid"))
+          if auth.accessible?(Api::OpenidConnect::Scope.find_by!(name: "openid"))
             id_token = auth.create_id_token
             res.id_token = id_token.to_jwt(access_token: res.access_token)
           end
diff --git a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
index 6663f281e090f12292f3e4ddfc29f58f5a721406..74aa1ed02896622042733af7d5fc1cbe013d48da 100644
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
@@ -15,7 +15,6 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
   before do
     sign_in :user, alice
     allow(@controller).to receive(:current_user).and_return(alice)
-    Api::OpenidConnect::Scope.create!(name: "openid")
   end
 
   describe "#new" do
diff --git a/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb b/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
index 219cf1c40a3c0093d25dd7428615ddd7df8f6ade..7cf0ccd29343a280eacdb66b58ed6a5bda76be0e 100644
--- a/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
@@ -8,8 +8,8 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
   end
   let(:auth_with_read) do
     auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
-    auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "openid"),
-                    Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
+    auth.scopes << [Api::OpenidConnect::Scope.find_by!(name: "openid"),
+                    Api::OpenidConnect::Scope.find_by!(name: "read")]
     auth
   end
   let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
diff --git a/spec/lib/api/openid_connect/token_endpoint_spec.rb b/spec/lib/api/openid_connect/token_endpoint_spec.rb
index d712327d088c1564e306fe339ed872e8a558534f..c0b06b5bea4b6c2b1d3d11fba1e17f5a3d3c6150 100644
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
@@ -1,20 +1,17 @@
 require "spec_helper"
-
 describe Api::OpenidConnect::TokenEndpoint, type: :request do
   let!(:client) do
     Api::OpenidConnect::OAuthApplication.create!(
       redirect_uris: ["http://localhost:3000/"], client_name: "diaspora client",
       ppid: true, sector_identifier_uri: "https://example.com/uri")
   end
-  let!(:auth) {
-    Api::OpenidConnect::Authorization.find_or_create_by(
+  let!(:auth) do
+    auth = Api::OpenidConnect::Authorization.find_or_create_by(
       o_auth_application: client, user: bob, redirect_uri: "http://localhost:3000/")
-  }
-  let!(:code) { auth.create_code }
-
-  before do
-    Api::OpenidConnect::Scope.find_or_create_by(name: "read")
+    auth.scopes << [Api::OpenidConnect::Scope.find_by!(name: "openid")]
+    auth
   end
+  let!(:code) { auth.create_code }
 
   describe "the authorization code grant type" do
     context "when the authorization code is valid" do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ca444256a3a63c150459e8bfba3b5f70f854307d..c0a67974de1bffd0d3f6ddda40738d678333f348 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -84,6 +84,7 @@ RSpec.configure do |config|
     $process_queue = false
     allow_any_instance_of(Postzord::Dispatcher::Public).to receive(:deliver_to_remote)
     allow_any_instance_of(Postzord::Dispatcher::Private).to receive(:deliver_to_remote)
+    load "#{Rails.root}/db/seeds.rb"
   end
 
   config.expect_with :rspec do |expect_config|