diff --git a/internal/setup/README.md b/internal/setup/README.md
index c9665f3..ac833d5 100644
--- a/internal/setup/README.md
+++ b/internal/setup/README.md
@@ -13,7 +13,7 @@ setup 放置資料庫的初始化 (seeding) 共用程式碼。
 - `admin` scopeset (`*`) 和 `admin` 群組
 - `student` scopeset (`me:*`, `question:read`, `database:read`, `ai`) 和 `student` 群組。
-- `unverified` scopeset (`me:read`) 和 `unverified` 群組
+- `unverified` scopeset (`unverified`, `me:read`) 和 `unverified` 群組
 > [!INFO]
 > Scope 的具體定義,請參考 [scope 文件](../../docs/scope.md)。Wildcard 的意涵請參考 [scope 套件的實作](../scope/README.md)
diff --git a/internal/setup/setup.go b/internal/setup/setup.go
index 307410e..31f7f1b 100644
--- a/internal/setup/setup.go
+++ b/internal/setup/setup.go
@@ -88,7 +88,7 @@ func Setup(ctx context.Context, entClient *ent.Client) (*SetupResult, error) {
 unverifiedScopeSet, err = entClient.ScopeSet.Create().
 SetSlug(useraccount.UnverifiedScopeSetSlug).
 SetDescription("Unverified users can only read their own initial data, and must be manually verified by an administrator.").
- SetScopes([]string{"me:read"}).
+ SetScopes([]string{"me:read", "unverified"}).
 Save(ctx)
 if err != nil {
 return nil, err
diff --git a/internal/useraccount/register_flow_test.go b/internal/useraccount/register_flow_test.go
index 3dd1133..d57993e 100644
--- a/internal/useraccount/register_flow_test.go
+++ b/internal/useraccount/register_flow_test.go
@@ -37,11 +37,11 @@ func TestGetOrRegister_NewUser(t *testing.T) {
 require.NoError(t, err)
 assert.Equal(t, useraccount.UnverifiedGroupSlug, group.Name)
- // Verify user has me:read scope
+ // Verify user has unverified scope
 scopeSets, err := user.QueryGroup().QueryScopeSets().All(context)
 require.NoError(t, err)
 require.Len(t, scopeSets, 1)
- assert.Contains(t, scopeSets[0].Scopes, "me:read")
+ assert.Contains(t, scopeSets[0].Scopes, "unverified")
 }
 func TestGetOrRegister_ExistingUser(t *testing.T) {
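Review bot: In `setup.go`, the `"unverified"` entry added to `SetScopes` is a bare string literal, and nothing in this hunk or in the scopeset description says whether it grants a capability or marks the account as restricted. If it is consumed as a marker, the check has to match the scope exactly: the `admin` scopeset is `*`, so depending on how the scope package expands wildcards an admin token might also satisfy a test for `unverified`. The `Create()` chain sits in a block that opens outside the hunk; if it only runs when the scopeset is missing, databases seeded earlier would presumably keep the old `me:read`-only list until a migration updates them. I would define the literal once as a constant next to `UnverifiedScopeSetSlug` and add `// "unverified" marks accounts awaiting admin verification; match it exactly, never through a wildcard` above the call.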
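Review bot: In `TestGetOrRegister_NewUser` the `me:read` assertion is replaced rather than extended, so nothing in this test now checks that a fresh account still holds `me:read`, and `assert.Contains` never catches an extra scope being added to the least-privileged scopeset. Pinning the whole list would cover both: `assert.ElementsMatch(t, []string{"me:read", "unverified"}, scopeSets[0].Scopes)`. The same substitution is made in the `@@ -353` hunk of this file and in both hunks of `token_test.go`, where `tokenInfo.Scopes` could be checked the same way. The comment could then read `// Verify user has exactly the unverified scope set`.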
@@ -353,7 +353,7 @@ func TestRegistrationFlow_Complete(t *testing.T) {
 tokenInfo, err := authStorage.Get(context, token)
 require.NoError(t, err)
- assert.Contains(t, tokenInfo.Scopes, "me:read")
+ assert.Contains(t, tokenInfo.Scopes, "unverified")
 // Step 3: Verify the user
 err = ctx.Verify(context, user.ID)
diff --git a/internal/useraccount/token_test.go b/internal/useraccount/token_test.go
index 7013135..1e759cc 100644
--- a/internal/useraccount/token_test.go
+++ b/internal/useraccount/token_test.go
@@ -47,7 +47,7 @@ func TestGrantToken_Success(t *testing.T) {
 assert.Equal(t, user.ID, tokenInfo.UserID)
 assert.Equal(t, user.Email, tokenInfo.UserEmail)
 assert.Equal(t, "test-machine", tokenInfo.Machine)
- assert.Contains(t, tokenInfo.Scopes, "me:read")
+ assert.Contains(t, tokenInfo.Scopes, "unverified")
 assert.Equal(t, "registration", tokenInfo.Meta[useraccount.MetaInitiateFromFlow])
 assert.Empty(t, tokenInfo.Meta[useraccount.MetaImpersonation])
 }
@@ -82,7 +82,7 @@ func TestGrantToken_Impersonation(t *testing.T) {
 assert.Equal(t, user.ID, tokenInfo.UserID)
 assert.Equal(t, user.Email, tokenInfo.UserEmail)
 assert.Equal(t, "test-machine", tokenInfo.Machine)
- assert.Contains(t, tokenInfo.Scopes, "me:read")
+ assert.Contains(t, tokenInfo.Scopes, "unverified")
 assert.Equal(t, "registration", tokenInfo.Meta[useraccount.MetaInitiateFromFlow])
 assert.Equal(t, strconv.Itoa(user.ID), tokenInfo.Meta[useraccount.MetaImpersonation])
 }