diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 13003c6f2..c261f2684 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -182,7 +182,7 @@ class ApiController(RedditController, OAuth2ResourceController):
 
     POST_ad_inq = POST_feedback
 
-
+    @require_oauth2_scope("privatemessages")
     @validatedForm(VCaptcha(),
                    VUser(),
                    VModhash(),
@@ -905,6 +905,7 @@ class ApiController(RedditController, OAuth2ResourceController):
         Report.new(c.user, thing)
         admintools.report(thing)
 
+    @require_oauth2_scope("privatemessages")
     @noresponse(VUser(), VModhash(),
                 thing=VByName('id'))
     @api_doc(api_section.messages)
@@ -1823,6 +1824,7 @@ class ApiController(RedditController, OAuth2ResourceController):
             queries.set_unread(messages, c.user, unread)
 
 
+    @require_oauth2_scope("privatemessages")
     @noresponse(VUser(),
                 VModhash(),
                 things = VByName('id', multiple=True, limit=25))
@@ -1830,6 +1832,7 @@ class ApiController(RedditController, OAuth2ResourceController):
     def POST_unread_message(self, things):
         self.unread_handler(things, True)
 
+    @require_oauth2_scope("privatemessages")
     @noresponse(VUser(),
                 VModhash(),
                 things = VByName('id', multiple=True, limit=25))
diff --git a/r2/r2/controllers/listingcontroller.py b/r2/r2/controllers/listingcontroller.py
index d137ecb65..adf3f6ff7 100755
--- a/r2/r2/controllers/listingcontroller.py
+++ b/r2/r2/controllers/listingcontroller.py
@@ -692,7 +692,7 @@ class UserController(ListingController):
             dest += "?" + query_string
         return redirect_to(dest)
 
-class MessageController(ListingController):
+class MessageController(ListingController, OAuth2ResourceController):
     show_nums = False
     render_cls = MessagePage
     allow_stylesheets = False
@@ -700,6 +700,10 @@ class MessageController(ListingController):
     # conceptually fit for styling these pages.
     extra_page_classes = ['messages-page']
 
+    def pre(self):
+        self.check_for_bearer_token()
+        ListingController.pre(self)
+
     @property
     def show_sidebar(self):
         if c.default_sr and not isinstance(c.site, (ModSR, MultiReddit)):
@@ -848,6 +852,7 @@ class MessageController(ListingController):
 
         return q
 
+    @require_oauth2_scope("privatemessages")
     @validate(VUser(),
               message = VMessageID('mid'),
               mark = VOneOf('mark',('true','false')))
diff --git a/r2/r2/models/token.py b/r2/r2/models/token.py
index 31db6cd1d..c6a79d0e9 100644
--- a/r2/r2/models/token.py
+++ b/r2/r2/models/token.py
@@ -126,6 +126,12 @@ class OAuth2Scope:
                 "Access the list of subreddits I moderate, contribute to,"
                 " and subscribe to."),
         },
+        "privatemessages": {
+            "id": "privatemessages",
+            "name": _("Private Messages"),
+            "description": _(
+                "Access my inbox and send private messages to other users."),
+        },
         "read": {
             "id": "read",
             "name": _("Read Content"),