diff --git a/src/millipds/auth_oauth.py b/src/millipds/auth_oauth.py
index 37a62ad6..769e12e5 100644
--- a/src/millipds/auth_oauth.py
+++ b/src/millipds/auth_oauth.py
@@ -158,7 +158,7 @@ async def oauth_authorize_handle_login(request: web.Request):
 now = int(time.time())
 db.con.execute(
 """
- INSERT INTO session_cookie (
+ INSERT INTO oauth_session_cookie (
 token, user_id, value, created_at, expires_at
 ) VALUES (?, ?, ?, ?, ?)
 """,
diff --git a/src/millipds/database.py b/src/millipds/database.py
index cc0b80c8..9396b9bb 100644
--- a/src/millipds/database.py
+++ b/src/millipds/database.py
@@ -248,6 +248,8 @@ def _init_tables(self):
 
 # this is only for the tokens *we* issue, dpop jti will be tracked separately
 # there's no point remembering that an expired token was revoked, and we'll garbage-collect these periodically
+ # note: I'm using did here instead of user_id, this is vaguely inconsistent
+ # with other tables but in practice it should reduce query complexity
 self.con.execute(
 """
 CREATE TABLE revoked_token(
@@ -262,7 +264,7 @@ def _init_tables(self):
 # oauth stuff!
 self.con.execute(
 """
- CREATE TABLE session_cookie(
+ CREATE TABLE oauth_session_cookie(
 token TEXT PRIMARY KEY NOT NULL,
 user_id INTEGER NOT NULL,
 value BLOB NOT NULL,
@@ -273,6 +275,19 @@ def _init_tables(self):
 """
 )
 
+ # has user granted a particular scope to a particular app?
+ self.con.execute(
+ """
+ CREATE TABLE oauth_grants(
+ user_id INTEGER NOT NULL,
+ client_id TEXT NOT NULL,
+ scope TEXT NOT NULL,
+ FOREIGN KEY (user_id) REFERENCES user(id),
+ PRIMARY KEY (user_id, client_id, scope)
+ ) STRICT, WITHOUT ROWID
+ """
+ )
+
 def update_config(
 self,
 pds_pfx: Optional[str] = None,
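Review bot: The new oauth_grants table in the last hunk of database.py records consent with no timestamp, so a grant cannot be audited, aged out or garbage-collected once written, unlike the oauth_session_cookie table in the previous hunk, which carries created_at and expires_at. Adding `created_at INTEGER NOT NULL,` after the scope column would make later revocation or expiry policy possible without a schema migration. The foreign key also has no ON DELETE clause, so deleting a user row would presumably either be rejected or leave orphaned consent rows depending on whether SQLite foreign-key enforcement is enabled for this connection, which is not visible here; `FOREIGN KEY (user_id) REFERENCES user(id) ON DELETE CASCADE,` would make the intended behaviour explicit. The table comment could also state that one row represents one granted scope and that a client's full grant set is the rows sharing (user_id, client_id). _init_tables starts outside the hunk.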