diff --git a/packages/backend/src/server/api/call.ts b/packages/backend/src/server/api/call.ts
index 2132edd0f..1fc42d43c 100644
--- a/packages/backend/src/server/api/call.ts
+++ b/packages/backend/src/server/api/call.ts
@@ -130,6 +130,18 @@ export default async (
 		});
 	}
 
+	if (token && ep.meta.requireAdmin) {
+		throw new ApiError(accessDenied, {
+			reason: "Apps cannot use admin privileges.",
+		});
+	}
+
+	if (token && ep.meta.requireModerator) {
+		throw new ApiError(accessDenied, {
+			reason: "Apps cannot use moderator privileges.",
+		});
+	}
+
 	// Cast non JSON input
 	if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) {
 		for (const k of Object.keys(ep.params.properties)) {
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index e5972173c..c5a990c94 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -30,14 +30,14 @@ export const paramDef = {
 	required: ["username", "password"],
 } as const;
 
-export default define(meta, paramDef, async (ps, _me) => {
+export default define(meta, paramDef, async (ps, _me, token) => {
 	const me = _me ? await Users.findOneByOrFail({ id: _me.id }) : null;
 	const noUsers =
 		(await Users.countBy({
 			host: IsNull(),
-			isAdmin: true,
 		})) === 0;
-	if (!(noUsers || me?.isAdmin)) throw new Error("access denied");
+	if (!noUsers && !me?.isAdmin) throw new Error("access denied");
+	if (token) throw new Error("access denied");
 
 	const { account, secret } = await signup({
 		username: ps.username,