diff --git a/scopes/org/user.py b/scopes/org/user.py
index 4f853bf..4252ef7 100644
--- a/scopes/org/user.py
+++ b/scopes/org/user.py
@@ -2,6 +2,7 @@
 """Basic user account (principal) definitions + access to identity provider."""
+from dataclasses import dataclass, field
 from scopes.web import client
 from scopes import util
@@ -26,11 +27,12 @@ class ExtUser:
 provider = 'zitatel'
 endpoints = dict(
- users='v2/users',
+ users='v2/users/human',
 )
- def __init__(self, user, organization, userId=None, userIdPrefix=''):
+ def __init__(self, user, organization, userId=None, userIdPrefix='', grants=None):
 self.user = user
+ self.grants = grants or []
 def asDict(self):
 return dict(username=self.user.name)
@@ -40,4 +42,3 @@ class ExtUser:
 data = self.asDict()
 res = clt.post(config.oidc_provider_endpoints['users'], data)
- grants: List[str]
diff --git a/scopes/tests/config.py b/scopes/tests/config.py
index ea11118..af75792 100644
--- a/scopes/tests/config.py
+++ b/scopes/tests/config.py
@@ -46,6 +46,7 @@ oidc_params = dict(
 op_config_url=oidc_provider + '/.well-known/openid-configuration',
 op_uris=None,
 op_keys=None,
+ op_project_scope='urn:zitadel:iam:org:project:id:zitadel:aud',
 callback_url=getenv('OIDC_CALLBACK_URL', base_url + '/auth/callback'),
 client_id=oidc_client_id,
 principal_prefix=getenv('OIDC_PRINCIPAL_PREFIX', 'loops.'),
diff --git a/scopes/tests/test_standard.py b/scopes/tests/test_standard.py
index 6b05915..6562ecd 100644
--- a/scopes/tests/test_standard.py
+++ b/scopes/tests/test_standard.py
@@ -33,6 +33,7 @@ class Test(unittest.TestCase):
 def test_013_web(self):
 tlib_web.test_app(self, config)
 tlib_web.test_auth(self, config)
+ tlib_web.test_user_data(self, config)
 def suite():
diff --git a/scopes/tests/tlib_web.py b/scopes/tests/tlib_web.py
index b556346..8ee0f3c 100644
--- a/scopes/tests/tlib_web.py
+++ b/scopes/tests/tlib_web.py
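Review bot: `from dataclasses import dataclass, field` is added in the first hunk of user.py but neither name is used in any hunk of this file; ExtUser stays a plain class with an explicit `__init__`, so the import is dead and should be dropped unless the conversion it hints at is part of this commit. The removal of `grants: List[str]` in the last hunk may likewise leave a `List` import outside the hunks unused, if one exists.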
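Review bot: The new `__init__` signature still accepts `organization`, `userId` and `userIdPrefix`, but its body, which lies entirely inside the hunk, stores only `self.user` and `self.grants`, so those three arguments are silently discarded; either assign them (`self.organization = organization` and so on) or remove them from the signature. Separately, `endpoints['users']` is changed to `'v2/users/human'` while the post in the last hunk of this file reads its path from `config.oidc_provider_endpoints['users']`, so unless something outside the hunks wires the class attribute into the config this edit does not change the request that is sent; a comment on `endpoints` saying which of the two is authoritative would prevent the next reader from making the same edit.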
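Review bot: `op_project_scope` is hard-coded, unlike the neighbouring `callback_url` and `principal_prefix`, which are read through `getenv(...)`; since the value selects which Zitadel project audience the client's JWT-bearer token is issued for, `op_project_scope=getenv('OIDC_PROJECT_SCOPE', 'urn:zitadel:iam:org:project:id:zitadel:aud'),` keeps the test config from being tied to one deployment. Note that the oidc.py hunk reads this key with a bare `params['op_project_scope']`, so any other config that builds oidc_params without it fails with KeyError at authentication time.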
@@ -40,3 +40,6 @@ def test_auth(self, config):
 uri = config.oidc_params['op_uris']['jwks_uri']
 keys = oidc.loadOidcKeys(uri)
 logger.info('test_auth keys: %s', keys)
+
+def test_user_data(self, config):
+ from scopes.org import user
diff --git a/scopes/web/auth/oidc.py b/scopes/web/auth/oidc.py
index 5052c23..4123384 100644
--- a/scopes/web/auth/oidc.py
+++ b/scopes/web/auth/oidc.py
@@ -265,7 +265,7 @@ def authenticateClient(paramsName='oidc_params'):
 headers=dict(alg='RS256', kid=keyId))
 data = dict(
 grant_type='urn:ietf:params:oauth:grant-type:jwt-bearer',
- scope=' '.join(('openid', params['op_project_scope']))
+ scope=' '.join(('openid', params['op_project_scope'])),
 assertion=jwToken,
 )
 headers = {'Content-Type': 'application/x-www-form-urlencoded'}
diff --git a/scopes/web/client.py b/scopes/web/client.py
index 8c081a8..ef28d88 100644
--- a/scopes/web/client.py
+++ b/scopes/web/client.py
@@ -14,7 +14,7 @@ class ApiClient:
 self.authToken = None
 def authentication(self):
- if self.authToken = None:
+ if self.authToken == None:
 self.authToken = oidc.authenticateClient()
 return dict(Authorization=f'Bearer {self.authToken}')
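Review bot: `test_user_data` only imports `scopes.org.user` and never uses `self` or `config`, so the call added to test_013_web exercises nothing; a passing run proves only that the module imports. A minimal check of the behaviour this commit adds to ExtUser would be `ext = user.ExtUser(None, None)`, `self.assertEqual(ext.grants, [])` and `self.assertEqual(user.ExtUser(None, None, grants=['a']).grants, ['a'])`.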
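Review bot: The added comma repairs the syntax error, but `params['op_project_scope']` on the same line is a bare subscript, so a config that lacks the key (in this commit only the test config defines it) fails with KeyError deep inside authenticateClient instead of an error naming the missing setting, and a `None` value would raise TypeError in `' '.join`. Consider building the scope list conditionally: `scopes = ['openid']`, `if params.get('op_project_scope'): scopes.append(params['op_project_scope'])`, then `scope=' '.join(scopes),`. authenticateClient begins and ends outside the hunk.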
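Review bot: `self.authToken == None` should be `self.authToken is None` (PEP 8; `==` dispatches to `__eq__` of whatever is stored). The larger issue is that the token obtained from `oidc.authenticateClient()` is cached on the instance for its whole lifetime and nothing visible tracks its expiry, so once the access token expires every request keeps sending the stale `Bearer` header and is rejected by the provider; unless ApiClient instances are short-lived, record the expiry returned with the token and re-authenticate when it has passed.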