diff --git a/app/Transformers/Api/Application/BaseTransformer.php b/app/Transformers/Api/Application/BaseTransformer.php
index bb8f5ce9b..dce0b1442 100644
--- a/app/Transformers/Api/Application/BaseTransformer.php
+++ b/app/Transformers/Api/Application/BaseTransformer.php
@@ -67,11 +67,20 @@ abstract class BaseTransformer extends TransformerAbstract
      */
     protected function authorize(string $resource): bool
     {
+        $allowed = [ApiKey::TYPE_ACCOUNT, ApiKey::TYPE_APPLICATION];
+
         $token = $this->request->user()->currentAccessToken();
-        if (!$token instanceof ApiKey || $token->key_type !== ApiKey::TYPE_APPLICATION) {
+        if (!$token instanceof ApiKey || !in_array($token->key_type, $allowed)) {
             return false;
         }
+        // If this is not a deprecated application token type we can only check that
+        // the user is a root admin at the moment. In a future release we'll be rolling
+        // out more specific permissions for keys.
+        if ($token->key_type === ApiKey::TYPE_ACCOUNT) {
+            return $this->request->user()->root_admin;
+        }
+
         return AdminAcl::check($token, $resource, AdminAcl::READ);
     }
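Review bot: The new `in_array($token->key_type, $allowed)` gate uses loose comparison, so a `key_type` that merely loosely equals one of the constants (a numeric string, `true`) passes, and the `root_admin` attribute is returned un-cast from a method declared `: bool`; tighten both with `if (!$token instanceof ApiKey || !in_array($token->key_type, $allowed, true)) {` and `return (bool) $this->request->user()->root_admin;`, assuming `key_type` is cast to an int on the model — if it is a raw string column the strict check would fail closed and the cast belongs on the model instead. The `TYPE_ACCOUNT` branch also returns before `AdminAcl::check`, so `$resource` is never consulted for account keys: a root admin's account key now gets read access to every resource this transformer family exposes, where the removed line rejected such keys outright. If that broadening is intended, the comment should say so plainly (as written it describes the *application* type as deprecated, the opposite of the branch it guards) and it is worth confirming that the route middleware applies the same root_admin gate, since this method only runs after the controller has already executed. The enclosing class continues outside the hunk.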