diff --git a/src/gateway/server.auth.e2e.test.ts b/src/gateway/server.auth.e2e.test.ts
index 3f480f0dead..71acddfc3cf 100644
--- a/src/gateway/server.auth.e2e.test.ts
+++ b/src/gateway/server.auth.e2e.test.ts
@@ -687,6 +687,7 @@ describe("gateway server auth/connect", () => {
 };
 const res = await connectReq(ws, {
 token: "secret",
+ scopes: ["operator.read"],
 device,
 client: {
 id: GATEWAY_CLIENT_NAMES.CONTROL_UI,
@@ -697,6 +698,8 @@ describe("gateway server auth/connect", () => {
 });
 expect(res.ok).toBe(true);
 expect((res.payload as { auth?: unknown } | undefined)?.auth).toBeUndefined();
+ const health = await rpcReq(ws, "health");
+ expect(health.ok).toBe(true);
 ws.close();
 });
 } finally {
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
index d533796ecd8..a49640652e9 100644
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -427,7 +427,7 @@ export function attachGatewayWsMessageHandler(params: {
 close(1008, truncateCloseReason(authMessage));
 };
 if (!device) {
- if (scopes.length > 0) {
+ if (scopes.length > 0 && !allowControlUiBypass) {
 scopes = [];
 connectParams.scopes = scopes;
 }
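Review bot: The added `health` assertion in the second test hunk only pins the positive path, that a Control UI connection keeps `operator.read` and can call `health`. Nothing visible here pins the other side of the guard: that a device-less connection from a client that does not qualify for the bypass still has its requested scopes cleared. A sibling case that sends the same `scopes: ["operator.read"]` without the bypass and expects the scoped call to be refused would keep the scope-stripping from regressing silently; such a case may already exist elsewhere in the file. The enclosing test body starts and ends outside the hunk.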
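Review bot: With `&& !allowControlUiBypass` added to the guard in message-handler.ts, a connection with no device identity keeps whatever `scopes` the client sent, and nothing in this hunk limits which scopes those may be. `allowControlUiBypass` is computed outside the hunk, so it cannot be confirmed here that it is true only after the shared token or password check has succeeded; if it can be derived from the self-reported client id and configuration alone, the retained scopes are entirely client-asserted. Consider narrowing what the bypass retains to the scopes the Control UI needs, rather than keeping the requested list as-is. A comment on the branch would also help, for example `// Control UI bypass: no device identity, so scopes are client-asserted; relies on shared auth having succeeded above`. The enclosing function starts and ends outside the hunk.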