diff --git a/aleksis/core/migrations/0028_oauth_allowed_groups.py b/aleksis/core/migrations/0028_oauth_allowed_groups.py
new file mode 100644
index 0000000000000000000000000000000000000000..1f4d51cff2bba8bb7e1a6936dbfc3d85a9df1397
--- /dev/null
+++ b/aleksis/core/migrations/0028_oauth_allowed_groups.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.9 on 2021-12-05 19:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0027_person_place_of_birth'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='oauthapplication',
+            name='allowed_groups',
+            field=models.ManyToManyField(blank=True, related_name='oauth_apps', to='core.Group', verbose_name='Allowed groups'),
+        ),
+    ]
diff --git a/aleksis/core/models.py b/aleksis/core/models.py
index 3ce728b7c67d853fd4f7156beb4afa1ad207b50c..a636414c546fc74c40bf728c37d09d1b31d5c3b8 100644
--- a/aleksis/core/models.py
+++ b/aleksis/core/models.py
@@ -1129,6 +1129,13 @@ class OAuthApplication(AbstractApplication):
         blank=True,
     )
 
+    allowed_groups = models.ManyToManyField(
+        Group,
+        verbose_name=_("Allowed groups"),
+        related_name="oauth_apps",
+        blank=True,
+    )
+
     def allows_grant_type(self, *grant_types: set[str]) -> bool:
         allowed_grants = get_site_preferences()["auth__oauth_allowed_grants"]