diff --git a/cmd/auth.go b/cmd/auth.go
index d8144c56..73a8594c 100644
--- a/cmd/auth.go
+++ b/cmd/auth.go
@@ -102,7 +102,7 @@ func handleOIDCFinish(c echo.Context) error {
 	}
 
 	// Set the session.
-	if err := app.auth.SetSession(user, oidcToken, c); err != nil {
+	if err := app.auth.SaveSession(user, oidcToken, c); err != nil {
 		return renderLoginPage(c, err)
 	}
 
@@ -213,7 +213,7 @@ func doLogin(c echo.Context) error {
 	}
 
 	// Set the session.
-	if err := app.auth.SetSession(user, "", c); err != nil {
+	if err := app.auth.SaveSession(user, "", c); err != nil {
 		return err
 	}
 
diff --git a/cmd/init.go b/cmd/init.go
index 17500287..5f3dfb18 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -47,6 +47,7 @@ import (
 	"github.com/labstack/echo/v4"
 	"github.com/lib/pq"
 	flag "github.com/spf13/pflag"
+	"gopkg.in/volatiletech/null.v6"
 )
 
 const (
@@ -974,5 +975,27 @@ func initAuth(db *sql.DB, ko *koanf.Koanf, co *core.Core) *auth.Auth {
 		lo.Fatalf("error initializing auth: %v", err)
 	}
 
+	// If the legacy username+password is set in the TOML file, use that as an API
+	// access token in the auth module to preserve backwards compatibility for existing
+	// API integrations. The presence of these values show a red banner on the admin UI
+	// prompting the creation of new API credentials and the removal of values from
+	// the TOML config.
+	var (
+		username = ko.String("app.admin_username")
+		password = ko.String("app.admin_password")
+	)
+	if len(username) > 2 && len(password) > 6 {
+		u := models.User{
+			Username:      username,
+			Password:      null.String{Valid: true, String: password},
+			PasswordLogin: true,
+			HasPassword:   true,
+			Status:        models.UserStatusEnabled,
+			Type:          models.UserTypeAPI,
+		}
+		u.Role.ID = auth.SuperAdminRoleID
+		a.SetToken(username, u)
+	}
+
 	return a
 }
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 3a9bbc97..ff3f7fb2 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
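Review bot: A legacy admin_username/admin_password that fails the length gate at `if len(username) > 2 && len(password) > 6 {` is dropped silently, so an integration that still authenticates with those config values stops working with nothing in the log to explain why. Add an `else if username != "" || password != "" {` branch that calls `lo.Printf("ignoring legacy app.admin_username/app.admin_password: username must be longer than 2 and password longer than 6 characters")` so the operator sees the rejection at startup. The cached entry is also granted `auth.SuperAdminRoleID` and carries the raw config password in `u.Password`; how GetToken compares that value is outside this diff, but since it runs on every API request it should be a constant-time comparison (`subtle.ConstantTimeCompare`), which is worth confirming in the auth module. initAuth begins outside the hunk.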
@@ -26,7 +26,7 @@ const ( UserKey = "auth_user" SessionKey = "auth_session" - SuperAdminRole = 1 + SuperAdminRoleID = 1 ) const ( @@ -85,6 +85,8 @@ func New(cfg Config, db *sql.DB, cb *Callbacks, lo *log.Logger) (*Auth, error) { cfg: cfg, cb: cb, log: lo, + + tokens: map[string]models.User{}, } // Initialize OIDC. @@ -136,15 +138,11 @@ func New(cfg Config, db *sql.DB, cb *Callbacks, lo *log.Logger) (*Auth, error) { return a, nil } -// SetTokens caches tokens for authenticating API client calls. -func (o *Auth) SetTokens(tokens map[string]models.User) { +// SetToken caches tokens for authenticating API client calls. +func (o *Auth) SetToken(apiKey string, u models.User) { o.Lock() - defer o.Unlock() - - o.tokens = make(map[string]models.User, len(tokens)) - for userID, u := range tokens { - o.tokens[userID] = u - } + o.tokens[apiKey] = u + o.Unlock() } // GetToken validates an API user+token. @@ -256,8 +254,8 @@ func (o *Auth) Perm(next echo.HandlerFunc, perm string) echo.HandlerFunc { return next(c) } - // If there's no permission set on the handler or if the current user is a super admin, do no checks. - if perm == "" || u.RoleID == SuperAdminRole { + // If the current user is a Super Admin user, do no checks. + if u.Role.ID == SuperAdminRoleID { return next(c) } @@ -270,8 +268,8 @@ func (o *Auth) Perm(next echo.HandlerFunc, perm string) echo.HandlerFunc { } } -// SetSession creates and sets a session (post successful login/auth). -func (o *Auth) SetSession(u models.User, oidcToken string, c echo.Context) error { +// SaveSession creates and sets a session (post successful login/auth). +func (o *Auth) SaveSession(u models.User, oidcToken string, c echo.Context) error { sess, err := o.sess.NewSession(c, c) if err != nil { o.log.Printf("error creating login session: %v", err)
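Review bot: `SetToken` only ever adds to `o.tokens`, whereas the `SetTokens` it replaces rebuilt the whole map, which was the only way a deleted or rotated API key ever left the cache. If some caller not visible here used SetTokens to refresh the cache after an API user is removed, that revocation path is now gone and a stale key stays valid until restart unless GetToken re-validates against the database. Either keep a replace-all method or add `func (o *Auth) DeleteToken(apiKey string) { o.Lock(); delete(o.tokens, apiKey); o.Unlock() }`, and extend the doc comment to `// SetToken caches a token for authenticating API client calls, replacing any existing entry for apiKey.` The surrounding Auth type and GetToken are outside the hunk.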
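Review bot: Dropping `perm == ""` from the bypass at `if u.Role.ID == SuperAdminRoleID {` means a handler wrapped with an empty permission now falls through to the permission lookup below the hunk for every non-Super-Admin user; whether that denies or allows depends on code outside this diff, so any remaining `Perm(h, "")` call sites should be audited for an unintended lockout or, worse, an unintended pass. Perm's doc comment (outside the hunk) should state the new contract explicitly, e.g. `// An empty perm is not a wildcard: only Super Admins skip the permission check.` Perm's body starts and ends outside the hunk.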