diff --git a/src/pretix/api/auth/devicesecurity.py b/src/pretix/api/auth/devicesecurity.py
index e67b7c6efc..2d819c8823 100644
--- a/src/pretix/api/auth/devicesecurity.py
+++ b/src/pretix/api/auth/devicesecurity.py
@@ -42,6 +42,7 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
         ('GET', 'api-v1:revokedsecrets-list'),
         ('GET', 'api-v1:order-list'),
         ('GET', 'api-v1:event.settings'),
+        ('POST', 'api-v1:upload'),
     )
 
 
@@ -68,6 +69,7 @@ class PretixScanNoSyncSecurityProfile(AllowListSecurityProfile):
         ('POST', 'api-v1:checkinlistpos-redeem'),
         ('GET', 'api-v1:revokedsecrets-list'),
         ('GET', 'api-v1:event.settings'),
+        ('POST', 'api-v1:upload'),
     )
 
 
@@ -113,6 +115,7 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
         ('GET', 'plugins:pretix_seating:event.event.subevent'),
         ('GET', 'plugins:pretix_seating:event.plan'),
         ('GET', 'plugins:pretix_seating:selection.simple'),
+        ('POST', 'api-v1:upload'),
     )
 
 
diff --git a/src/pretix/api/urls.py b/src/pretix/api/urls.py
index 5875323fed..ea6ba39037 100644
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -95,7 +95,7 @@ urlpatterns = [
     url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
     url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
     url(r"^device/eventselection$", device.EventSelectionView.as_view(), name="device.eventselection"),
-    url(r"^upload$", upload.UploadView.as_view(), name="user.me"),
+    url(r"^upload$", upload.UploadView.as_view(), name="upload"),
     url(r"^me$", user.MeView.as_view(), name="user.me"),
     url(r"^version$", version.VersionView.as_view(), name="version"),
 ]