diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index c4ad3ac57..e1e810cf3 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -44,7 +44,7 @@ class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
     launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(source="get_provider", required=False)
+    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
 
     meta_icon = ReadOnlyField(source="get_meta_icon")
 
diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index 005ed9399..4bf748252 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -26,7 +26,7 @@ from authentik.managed.api import ManagedSerializer
 class TokenSerializer(ManagedSerializer, ModelSerializer):
     """Token Serializer"""
 
-    user_obj = UserSerializer(required=False, source="user")
+    user_obj = UserSerializer(required=False, source="user", read_only=True)
 
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
diff --git a/schema.yml b/schema.yml
index f2944eef3..4d9490689 100644
--- a/schema.yml
+++ b/schema.yml
@@ -19090,7 +19090,9 @@ components:
           type: integer
           nullable: true
         provider_obj:
-          $ref: '#/components/schemas/Provider'
+          allOf:
+          - $ref: '#/components/schemas/Provider'
+          readOnly: true
         launch_url:
           type: string
           nullable: true
@@ -19115,6 +19117,7 @@ components:
       - meta_icon
       - name
       - pk
+      - provider_obj
       - slug
     ApplicationRequest:
       type: object
@@ -19133,8 +19136,6 @@ components:
         provider:
           type: integer
           nullable: true
-        provider_obj:
-          $ref: '#/components/schemas/ProviderRequest'
         meta_launch_url:
           type: string
           format: uri
@@ -26591,8 +26592,6 @@ components:
         provider:
           type: integer
           nullable: true
-        provider_obj:
-          $ref: '#/components/schemas/ProviderRequest'
         meta_launch_url:
           type: string
           format: uri
@@ -28252,8 +28251,6 @@ components:
           $ref: '#/components/schemas/IntentEnum'
         user:
           type: integer
-        user_obj:
-          $ref: '#/components/schemas/UserRequest'
         description:
           type: string
         expires:
@@ -30756,7 +30753,9 @@ components:
         user:
           type: integer
         user_obj:
-          $ref: '#/components/schemas/User'
+          allOf:
+          - $ref: '#/components/schemas/User'
+          readOnly: true
         description:
           type: string
         expires:
@@ -30767,6 +30766,7 @@ components:
       required:
       - identifier
       - pk
+      - user_obj
     TokenRequest:
       type: object
       description: Token Serializer
@@ -30789,8 +30789,6 @@ components:
           $ref: '#/components/schemas/IntentEnum'
         user:
           type: integer
-        user_obj:
-          $ref: '#/components/schemas/UserRequest'
         description:
           type: string
         expires: