diff --git a/api/auth/center.go b/api/auth/center.go
index 1b572a86..72ca7677 100644
--- a/api/auth/center.go
+++ b/api/auth/center.go
@@ -14,7 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
 	"github.com/nspcc-dev/neofs-api-go/pkg/object"
-	"github.com/nspcc-dev/neofs-api-go/pkg/token"
+	"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
 	"github.com/nspcc-dev/neofs-sdk-go/pkg/pool"
 	"go.uber.org/zap"
@@ -25,7 +25,7 @@ var authorizationFieldRegexp = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(
 type (
 	// Center is a user authentication interface.
 	Center interface {
-		Authenticate(request *http.Request) (*token.BearerToken, error)
+		Authenticate(request *http.Request) (*accessbox.GateData, error)
 	}
 
 	center struct {
@@ -63,7 +63,7 @@ func New(conns pool.Pool, key *ecdsa.PrivateKey) Center {
 	}
 }
 
-func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
+func (c *center) Authenticate(r *http.Request) (*accessbox.GateData, error) {
 	queryValues := r.URL.Query()
 	if queryValues.Get("X-Amz-Algorithm") == "AWS4-HMAC-SHA256" {
 		return nil, errors.New("pre-signed form of request is not supported")
@@ -127,5 +127,5 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
 		return nil, errors.New("failed to pass authentication procedure")
 	}
 
-	return tkns.BearerToken, nil
+	return tkns, nil
 }
diff --git a/api/layer/layer.go b/api/layer/layer.go
index 4f81afb4..d5d55050 100644
--- a/api/layer/layer.go
+++ b/api/layer/layer.go
@@ -13,8 +13,8 @@ import (
 	cid "github.com/nspcc-dev/neofs-api-go/pkg/container/id"
 	"github.com/nspcc-dev/neofs-api-go/pkg/object"
 	"github.com/nspcc-dev/neofs-api-go/pkg/owner"
-	"github.com/nspcc-dev/neofs-api-go/pkg/token"
 	"github.com/nspcc-dev/neofs-s3-gw/api"
+	"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
 	"github.com/nspcc-dev/neofs-sdk-go/pkg/pool"
 	"go.uber.org/zap"
 	"google.golang.org/grpc/codes"
@@ -106,8 +106,8 @@ func NewLayer(log *zap.Logger, conns pool.Pool) Client {
 
 // Owner returns owner id from BearerToken (context) or from client owner.
 func (n *layer) Owner(ctx context.Context) *owner.ID {
-	if tkn, ok := ctx.Value(api.BearerTokenKey).(*token.BearerToken); ok && tkn != nil {
-		return tkn.Issuer()
+	if data, ok := ctx.Value(api.GateData).(*accessbox.GateData); ok && data != nil {
+		return data.BearerToken.Issuer()
 	}
 
 	return n.pool.OwnerID()
@@ -115,13 +115,22 @@ func (n *layer) Owner(ctx context.Context) *owner.ID {
 
 // BearerOpt returns client.WithBearer call option with token from context or with nil token.
 func (n *layer) BearerOpt(ctx context.Context) client.CallOption {
-	if tkn, ok := ctx.Value(api.BearerTokenKey).(*token.BearerToken); ok && tkn != nil {
-		return client.WithBearer(tkn)
+	if data, ok := ctx.Value(api.GateData).(*accessbox.GateData); ok && data != nil {
+		return client.WithBearer(data.BearerToken)
 	}
 
 	return client.WithBearer(nil)
 }
 
+// SessionOpt returns client.WithSession call option with token from context or with nil token.
+func (n *layer) SessionOpt(ctx context.Context) client.CallOption {
+	if data, ok := ctx.Value(api.GateData).(*accessbox.GateData); ok && data != nil {
+		return client.WithSession(data.SessionToken)
+	}
+
+	return client.WithSession(nil)
+}
+
 // Get NeoFS Object by refs.Address (should be used by auth.Center).
 func (n *layer) Get(ctx context.Context, address *object.Address) (*object.Object, error) {
 	ops := new(client.GetObjectParams).WithAddress(address)
diff --git a/api/user-auth.go b/api/user-auth.go
index df150a49..6b4d5437 100644
--- a/api/user-auth.go
+++ b/api/user-auth.go
@@ -12,15 +12,15 @@ import (
 // KeyWrapper is wrapper for context keys.
 type KeyWrapper string
 
-// BearerTokenKey is an ID used to store bearer token in a context.
-var BearerTokenKey = KeyWrapper("__context_bearer_token_key")
+// GateData is an ID used to store GateData in a context.
+var GateData = KeyWrapper("__context_gate_data_key")
 
 // AttachUserAuth adds user authentication via center to router using log for logging.
 func AttachUserAuth(router *mux.Router, center auth.Center, log *zap.Logger) {
 	router.Use(func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			var ctx context.Context
-			token, err := center.Authenticate(r)
+			tokens, err := center.Authenticate(r)
 			if err != nil {
 				if err == auth.ErrNoAuthorizationHeader {
 					log.Debug("couldn't receive bearer token, using neofs-key")
@@ -31,7 +31,7 @@ func AttachUserAuth(router *mux.Router, center auth.Center, log *zap.Logger) {
 					return
 				}
 			} else {
-				ctx = context.WithValue(r.Context(), BearerTokenKey, token)
+				ctx = context.WithValue(r.Context(), GateData, tokens)
 			}
 
 			h.ServeHTTP(w, r.WithContext(ctx))