diff --git a/acl/convert.go b/acl/convert.go
index 342c110..0cf455c 100644
--- a/acl/convert.go
+++ b/acl/convert.go
@@ -2,6 +2,8 @@ package acl
 
 import (
 	acl "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl/grpc"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape"
+	apeGRPC "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape/grpc"
 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
 	refsGRPC "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs/grpc"
 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/grpc"
@@ -418,6 +420,54 @@ func (l *TokenLifetime) FromGRPCMessage(m grpc.Message) error {
 	return nil
 }
 
+func (c *APEOverride) ToGRPCMessage() grpc.Message {
+	var m *acl.BearerToken_Body_APEOverride
+
+	if c != nil {
+		m = new(acl.BearerToken_Body_APEOverride)
+
+		m.SetTarget(c.target.ToGRPCMessage().(*apeGRPC.ChainTarget))
+
+		if len(c.chains) > 0 {
+			apeChains := make([]*apeGRPC.Chain, len(c.chains))
+			for i := range c.chains {
+				apeChains[i] = c.chains[i].ToGRPCMessage().(*apeGRPC.Chain)
+			}
+			m.SetChains(apeChains)
+		}
+	}
+
+	return m
+}
+
+func (c *APEOverride) FromGRPCMessage(m grpc.Message) error {
+	v, ok := m.(*acl.BearerToken_Body_APEOverride)
+	if !ok {
+		return message.NewUnexpectedMessageType(m, v)
+	}
+
+	if targetGRPC := v.GetTarget(); targetGRPC != nil {
+		if c.target == nil {
+			c.target = new(ape.ChainTarget)
+		}
+		if err := c.target.FromGRPCMessage(v.GetTarget()); err != nil {
+			return err
+		}
+	}
+
+	if apeChains := v.GetChains(); len(apeChains) > 0 {
+		c.chains = make([]*ape.Chain, len(apeChains))
+		for i := range apeChains {
+			c.chains[i] = new(ape.Chain)
+			if err := c.chains[i].FromGRPCMessage(apeChains[i]); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 func (bt *BearerTokenBody) ToGRPCMessage() grpc.Message {
 	var m *acl.BearerToken_Body
 
@@ -428,6 +478,7 @@ func (bt *BearerTokenBody) ToGRPCMessage() grpc.Message {
 		m.SetLifetime(bt.lifetime.ToGRPCMessage().(*acl.BearerToken_Body_TokenLifetime))
 		m.SetEaclTable(bt.eacl.ToGRPCMessage().(*acl.EACLTable))
 		m.SetAllowImpersonate(bt.impersonate)
+		m.SetAPEOverride(bt.apeOverride.ToGRPCMessage().(*acl.BearerToken_Body_APEOverride))
 	}
 
 	return m
@@ -477,7 +528,19 @@ func (bt *BearerTokenBody) FromGRPCMessage(m grpc.Message) error {
 			bt.eacl = new(Table)
 		}
 
-		err = bt.eacl.FromGRPCMessage(eacl)
+		if err = bt.eacl.FromGRPCMessage(eacl); err != nil {
+			return err
+		}
+	}
+
+	if apeOverrideGRPC := v.GetApeOverride(); apeOverrideGRPC != nil {
+		if bt.apeOverride == nil {
+			bt.apeOverride = new(APEOverride)
+		}
+		err = bt.apeOverride.FromGRPCMessage(apeOverrideGRPC)
+		if err != nil {
+			return err
+		}
 	}
 
 	bt.impersonate = v.GetAllowImpersonate()
diff --git a/acl/grpc/types.go b/acl/grpc/types.go
index ce50e2f..fbcbb91 100644
--- a/acl/grpc/types.go
+++ b/acl/grpc/types.go
@@ -1,6 +1,7 @@
 package acl
 
 import (
+	ape "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape/grpc"
 	refs "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs/grpc"
 )
 
@@ -74,6 +75,18 @@ func (m *BearerToken_Body) SetEaclTable(v *EACLTable) {
 	m.EaclTable = v
 }
 
+func (m *BearerToken_Body) SetAPEOverride(v *BearerToken_Body_APEOverride) {
+	m.ApeOverride = v
+}
+
+func (m *BearerToken_Body_APEOverride) SetChains(v []*ape.Chain) {
+	m.Chains = v
+}
+
+func (m *BearerToken_Body_APEOverride) SetTarget(v *ape.ChainTarget) {
+	m.Target = v
+}
+
 // SetOwnerId sets identifier of the bearer token owner.
 func (m *BearerToken_Body) SetOwnerId(v *refs.OwnerID) {
 	m.OwnerId = v
diff --git a/acl/grpc/types.pb.go b/acl/grpc/types.pb.go
index 1b57b1a..aec449c 100644
Binary files a/acl/grpc/types.pb.go and b/acl/grpc/types.pb.go differ
diff --git a/acl/json.go b/acl/json.go
index 0e2078b..9046555 100644
--- a/acl/json.go
+++ b/acl/json.go
@@ -21,6 +21,14 @@ func (t *Target) UnmarshalJSON(data []byte) error {
 	return message.UnmarshalJSON(t, data, new(acl.EACLRecord_Target))
 }
 
+func (a *APEOverride) MarshalJSON() ([]byte, error) {
+	return message.MarshalJSON(a)
+}
+
+func (a *APEOverride) UnmarshalJSON(data []byte) error {
+	return message.UnmarshalJSON(a, data, new(acl.BearerToken_Body_APEOverride))
+}
+
 func (r *Record) MarshalJSON() ([]byte, error) {
 	return message.MarshalJSON(r)
 }
diff --git a/acl/marshal.go b/acl/marshal.go
index cd6c6dd..2e59304 100644
--- a/acl/marshal.go
+++ b/acl/marshal.go
@@ -28,10 +28,14 @@ const (
 	lifetimeNotValidBeforeField = 2
 	lifetimeIssuedAtField       = 3
 
-	bearerTokenBodyACLField      = 1
-	bearerTokenBodyOwnerField    = 2
-	bearerTokenBodyLifetimeField = 3
-	bearerTokenBodyImpersonate   = 4
+	tokenAPEChainsTargetField = 1
+	tokenAPEChainsChainsField = 2
+
+	bearerTokenBodyACLField        = 1
+	bearerTokenBodyOwnerField      = 2
+	bearerTokenBodyLifetimeField   = 3
+	bearerTokenBodyImpersonate     = 4
+	bearerTokenTokenAPEChainsField = 5
 
 	bearerTokenBodyField      = 1
 	bearerTokenSignatureField = 2
@@ -239,6 +243,42 @@ func (l *TokenLifetime) Unmarshal(data []byte) error {
 	return message.Unmarshal(l, data, new(acl.BearerToken_Body_TokenLifetime))
 }
 
+func (c *APEOverride) StableMarshal(buf []byte) []byte {
+	if c == nil {
+		return []byte{}
+	}
+
+	if buf == nil {
+		buf = make([]byte, c.StableSize())
+	}
+
+	var offset int
+
+	offset += protoutil.NestedStructureMarshal(tokenAPEChainsTargetField, buf[offset:], c.target)
+	for i := range c.chains {
+		offset += protoutil.NestedStructureMarshal(tokenAPEChainsChainsField, buf[offset:], c.chains[i])
+	}
+
+	return buf
+}
+
+func (c *APEOverride) StableSize() (size int) {
+	if c == nil {
+		return 0
+	}
+
+	size += protoutil.NestedStructureSize(tokenAPEChainsTargetField, c.target)
+	for i := range c.chains {
+		size += protoutil.NestedStructureSize(tokenAPEChainsChainsField, c.chains[i])
+	}
+
+	return size
+}
+
+func (c *APEOverride) Unmarshal(data []byte) error {
+	return message.Unmarshal(c, data, new(acl.BearerToken_Body_APEOverride))
+}
+
 func (bt *BearerTokenBody) StableMarshal(buf []byte) []byte {
 	if bt == nil {
 		return []byte{}
@@ -253,7 +293,8 @@ func (bt *BearerTokenBody) StableMarshal(buf []byte) []byte {
 	offset += protoutil.NestedStructureMarshal(bearerTokenBodyACLField, buf[offset:], bt.eacl)
 	offset += protoutil.NestedStructureMarshal(bearerTokenBodyOwnerField, buf[offset:], bt.ownerID)
 	offset += protoutil.NestedStructureMarshal(bearerTokenBodyLifetimeField, buf[offset:], bt.lifetime)
-	protoutil.BoolMarshal(bearerTokenBodyImpersonate, buf[offset:], bt.impersonate)
+	offset += protoutil.BoolMarshal(bearerTokenBodyImpersonate, buf[offset:], bt.impersonate)
+	protoutil.NestedStructureMarshal(bearerTokenTokenAPEChainsField, buf[offset:], bt.apeOverride)
 
 	return buf
 }
@@ -267,6 +308,7 @@ func (bt *BearerTokenBody) StableSize() (size int) {
 	size += protoutil.NestedStructureSize(bearerTokenBodyOwnerField, bt.ownerID)
 	size += protoutil.NestedStructureSize(bearerTokenBodyLifetimeField, bt.lifetime)
 	size += protoutil.BoolSize(bearerTokenBodyImpersonate, bt.impersonate)
+	size += protoutil.NestedStructureSize(bearerTokenTokenAPEChainsField, bt.apeOverride)
 
 	return size
 }
diff --git a/acl/test/generate.go b/acl/test/generate.go
index 3151c52..30a960a 100644
--- a/acl/test/generate.go
+++ b/acl/test/generate.go
@@ -2,6 +2,7 @@ package acltest
 
 import (
 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
+	apetest "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape/test"
 	accountingtest "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs/test"
 )
 
@@ -22,8 +23,20 @@ func GenerateBearerTokenBody(empty bool) *acl.BearerTokenBody {
 
 	if !empty {
 		m.SetOwnerID(accountingtest.GenerateOwnerID(false))
-		m.SetEACL(GenerateTable(false))
 		m.SetLifetime(GenerateTokenLifetime(false))
+		m.SetAPEOverride(GenerateAPEOverride(empty))
+	}
+
+	return m
+}
+
+func GenerateAPEOverride(empty bool) *acl.APEOverride {
+	var m *acl.APEOverride
+
+	if !empty {
+		m = new(acl.APEOverride)
+		m.SetTarget(apetest.GenerateChainTarget(empty))
+		m.SetChains(apetest.GenerateRawChains(false, 3))
 	}
 
 	return m
diff --git a/acl/types.go b/acl/types.go
index 1524e7b..b42528b 100644
--- a/acl/types.go
+++ b/acl/types.go
@@ -1,6 +1,9 @@
 package acl
 
-import "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
+import (
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
+)
 
 // HeaderFilter is a unified structure of FilterInfo
 // message from proto definition.
@@ -46,6 +49,12 @@ type TokenLifetime struct {
 	exp, nbf, iat uint64
 }
 
+type APEOverride struct {
+	target *ape.ChainTarget
+
+	chains []*ape.Chain
+}
+
 type BearerTokenBody struct {
 	eacl *Table
 
@@ -53,6 +62,8 @@ type BearerTokenBody struct {
 
 	lifetime *TokenLifetime
 
+	apeOverride *APEOverride
+
 	impersonate bool
 }
 
@@ -318,6 +329,34 @@ func (bt *BearerTokenBody) SetEACL(v *Table) {
 	bt.eacl = v
 }
 
+func (t *APEOverride) GetTarget() *ape.ChainTarget {
+	return t.target
+}
+
+func (t *APEOverride) GetChains() []*ape.Chain {
+	return t.chains
+}
+
+func (t *APEOverride) SetTarget(v *ape.ChainTarget) {
+	t.target = v
+}
+
+func (t *APEOverride) SetChains(v []*ape.Chain) {
+	t.chains = v
+}
+
+func (bt *BearerTokenBody) GetAPEOverride() *APEOverride {
+	if bt != nil {
+		return bt.apeOverride
+	}
+
+	return nil
+}
+
+func (bt *BearerTokenBody) SetAPEOverride(v *APEOverride) {
+	bt.apeOverride = v
+}
+
 func (bt *BearerTokenBody) GetOwnerID() *refs.OwnerID {
 	if bt != nil {
 		return bt.ownerID