diff --git a/pkg/services/common/ape/checker.go b/pkg/services/common/ape/checker.go
index fcd3efa44..ac15dd107 100644
--- a/pkg/services/common/ape/checker.go
+++ b/pkg/services/common/ape/checker.go
@@ -148,6 +148,11 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 		}
 	}
 
+	// Ignore verification checks if token is impersonated.
+	if token.Impersonate() {
+		return nil
+	}
+
 	// Then check if container owner signed this token.
 	if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
 		return errBearerNotSignedByOwner
diff --git a/pkg/services/tree/signature_test.go b/pkg/services/tree/signature_test.go
index 13a5c1395..ca1e438cc 100644
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@@ -297,7 +297,7 @@ func TestMessageSign(t *testing.T) {
 			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})
 
-		t.Run("impersonate but invalid signer", func(t *testing.T) {
+		t.Run("impersonate but different signer", func(t *testing.T) {
 			var bt bearer.Token
 			bt.SetExp(10)
 			bt.SetImpersonate(true)
@@ -312,8 +312,33 @@ func TestMessageSign(t *testing.T) {
 			req.Body.BearerToken = bt.Marshal()
 
 			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+		})
+
+		t.Run("impersonate but different issuer", func(t *testing.T) {
+			var bt bearer.Token
+			bt.SetExp(10)
+			bt.SetImpersonate(true)
+
+			differentUserPrivKey, err := keys.NewPrivateKey()
+			require.NoError(t, err)
+
+			var reqSigner user.ID
+			user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*differentUserPrivKey.PublicKey()))
+
+			bt.ForUser(reqSigner)
+			bt.SetAPEOverride(bearer.APEOverride{
+				Target: ape.ChainTarget{
+					TargetType: ape.TargetTypeContainer,
+					Name:       cid1.EncodeToString(),
+				},
+				Chains: []ape.Chain{},
+			})
+			require.NoError(t, bt.Sign(privs[0].PrivateKey))
+			req.Body.BearerToken = bt.Marshal()
+
+			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})
 
 		bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())