diff --git a/docs/authentication.md b/docs/authentication.md index 4efb03f93..544839b2c 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -35,7 +35,18 @@ The hash algorithm used is SHA-256 ECDSA public key corresponding to the private key being used to sign a message. It is the primary user identity and is used to determine the request originator. -## Session token +## Tokens + +Generally, the request owner, i.e. an account all access control checks are applied to +is taken from the request signature. +However, session and bearer tokens can alter authentication process by making "effective" request owner differ from the actual one. +The general scheme is given by the following picture: + +![Token processing](images/authentication/impersonate.svg) + +It is important to note, that the token is only valid when the request signature corresponds to the actor token is issued to. + +### Session token Session token can override the rules of determining request owner. It is defined in the [frostfs-api](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/branch/master/session/types.proto#L89). @@ -50,7 +61,9 @@ Session token may have some restrictions: 2. Set of operations it applies to. 3. The entity it is given to. This is provided in `session_key` field containing the public key. -## Bearer token +### Bearer token + +Bearer token is generally used for access control but can also affect authentication if `allow_impersonate` flag is set. With this flag it behaves similarly to session token. ## FrostFS ID diff --git a/docs/images/authentication/impersonate.puml b/docs/images/authentication/impersonate.puml new file mode 100644 index 000000000..e9feae6e5 --- /dev/null +++ b/docs/images/authentication/impersonate.puml 
@@ -0,0 +1,15 @@ +@startuml impersonate +start + +if (The request has bearer token with allow_impersonate=true?) then (yes) + :Treat bearer token issuer as the request owner.; + end +(no) elseif (The request has session token?) then (yes) + :Treat session token issuer as the request owner.; + end +else (no) + :Determine request owner from the request signature.; + end +endif + +@enduml \ No newline at end of file diff --git a/docs/images/authentication/impersonate.svg b/docs/images/authentication/impersonate.svg new file mode 100644 index 000000000..add2c5439 --- /dev/null +++ b/docs/images/authentication/impersonate.svg @@ -0,0 +1 @@ +yesThe request has bearer token with allow_impersonate=true?Treat bearer token issuer as the request owner.yesThe request has session token?nonoTreat session token issuer as the request owner.Determine request owner from the request signature. \ No newline at end of file
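Review bot: in the first `docs/authentication.md` hunk (`@@ -35,7 +35,18 @@`), the precedence between the two token kinds is stated only in the embedded image, not in the text, so anyone reading the markdown without the SVG (or reviewing the diff) cannot tell that a bearer token with `allow_impersonate=true` wins over a session token. Add one sentence after the image, e.g. "If a request carries both, a bearer token with `allow_impersonate` set takes precedence over the session token; otherwise the session token applies." The same hunk also needs small wording fixes: "the actor token is issued to" should read "the actor the token is issued to", "can alter authentication process" should be "can alter the authentication process", and "the request owner, i.e. an account all access control checks are applied to is taken from" needs commas around the "i.e." clause. Finally, "the actor the token is issued to" is concrete for session tokens (the `session_key` field named in the next hunk) but not for bearer tokens; name the bearer token field that carries that key, or say explicitly that the same rule holds for both.

Review bot: in the second `docs/authentication.md` hunk (`@@ -50,7 +61,9 @@`), "With this flag it behaves similarly to session token" is too vague for a control that changes who the access checks run against. State the effect directly, consistent with the diagram: "With `allow_impersonate` set, the bearer token issuer is treated as the request owner, provided the request is signed by the key the token was issued to." It is also worth saying whether the restrictions listed for session tokens just above (lifetime, set of operations, entity it is given to) are enforced for an impersonating bearer token, since the hunk is silent on that. Minor: "if `allow_impersonate` flag is set" should be "if the `allow_impersonate` flag is set".

Review bot: in `docs/images/authentication/impersonate.puml`, the flow decides ownership purely on the presence of a token (`The request has bearer token with allow_impersonate=true?`, `The request has session token?`), while the prose says a token is only valid when the request signature matches the actor it was issued to. As drawn, a present-but-invalid token still ends with "Treat bearer token issuer as the request owner." Either add the validity check as a branch (and show whether an invalid token is rejected or falls through to signature-based ownership) or put a note on the diagram saying the checks assume a valid token. Also add the trailing newline the file is missing (`\ No newline at end of file`).

Review bot: `docs/images/authentication/impersonate.svg` is a generated rendering of `impersonate.puml` committed as a single line without a trailing newline; it will need to be regenerated whenever the `.puml` changes, so consider adding a note or build step for that and fixing the missing newline so the two files stay in step.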