diff --git a/pool/cache.go b/pool/cache.go
index 80a61e7..c566f32 100644
--- a/pool/cache.go
+++ b/pool/cache.go
@@ -26,6 +26,9 @@ func newCache() (*sessionCache, error) {
 	return &sessionCache{cache: cache}, nil
 }
 
+// Get returns a copy of the session token from the cache without signature
+// and context related fields. Returns nil if token is missing in the cache.
+// It is safe to modify and re-sign returned session token.
 func (c *sessionCache) Get(key string) *session.Token {
 	valueRaw, ok := c.cache.Get(key)
 	if !ok {
@@ -35,7 +38,13 @@ func (c *sessionCache) Get(key string) *session.Token {
 	value := valueRaw.(*cacheValue)
 	value.atime = time.Now()
 
-	return value.token
+	if value.token == nil {
+		return nil
+	}
+
+	res := copySessionTokenWithoutSignatureAndContext(*value.token)
+
+	return &res
 }
 
 func (c *sessionCache) GetAccessTime(key string) (time.Time, bool) {
diff --git a/pool/pool.go b/pool/pool.go
index f53b706..e39d251 100644
--- a/pool/pool.go
+++ b/pool/pool.go
@@ -1582,3 +1582,30 @@ func newAddressFromCnrID(cnrID *cid.ID) *address.Address {
 	addr.SetContainerID(cnrID)
 	return addr
 }
+
+func copySessionTokenWithoutSignatureAndContext(from session.Token) (to session.Token) {
+	to.SetIat(from.Iat())
+	to.SetExp(from.Exp())
+	to.SetNbf(from.Nbf())
+
+	sessionTokenID := make([]byte, len(from.ID()))
+	copy(sessionTokenID, from.ID())
+	to.SetID(sessionTokenID)
+
+	sessionTokenKey := make([]byte, len(from.SessionKey()))
+	copy(sessionTokenKey, from.SessionKey())
+	to.SetSessionKey(sessionTokenKey)
+
+	var sessionTokenOwner owner.ID
+	buf, err := from.OwnerID().Marshal()
+	if err != nil {
+		panic(err) // should never happen
+	}
+	err = sessionTokenOwner.Unmarshal(buf)
+	if err != nil {
+		panic(err) // should never happen
+	}
+	to.SetOwnerID(&sessionTokenOwner)
+
+	return to
+}
diff --git a/pool/pool_test.go b/pool/pool_test.go
index 9f53aee..56d4a1f 100644
--- a/pool/pool_test.go
+++ b/pool/pool_test.go
@@ -19,6 +19,7 @@ import (
 	"github.com/nspcc-dev/neofs-sdk-go/object/address"
 	"github.com/nspcc-dev/neofs-sdk-go/owner"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
+	sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap"
 )
@@ -639,3 +640,32 @@ func TestWaitPresence(t *testing.T) {
 		require.NoError(t, err)
 	})
 }
+
+func TestCopySessionTokenWithoutSignatureAndContext(t *testing.T) {
+	from := sessiontest.SignedToken()
+	to := copySessionTokenWithoutSignatureAndContext(*from)
+
+	require.Equal(t, from.Nbf(), to.Nbf())
+	require.Equal(t, from.Exp(), to.Exp())
+	require.Equal(t, from.Iat(), to.Iat())
+	require.Equal(t, from.ID(), to.ID())
+	require.Equal(t, from.OwnerID().String(), to.OwnerID().String())
+	require.Equal(t, from.SessionKey(), to.SessionKey())
+
+	require.Empty(t, to.Signature().Sign())
+	require.Empty(t, to.Signature().Key())
+
+	t.Run("empty object context", func(t *testing.T) {
+		octx := sessiontest.ObjectContext()
+		from.SetContext(octx)
+		to = copySessionTokenWithoutSignatureAndContext(*from)
+		require.Nil(t, to.Context())
+	})
+
+	t.Run("empty container context", func(t *testing.T) {
+		cctx := sessiontest.ContainerContext()
+		from.SetContext(cctx)
+		to = copySessionTokenWithoutSignatureAndContext(*from)
+		require.Nil(t, to.Context())
+	})
+}