diff --git a/cmd/neofs-node/session.go b/cmd/neofs-node/session.go
index dfda3e5c9..39c4bb681 100644
--- a/cmd/neofs-node/session.go
+++ b/cmd/neofs-node/session.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	sessionGRPC "github.com/nspcc-dev/neofs-api-go/v2/session/grpc"
+	"github.com/nspcc-dev/neofs-node/pkg/morph/event"
+	"github.com/nspcc-dev/neofs-node/pkg/morph/event/netmap"
 	sessionTransportGRPC "github.com/nspcc-dev/neofs-node/pkg/network/transport/session/grpc"
 	sessionSvc "github.com/nspcc-dev/neofs-node/pkg/services/session"
 	"github.com/nspcc-dev/neofs-node/pkg/services/session/storage"
@@ -9,6 +11,9 @@ import (
 
 func initSessionService(c *cfg) {
 	c.privateTokenStore = storage.New()
+	addNewEpochNotificationHandler(c, func(ev event.Event) {
+		c.privateTokenStore.RemoveOld(ev.(netmap.NewEpoch).EpochNumber())
+	})
 
 	server := sessionTransportGRPC.New(
 		sessionSvc.NewSignService(
diff --git a/pkg/services/session/storage/storage.go b/pkg/services/session/storage/storage.go
index 3d514aab0..13c33c0d9 100644
--- a/pkg/services/session/storage/storage.go
+++ b/pkg/services/session/storage/storage.go
@@ -49,3 +49,15 @@ func (s *TokenStore) Get(ownerID *owner.ID, tokenID []byte) *PrivateToken {
 
 	return t
 }
+
+// RemoveOld removes all tokens expired since provided epoch.
+func (s *TokenStore) RemoveOld(epoch uint64) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+
+	for k, tok := range s.tokens {
+		if tok.ExpiredAt() <= epoch {
+			delete(s.tokens, k)
+		}
+	}
+}