From 364257c5fdf7445067114bf8926b070c0e9a5c9d Mon Sep 17 00:00:00 2001
From: Angira Kekteeva <kira@nspcc.ru>
Date: Mon, 14 Jun 2021 16:20:49 +0300
Subject: [PATCH 1/2] [#48] creda: Add accessbox in protobuf format

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
---
 Makefile                        |   9 ++
 creds/accessbox/accessbox.pb.go | 250 ++++++++++++++++++++++++++++++++
 creds/accessbox/accessbox.proto |  19 +++
 go.mod                          |   2 +
 4 files changed, 280 insertions(+)
 create mode 100644 creds/accessbox/accessbox.pb.go
 create mode 100644 creds/accessbox/accessbox.proto

diff --git a/Makefile b/Makefile
index 6609e48..ed43e58 100644
--- a/Makefile
+++ b/Makefile
@@ -109,3 +109,12 @@ help:
 # Clean up
 clean:
 	rm -rf $(BINDIR)
+
+protoc:
+	# Protoc generate
+	@for f in `find . -type f -name '*.proto' -not -path './vendor/*'`; do \
+		echo "⇒ Processing $$f "; \
+		protoc \
+			--go_out=paths=source_relative:. $$f; \
+	done
+	rm -rf vendor
diff --git a/creds/accessbox/accessbox.pb.go b/creds/accessbox/accessbox.pb.go
new file mode 100644
index 0000000..b457d8e
--- /dev/null
+++ b/creds/accessbox/accessbox.pb.go
@@ -0,0 +1,250 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.15.8
+// source: creds/accessbox/accessbox.proto
+
+package accessbox
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type AccessBox struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	OwnerPublicKey []byte             `protobuf:"bytes,1,opt,name=ownerPublicKey,json=oownerPublicKey,proto3" json:"ownerPublicKey,omitempty"`
+	BearerTokens   []*AccessBox_Token `protobuf:"bytes,2,rep,name=bearerTokens,proto3" json:"bearerTokens,omitempty"`
+	SessionTokens  []*AccessBox_Token `protobuf:"bytes,3,rep,name=sessionTokens,proto3" json:"sessionTokens,omitempty"`
+}
+
+func (x *AccessBox) Reset() {
+	*x = AccessBox{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_creds_accessbox_accessbox_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AccessBox) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AccessBox) ProtoMessage() {}
+
+func (x *AccessBox) ProtoReflect() protoreflect.Message {
+	mi := &file_creds_accessbox_accessbox_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AccessBox.ProtoReflect.Descriptor instead.
+func (*AccessBox) Descriptor() ([]byte, []int) {
+	return file_creds_accessbox_accessbox_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *AccessBox) GetOwnerPublicKey() []byte {
+	if x != nil {
+		return x.OwnerPublicKey
+	}
+	return nil
+}
+
+func (x *AccessBox) GetBearerTokens() []*AccessBox_Token {
+	if x != nil {
+		return x.BearerTokens
+	}
+	return nil
+}
+
+func (x *AccessBox) GetSessionTokens() []*AccessBox_Token {
+	if x != nil {
+		return x.SessionTokens
+	}
+	return nil
+}
+
+type AccessBox_Token struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Token         []byte `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+	GatePublicKey []byte `protobuf:"bytes,2,opt,name=gatePublicKey,proto3" json:"gatePublicKey,omitempty"`
+}
+
+func (x *AccessBox_Token) Reset() {
+	*x = AccessBox_Token{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_creds_accessbox_accessbox_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AccessBox_Token) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AccessBox_Token) ProtoMessage() {}
+
+func (x *AccessBox_Token) ProtoReflect() protoreflect.Message {
+	mi := &file_creds_accessbox_accessbox_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AccessBox_Token.ProtoReflect.Descriptor instead.
+func (*AccessBox_Token) Descriptor() ([]byte, []int) {
+	return file_creds_accessbox_accessbox_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *AccessBox_Token) GetToken() []byte {
+	if x != nil {
+		return x.Token
+	}
+	return nil
+}
+
+func (x *AccessBox_Token) GetGatePublicKey() []byte {
+	if x != nil {
+		return x.GatePublicKey
+	}
+	return nil
+}
+
+var File_creds_accessbox_accessbox_proto protoreflect.FileDescriptor
+
+var file_creds_accessbox_accessbox_proto_rawDesc = []byte{
+	0x0a, 0x1f, 0x63, 0x72, 0x65, 0x64, 0x73, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f,
+	0x78, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x09, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x22, 0xfb, 0x01, 0x0a,
+	0x09, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x42, 0x6f, 0x78, 0x12, 0x27, 0x0a, 0x0e, 0x6f, 0x77,
+	0x6e, 0x65, 0x72, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x0f, 0x6f, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63,
+	0x4b, 0x65, 0x79, 0x12, 0x3e, 0x0a, 0x0c, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x61, 0x63, 0x63, 0x65,
+	0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x42, 0x6f, 0x78, 0x2e,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x0c, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x73, 0x12, 0x40, 0x0a, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x61, 0x63, 0x63,
+	0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x42, 0x6f, 0x78,
+	0x2e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x1a, 0x43, 0x0a, 0x05, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x14,
+	0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x74,
+	0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x24, 0x0a, 0x0d, 0x67, 0x61, 0x74, 0x65, 0x50, 0x75, 0x62, 0x6c,
+	0x69, 0x63, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x67, 0x61, 0x74,
+	0x65, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x3b, 0x5a, 0x39, 0x67, 0x69,
+	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6e, 0x73, 0x70, 0x63, 0x63, 0x2d, 0x64,
+	0x65, 0x76, 0x2f, 0x6e, 0x65, 0x6f, 0x66, 0x73, 0x2d, 0x73, 0x33, 0x2d, 0x67, 0x77, 0x2f, 0x63,
+	0x72, 0x65, 0x64, 0x73, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x62, 0x6f, 0x78, 0x3b, 0x61, 0x63,
+	0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_creds_accessbox_accessbox_proto_rawDescOnce sync.Once
+	file_creds_accessbox_accessbox_proto_rawDescData = file_creds_accessbox_accessbox_proto_rawDesc
+)
+
+func file_creds_accessbox_accessbox_proto_rawDescGZIP() []byte {
+	file_creds_accessbox_accessbox_proto_rawDescOnce.Do(func() {
+		file_creds_accessbox_accessbox_proto_rawDescData = protoimpl.X.CompressGZIP(file_creds_accessbox_accessbox_proto_rawDescData)
+	})
+	return file_creds_accessbox_accessbox_proto_rawDescData
+}
+
+var file_creds_accessbox_accessbox_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_creds_accessbox_accessbox_proto_goTypes = []interface{}{
+	(*AccessBox)(nil),       // 0: accessbox.AccessBox
+	(*AccessBox_Token)(nil), // 1: accessbox.AccessBox.Token
+}
+var file_creds_accessbox_accessbox_proto_depIdxs = []int32{
+	1, // 0: accessbox.AccessBox.bearerTokens:type_name -> accessbox.AccessBox.Token
+	1, // 1: accessbox.AccessBox.sessionTokens:type_name -> accessbox.AccessBox.Token
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_creds_accessbox_accessbox_proto_init() }
+func file_creds_accessbox_accessbox_proto_init() {
+	if File_creds_accessbox_accessbox_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_creds_accessbox_accessbox_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*AccessBox); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_creds_accessbox_accessbox_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*AccessBox_Token); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_creds_accessbox_accessbox_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_creds_accessbox_accessbox_proto_goTypes,
+		DependencyIndexes: file_creds_accessbox_accessbox_proto_depIdxs,
+		MessageInfos:      file_creds_accessbox_accessbox_proto_msgTypes,
+	}.Build()
+	File_creds_accessbox_accessbox_proto = out.File
+	file_creds_accessbox_accessbox_proto_rawDesc = nil
+	file_creds_accessbox_accessbox_proto_goTypes = nil
+	file_creds_accessbox_accessbox_proto_depIdxs = nil
+}
diff --git a/creds/accessbox/accessbox.proto b/creds/accessbox/accessbox.proto
new file mode 100644
index 0000000..8906c92
--- /dev/null
+++ b/creds/accessbox/accessbox.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package accessbox;
+
+option go_package = "github.com/nspcc-dev/neofs-s3-gw/creds/tokenbox;accessbox";
+
+
+
+message AccessBox {
+    message Token {
+        bytes token = 1 [json_name = "token"];
+        bytes gatePublicKey = 2 [json_name = "gatePublicKey"];
+    }
+
+    bytes ownerPublicKey = 1 [json_name = "oownerPublicKey"];
+    repeated Token bearerTokens = 2 [json_name = "bearerTokens"];
+    repeated Token sessionTokens = 3 [json_name = "sessionTokens"];
+}
+
diff --git a/go.mod b/go.mod
index 2f1ee8e..7896b05 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.16
 
 require (
 	github.com/aws/aws-sdk-go v1.37.9
+	github.com/golang/protobuf v1.4.3
 	github.com/google/uuid v1.2.0
 	github.com/gorilla/mux v1.8.0
 	github.com/nspcc-dev/neofs-api-go v1.27.0
@@ -21,4 +22,5 @@ require (
 	golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073 // indirect
 	golang.org/x/text v0.3.5 // indirect
 	google.golang.org/grpc v1.36.1
+	google.golang.org/protobuf v1.25.0
 )

From fe2d507121fe56f70c2f0b680920e41946d2134a Mon Sep 17 00:00:00 2001
From: Angira Kekteeva <kira@nspcc.ru>
Date: Mon, 14 Jun 2021 16:39:25 +0300
Subject: [PATCH 2/2] [#48] creds,authmate:Replace old accessbox by new

Removed encoder, decoder wraps.
Made changes in api, authmate and creds via new accessbox.
Updated bearer_token_tests via new accessbox.

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
---
 api/auth/center.go                      |   8 +-
 authmate/authmate.go                    |  18 ++-
 creds/accessbox/accessbox.go            | 205 +++++++++++++++++++++---
 creds/accessbox/bearer_token.go         |  43 -----
 creds/accessbox/bearer_token_test.go    | 176 +++++++++-----------
 creds/accessbox/decoder.go              |  88 ----------
 creds/accessbox/encoder.go              |  85 ----------
 creds/hcs/public.go                     |   9 +-
 creds/{bearer => tokens}/credentials.go |  68 +++++---
 9 files changed, 324 insertions(+), 376 deletions(-)
 delete mode 100644 creds/accessbox/bearer_token.go
 delete mode 100644 creds/accessbox/decoder.go
 delete mode 100644 creds/accessbox/encoder.go
 rename creds/{bearer => tokens}/credentials.go (64%)

diff --git a/api/auth/center.go b/api/auth/center.go
index 565f11f..eda6481 100644
--- a/api/auth/center.go
+++ b/api/auth/center.go
@@ -15,8 +15,8 @@ import (
 	"github.com/nspcc-dev/neofs-api-go/pkg/object"
 	"github.com/nspcc-dev/neofs-api-go/pkg/token"
 	"github.com/nspcc-dev/neofs-s3-gw/authmate"
-	"github.com/nspcc-dev/neofs-s3-gw/creds/bearer"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/hcs"
+	"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
 	"github.com/nspcc-dev/neofs-sdk-go/pkg/pool"
 	"go.uber.org/zap"
 )
@@ -31,7 +31,7 @@ type (
 
 	center struct {
 		reg *regexpSubmatcher
-		cli bearer.Credentials
+		cli tokens.Credentials
 	}
 
 	// Params stores node connection parameters.
@@ -57,7 +57,7 @@ var _ io.ReadSeeker = prs(0)
 // New creates an instance of AuthCenter.
 func New(conns pool.Pool, key hcs.PrivateKey) Center {
 	return &center{
-		cli: bearer.New(conns, key),
+		cli: tokens.New(conns, key),
 		reg: &regexpSubmatcher{re: authorizationFieldRegexp},
 	}
 }
@@ -96,7 +96,7 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
 		return nil, fmt.Errorf("could not parse AccessBox address: %s : %w", accessKeyID, err)
 	}
 
-	tkn, err := c.cli.Get(r.Context(), address)
+	tkn, err := c.cli.GetBearerToken(r.Context(), address)
 	if err != nil {
 		return nil, err
 	}
diff --git a/authmate/authmate.go b/authmate/authmate.go
index b994c3f..dd90c31 100644
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@@ -20,8 +20,9 @@ import (
 	"github.com/nspcc-dev/neofs-api-go/pkg/owner"
 	"github.com/nspcc-dev/neofs-api-go/pkg/token"
 	"github.com/nspcc-dev/neofs-node/pkg/policy"
-	"github.com/nspcc-dev/neofs-s3-gw/creds/bearer"
+	"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/hcs"
+	"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
 	"github.com/nspcc-dev/neofs-sdk-go/pkg/pool"
 	"go.uber.org/zap"
 )
@@ -129,6 +130,7 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 	var (
 		err error
 		cid *cid.ID
+		box accessbox.AccessBox
 	)
 
 	a.log.Info("check container", zap.Stringer("cid", options.ContainerID))
@@ -148,12 +150,18 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 		return fmt.Errorf("failed to build bearer token: %w", err)
 	}
 
+	box.SetOwnerPublicKey(options.OwnerPrivateKey.PublicKey())
+	err = box.AddBearerToken(tkn, options.OwnerPrivateKey, options.GatesPublicKeys...)
+	if err != nil {
+		return fmt.Errorf("failed to add token to accessbox: %w", err)
+	}
+
 	a.log.Info("store bearer token into NeoFS",
 		zap.Stringer("owner_tkn", tkn.Issuer()))
 
-	address, err := bearer.
+	address, err := tokens.
 		New(a.pool, options.OwnerPrivateKey).
-		Put(ctx, cid, tkn, options.GatesPublicKeys...)
+		Put(ctx, cid, tkn.Issuer(), &box, options.GatesPublicKeys...)
 	if err != nil {
 		return fmt.Errorf("failed to put bearer token: %w", err)
 	}
@@ -179,13 +187,13 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 // ObtainSecret receives an existing secret access key from NeoFS and
 // writes to io.Writer the secret access key.
 func (a *Agent) ObtainSecret(ctx context.Context, w io.Writer, options *ObtainSecretOptions) error {
-	bearerCreds := bearer.New(a.pool, options.GatePrivateKey)
+	bearerCreds := tokens.New(a.pool, options.GatePrivateKey)
 	address := object.NewAddress()
 	if err := address.Parse(options.SecretAddress); err != nil {
 		return fmt.Errorf("failed to parse secret address: %w", err)
 	}
 
-	tkn, err := bearerCreds.Get(ctx, address)
+	tkn, err := bearerCreds.GetBearerToken(ctx, address)
 	if err != nil {
 		return fmt.Errorf("failed to get bearer token: %w", err)
 	}
diff --git a/creds/accessbox/accessbox.go b/creds/accessbox/accessbox.go
index 66bcd36..0fc2b7d 100644
--- a/creds/accessbox/accessbox.go
+++ b/creds/accessbox/accessbox.go
@@ -1,29 +1,184 @@
 package accessbox
 
-import "github.com/nspcc-dev/neofs-api-go/pkg/token"
+import (
+	"bytes"
+	"crypto/rand"
+	"fmt"
 
-type (
-	// Box provides marshalling/unmarshalling for the token.
-	Box interface {
-		Marshal() ([]byte, error)
-		Unmarshal([]byte) error
-	}
-
-	// Encoder provides encoding method.
-	Encoder interface {
-		Encode(Box) error
-	}
-
-	// Decoder provides decoding method.
-	Decoder interface {
-		Decode(Box) error
-	}
-
-	// BearerTokenBox is a marshalling/unmarshalling bearer token wrapper.
-	BearerTokenBox interface {
-		Box
-
-		Token() *token.BearerToken
-		SetToken(*token.BearerToken)
-	}
+	"github.com/nspcc-dev/neofs-api-go/pkg/session"
+	"github.com/nspcc-dev/neofs-api-go/pkg/token"
+	"github.com/nspcc-dev/neofs-s3-gw/creds/hcs"
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/curve25519"
+	"google.golang.org/protobuf/proto"
 )
+
+type tokenInterface interface {
+	Marshal(bs ...[]byte) ([]byte, error)
+	Unmarshal([]byte) error
+}
+
+// Marshal returns the wire-format of AccessBox.
+func (x *AccessBox) Marshal() ([]byte, error) {
+	return proto.Marshal(x)
+}
+
+// Unmarshal parses the wire-format message and put data to x.
+func (x *AccessBox) Unmarshal(data []byte) error {
+	return proto.Unmarshal(data, x)
+}
+
+// AddBearerToken adds a bearer token to BearerTokens list.
+func (x *AccessBox) AddBearerToken(tkn *token.BearerToken, owner hcs.PrivateKey, keys ...hcs.PublicKey) error {
+	if x.OwnerPublicKey == nil {
+		return fmt.Errorf("owner's public key is nil")
+	}
+	// restriction to rewrite token for the second time
+	if len(x.BearerTokens) > 0 {
+		return fmt.Errorf("bearer token is already set")
+	}
+	return x.addToken(tkn, &x.BearerTokens, owner, keys...)
+}
+
+// AddSessionToken adds a session token to SessionTokens list.
+func (x *AccessBox) AddSessionToken(tkn *session.Token, owner hcs.PrivateKey, keys ...hcs.PublicKey) error {
+	if x.OwnerPublicKey == nil {
+		return fmt.Errorf("owner's public key is nil")
+	}
+	//restriction to rewrite token for the second time
+	if len(x.SessionTokens) > 0 {
+		return fmt.Errorf("bearer token is already set")
+	}
+	return x.addToken(tkn, &x.SessionTokens, owner, keys...)
+}
+
+// SetOwnerPublicKey sets a public key of an issuer.
+func (x *AccessBox) SetOwnerPublicKey(key hcs.PublicKey) {
+	x.OwnerPublicKey = key.Bytes()
+}
+
+// GetBearerToken returns bearer token from AccessBox.
+func (x *AccessBox) GetBearerToken(owner hcs.PrivateKey) (*token.BearerToken, error) {
+	sender, err := hcs.PublicKeyFromBytes(x.OwnerPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load owner public key from AccessBox: %w", err)
+	}
+	for _, data := range x.BearerTokens {
+		if !bytes.Equal(data.GatePublicKey, owner.PublicKey().Bytes()) {
+			continue
+		}
+		tkn := token.NewBearerToken()
+		if err := decodeToken(data.Token, tkn, owner, sender); err != nil {
+			return nil, fmt.Errorf("failed to decode bearer token: %w", err)
+		}
+		return tkn, nil
+	}
+
+	return nil, fmt.Errorf("no bearer token for key  %s was found", owner.String())
+}
+
+// GetSessionToken returns session token from AccessBox.
+func (x *AccessBox) GetSessionToken(owner hcs.PrivateKey) (*session.Token, error) {
+	sender, err := hcs.PublicKeyFromBytes(x.OwnerPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load owner public key from AccessBox: %w", err)
+	}
+	for _, data := range x.SessionTokens {
+		if !bytes.Equal(data.GatePublicKey, owner.PublicKey().Bytes()) {
+			continue
+		}
+		tkn := session.NewToken()
+
+		if err := decodeToken(data.Token, tkn, owner, sender); err != nil {
+			return nil, fmt.Errorf("failed to decode session token: %w", err)
+		}
+		return tkn, nil
+	}
+
+	return nil, fmt.Errorf("no session token for key  %s was found", owner.String())
+}
+
+func (x *AccessBox) addToken(tkn tokenInterface, list *[]*AccessBox_Token, owner hcs.PrivateKey, keys ...hcs.PublicKey) error {
+	for i, sender := range keys {
+		data, err := encodeToken(tkn, owner, sender)
+		if err != nil {
+			return fmt.Errorf("%w, sender = %d", err, i)
+		}
+		*list = append(*list, newToken(data, sender.Bytes()))
+	}
+	return nil
+}
+
+func newToken(data []byte, key []byte) *AccessBox_Token {
+	res := new(AccessBox_Token)
+	res.Token = data
+	res.GatePublicKey = key
+	return res
+}
+
+func encodeToken(tkn tokenInterface, owner hcs.PrivateKey, sender hcs.PublicKey) ([]byte, error) {
+	data, err := tkn.Marshal()
+	if err != nil {
+		return nil, err
+	}
+
+	encrypted, err := encrypt(owner, sender, data)
+	if err != nil {
+		return nil, err
+	}
+	return encrypted, nil
+}
+
+func decodeToken(data []byte, tkn tokenInterface, owner hcs.PrivateKey, sender hcs.PublicKey) error {
+	decoded, err := decrypt(owner, sender, data)
+	if err != nil {
+		return err
+	}
+
+	err = tkn.Unmarshal(decoded)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func encrypt(owner hcs.PrivateKey, sender hcs.PublicKey, data []byte) ([]byte, error) {
+	key, err := curve25519.X25519(owner.Bytes(), sender.Bytes())
+	if err != nil {
+		return nil, err
+	}
+
+	enc, err := chacha20poly1305.NewX(key)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, enc.NonceSize(), enc.NonceSize()+len(data)+enc.Overhead())
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, err
+	}
+
+	return enc.Seal(nonce, nonce, data, nil), nil
+}
+
+func decrypt(owner hcs.PrivateKey, sender hcs.PublicKey, data []byte) ([]byte, error) {
+	sb := sender.Bytes()
+
+	key, err := curve25519.X25519(owner.Bytes(), sb)
+	if err != nil {
+		return nil, err
+	}
+
+	dec, err := chacha20poly1305.NewX(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if ld, ns := len(data), dec.NonceSize(); ld < ns {
+		return nil, fmt.Errorf("wrong data size (%d), should be greater than %d", ld, ns)
+	}
+
+	nonce, cypher := data[:dec.NonceSize()], data[dec.NonceSize():]
+	return dec.Open(nil, nonce, cypher, nil)
+}
diff --git a/creds/accessbox/bearer_token.go b/creds/accessbox/bearer_token.go
deleted file mode 100644
index 8551a52..0000000
--- a/creds/accessbox/bearer_token.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package accessbox
-
-import (
-	"github.com/nspcc-dev/neofs-api-go/pkg/token"
-)
-
-type bearerBox struct {
-	tkn *token.BearerToken
-}
-
-// NewBearerBox wraps given bearer token into BearerTokenBox.
-func NewBearerBox(token *token.BearerToken) BearerTokenBox {
-	return &bearerBox{tkn: token}
-}
-
-// Marshal serializes bearer token.
-func (b *bearerBox) Marshal() ([]byte, error) {
-	return b.tkn.Marshal(nil)
-}
-
-// Marshal initializes bearer box from its serialized representation.
-func (b *bearerBox) Unmarshal(data []byte) error {
-	tkn := token.NewBearerToken()
-
-	err := tkn.Unmarshal(data)
-	if err != nil {
-		return err
-	}
-
-	b.SetToken(tkn)
-
-	return nil
-}
-
-// Token unwraps bearer token from the box.
-func (b *bearerBox) Token() *token.BearerToken {
-	return b.tkn
-}
-
-// SetToken sets new token in the box.
-func (b *bearerBox) SetToken(tkn *token.BearerToken) {
-	b.tkn = tkn
-}
diff --git a/creds/accessbox/bearer_token_test.go b/creds/accessbox/bearer_token_test.go
index bcaba33..51f30b8 100644
--- a/creds/accessbox/bearer_token_test.go
+++ b/creds/accessbox/bearer_token_test.go
@@ -1,12 +1,9 @@
 package accessbox
 
 import (
-	"bytes"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"encoding/binary"
-	"strconv"
 	"testing"
 
 	"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
@@ -15,9 +12,34 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func Test_encrypt_decrypt(t *testing.T) {
-	tkn := token.NewBearerToken()
-	box := NewBearerBox(tkn)
+func Test_tokens_encode_decode(t *testing.T) {
+	var (
+		tkn  = token.NewBearerToken()
+		tkn2 = token.NewBearerToken()
+	)
+	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	cred, err := hcs.Generate(rand.Reader)
+	require.NoError(t, err)
+
+	tkn.SetEACLTable(eacl.NewTable())
+	require.NoError(t, tkn.SignToken(sec))
+
+	data, err := encodeToken(tkn, cred.PrivateKey(), cred.PublicKey())
+	require.NoError(t, err)
+
+	err = decodeToken(data, tkn2, cred.PrivateKey(), cred.PublicKey())
+	require.NoError(t, err)
+
+	require.Equal(t, tkn, tkn2)
+}
+
+func Test_bearer_token_in_access_box(t *testing.T) {
+	var (
+		box, box2 AccessBox
+		tkn       = token.NewBearerToken()
+	)
 
 	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
@@ -28,21 +50,28 @@ func Test_encrypt_decrypt(t *testing.T) {
 	tkn.SetEACLTable(eacl.NewTable())
 	require.NoError(t, tkn.SignToken(sec))
 
+	box.SetOwnerPublicKey(cred.PublicKey())
+
+	err = box.AddBearerToken(tkn, cred.PrivateKey(), cred.PublicKey())
+	require.NoError(t, err)
+
 	data, err := box.Marshal()
 	require.NoError(t, err)
 
-	encrypted, err := encrypt(cred.PrivateKey(), cred.PublicKey(), data)
+	err = box2.Unmarshal(data)
 	require.NoError(t, err)
 
-	decrypted, err := decrypt(cred.PrivateKey(), cred.PublicKey(), encrypted)
+	tkn2, err := box2.GetBearerToken(cred.PrivateKey())
 	require.NoError(t, err)
 
-	require.Equal(t, data, decrypted)
+	require.Equal(t, tkn, tkn2)
 }
 
-func Test_encrypt_decrypt_step_by_step(t *testing.T) {
-	tkn := token.NewBearerToken()
-	box := NewBearerBox(tkn)
+func Test_accessbox_multiple_keys(t *testing.T) {
+	var (
+		box AccessBox
+		tkn = token.NewBearerToken()
+	)
 
 	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
@@ -53,75 +82,6 @@ func Test_encrypt_decrypt_step_by_step(t *testing.T) {
 	tkn.SetEACLTable(eacl.NewTable())
 	require.NoError(t, tkn.SignToken(sec))
 
-	data, err := box.Marshal()
-	require.NoError(t, err)
-
-	buf := new(bytes.Buffer)
-	_, err = cred.PublicKey().WriteTo(buf)
-	require.NoError(t, err)
-
-	encrypted, err := encrypt(cred.PrivateKey(), cred.PublicKey(), data)
-	require.NoError(t, err)
-
-	length := len(encrypted)
-	temp := make([]byte, length+binary.MaxVarintLen64)
-	size := binary.PutVarint(temp, int64(length))
-	copy(temp[size:], encrypted)
-	buf.Write(temp[:length+size])
-
-	sender, err := hcs.NewPublicKeyFromReader(buf)
-	require.NoError(t, err)
-
-	require.Equal(t, cred.PublicKey(), sender)
-
-	ln, err := binary.ReadVarint(buf)
-	require.NoError(t, err)
-	require.Equal(t, int64(length), ln)
-
-	enc := make([]byte, ln)
-	n, err := buf.Read(enc)
-	require.NoError(t, err)
-	require.Equal(t, length, n)
-	require.Equal(t, encrypted, enc)
-
-	decrypted, err := decrypt(cred.PrivateKey(), sender, enc)
-	require.NoError(t, err)
-	require.Equal(t, data, decrypted)
-}
-
-func TestSingleKey_AccessBox(t *testing.T) {
-	tkn := token.NewBearerToken()
-	expect := NewBearerBox(tkn)
-	actual := NewBearerBox(nil)
-
-	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	require.NoError(t, err)
-
-	cred, err := hcs.Generate(rand.Reader)
-	require.NoError(t, err)
-
-	tkn.SetEACLTable(eacl.NewTable())
-	require.NoError(t, tkn.SignToken(sec))
-
-	data, err := Encode(expect, cred.PrivateKey(), cred.PublicKey())
-	require.NoError(t, err)
-
-	require.NoError(t, Decode(data, actual, cred.PrivateKey()))
-	require.Equal(t, expect, actual)
-}
-
-func TestBearerToken_AccessBox(t *testing.T) {
-	tkn := token.NewBearerToken()
-	box := NewBearerBox(tkn)
-	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	require.NoError(t, err)
-
-	cred, err := hcs.Generate(rand.Reader)
-	require.NoError(t, err)
-
-	tkn.SetEACLTable(eacl.NewTable())
-	require.NoError(t, tkn.SignToken(sec))
-
 	count := 10
 	pubs := make([]hcs.PublicKey, 0, count)
 	keys := make([]hcs.PrivateKey, 0, count)
@@ -135,27 +95,41 @@ func TestBearerToken_AccessBox(t *testing.T) {
 		}
 	}
 
-	buf := new(bytes.Buffer)
-	require.NoError(t, NewEncoder(buf, cred.PrivateKey(), pubs...).Encode(box))
+	box.SetOwnerPublicKey(cred.PublicKey())
 
-	data := buf.Bytes()
+	err = box.AddBearerToken(tkn, cred.PrivateKey(), pubs...)
+	require.NoError(t, err)
 
-	for i := range keys {
-		key := keys[i]
-		t.Run("try with key "+strconv.Itoa(i), func(t *testing.T) {
-			r := bytes.NewReader(data)
-			nbx := NewBearerBox(nil)
-			require.NoError(t, NewDecoder(r, key).Decode(nbx))
-			require.Equal(t, tkn, nbx.Token())
-		})
+	for i, k := range keys {
+		tkn2, err := box.GetBearerToken(k)
+		require.NoError(t, err, "key #%d: %s failed", i, k)
+		require.Equal(t, tkn2, tkn)
 	}
-
-	t.Run("should fail for unknown key", func(t *testing.T) {
-		cred, err = hcs.Generate(rand.Reader)
-		require.NoError(t, err)
-
-		r := bytes.NewReader(data)
-		nbx := NewBearerBox(nil)
-		require.EqualError(t, NewDecoder(r, cred.PrivateKey()).Decode(nbx), "chacha20poly1305: message authentication failed")
-	})
+}
+
+func Test_unknown_key(t *testing.T) {
+	var (
+		box AccessBox
+		tkn = token.NewBearerToken()
+	)
+
+	sec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	cred, err := hcs.Generate(rand.Reader)
+	require.NoError(t, err)
+
+	wrongCred, err := hcs.Generate(rand.Reader)
+	require.NoError(t, err)
+
+	tkn.SetEACLTable(eacl.NewTable())
+	require.NoError(t, tkn.SignToken(sec))
+
+	box.SetOwnerPublicKey(cred.PublicKey())
+
+	err = box.AddBearerToken(tkn, cred.PrivateKey(), cred.PublicKey())
+	require.NoError(t, err)
+
+	_, err = box.GetBearerToken(wrongCred.PrivateKey())
+	require.Error(t, err)
 }
diff --git a/creds/accessbox/decoder.go b/creds/accessbox/decoder.go
deleted file mode 100644
index 059a297..0000000
--- a/creds/accessbox/decoder.go
+++ /dev/null
@@ -1,88 +0,0 @@
-package accessbox
-
-import (
-	"bufio"
-	"bytes"
-	"encoding/binary"
-	"fmt"
-	"io"
-
-	"github.com/nspcc-dev/neofs-s3-gw/creds/hcs"
-	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/crypto/curve25519"
-)
-
-type decoder struct {
-	*bufio.Reader
-
-	key hcs.PrivateKey
-}
-
-// NewDecoder returns new private key decoder.
-func NewDecoder(r io.Reader, key hcs.PrivateKey) Decoder {
-	return &decoder{Reader: bufio.NewReader(r), key: key}
-}
-
-func decrypt(owner hcs.PrivateKey, sender hcs.PublicKey, data []byte) ([]byte, error) {
-	sb := sender.Bytes()
-
-	key, err := curve25519.X25519(owner.Bytes(), sb)
-	if err != nil {
-		return nil, err
-	}
-
-	dec, err := chacha20poly1305.NewX(key)
-	if err != nil {
-		return nil, err
-	}
-
-	if ld, ns := len(data), dec.NonceSize(); ld < ns {
-		return nil, fmt.Errorf("wrong data size (%d), should be greater than %d", ld, ns)
-	}
-
-	nonce, cypher := data[:dec.NonceSize()], data[dec.NonceSize():]
-	return dec.Open(nil, nonce, cypher, nil)
-}
-
-func (d *decoder) Decode(box Box) error {
-	sender, err := hcs.NewPublicKeyFromReader(d)
-	if err != nil {
-		return err
-	}
-
-	var lastErr error
-
-	for {
-		size, err := binary.ReadVarint(d)
-		if err == io.EOF {
-			break
-		} else if err != nil {
-			return err
-		}
-
-		data := make([]byte, size)
-
-		if ln, err := d.Read(data); err != nil {
-			lastErr = err
-			continue
-		} else if ln != int(size) {
-			lastErr = fmt.Errorf("expect %d bytes, but read only %d bytes", size, ln)
-			continue
-		} else if decoded, err := decrypt(d.key, sender, data); err != nil {
-			lastErr = err
-			continue
-		} else if err = box.Unmarshal(decoded); err != nil {
-			lastErr = err
-			continue
-		}
-
-		return nil
-	}
-
-	return lastErr
-}
-
-// Decode unwraps serialized bearer token from data into box using owner key.
-func Decode(data []byte, box Box, owner hcs.PrivateKey) error {
-	return NewDecoder(bytes.NewBuffer(data), owner).Decode(box)
-}
diff --git a/creds/accessbox/encoder.go b/creds/accessbox/encoder.go
deleted file mode 100644
index d46b875..0000000
--- a/creds/accessbox/encoder.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package accessbox
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"io"
-
-	"github.com/nspcc-dev/neofs-s3-gw/creds/hcs"
-	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/crypto/curve25519"
-)
-
-type encoder struct {
-	io.Writer
-
-	owner hcs.PrivateKey
-	keys  []hcs.PublicKey
-}
-
-// NewEncoder creates encoder.
-func NewEncoder(w io.Writer, owner hcs.PrivateKey, keys ...hcs.PublicKey) Encoder {
-	return &encoder{
-		Writer: w,
-		owner:  owner,
-		keys:   keys,
-	}
-}
-
-func encrypt(owner hcs.PrivateKey, sender hcs.PublicKey, data []byte) ([]byte, error) {
-	key, err := curve25519.X25519(owner.Bytes(), sender.Bytes())
-	if err != nil {
-		return nil, err
-	}
-
-	enc, err := chacha20poly1305.NewX(key)
-	if err != nil {
-		return nil, err
-	}
-
-	nonce := make([]byte, enc.NonceSize(), enc.NonceSize()+len(data)+enc.Overhead())
-	if _, err := rand.Read(nonce); err != nil {
-		return nil, err
-	}
-
-	return enc.Seal(nonce, nonce, data, nil), nil
-}
-
-// Encode and encrypt box through owner private key and public keys.
-func (e *encoder) Encode(box Box) error {
-	data, err := box.Marshal()
-	if err != nil {
-		return err
-	}
-
-	// write owner public key
-	if _, err = e.owner.PublicKey().WriteTo(e); err != nil {
-		return err
-	}
-
-	for i, sender := range e.keys {
-		encrypted, err := encrypt(e.owner, sender, data)
-		if err != nil {
-			return fmt.Errorf("%w, sender = %d", err, i)
-		}
-
-		ln := len(encrypted)
-		temp := make([]byte, ln+binary.MaxVarintLen64)
-		size := binary.PutVarint(temp, int64(ln))
-		copy(temp[size:], encrypted)
-		if _, err := e.Write(temp[:size+ln]); err != nil {
-			return fmt.Errorf("%w, sender = %d", err, i)
-		}
-	}
-
-	return nil
-}
-
-// Encode and encrypt box through owner private key and public keys.
-func Encode(box Box, owner hcs.PrivateKey, keys ...hcs.PublicKey) ([]byte, error) {
-	buf := new(bytes.Buffer)
-	err := NewEncoder(buf, owner, keys...).Encode(box)
-	return buf.Bytes(), err
-}
diff --git a/creds/hcs/public.go b/creds/hcs/public.go
index 9a72551..2ef2c4f 100644
--- a/creds/hcs/public.go
+++ b/creds/hcs/public.go
@@ -26,7 +26,8 @@ func (p *public) WriteTo(w io.Writer) (int64, error) {
 	return int64(pl), err
 }
 
-func publicKeyFromBytes(v []byte) (PublicKey, error) {
+// PublicKeyFromBytes reads a public key from given bytes.
+func PublicKeyFromBytes(v []byte) (PublicKey, error) {
 	pub := public(v)
 	return &pub, nil
 }
@@ -37,7 +38,7 @@ func publicKeyFromString(val string) (PublicKey, error) {
 		return nil, err
 	}
 
-	return publicKeyFromBytes(v)
+	return PublicKeyFromBytes(v)
 }
 
 // NewPublicKeyFromReader reads new public key from given reader.
@@ -47,7 +48,7 @@ func NewPublicKeyFromReader(r io.Reader) (PublicKey, error) {
 		return nil, err
 	}
 
-	return publicKeyFromBytes(data)
+	return PublicKeyFromBytes(data)
 }
 
 // LoadPublicKey loads public key from given file or (serialized) string.
@@ -61,5 +62,5 @@ func LoadPublicKey(val string) (PublicKey, error) {
 		return nil, err
 	}
 
-	return publicKeyFromBytes(data)
+	return PublicKeyFromBytes(data)
 }
diff --git a/creds/bearer/credentials.go b/creds/tokens/credentials.go
similarity index 64%
rename from creds/bearer/credentials.go
rename to creds/tokens/credentials.go
index ffaf550..2d39667 100644
--- a/creds/bearer/credentials.go
+++ b/creds/tokens/credentials.go
@@ -1,4 +1,4 @@
-package bearer
+package tokens
 
 import (
 	"bytes"
@@ -11,6 +11,8 @@ import (
 	"github.com/nspcc-dev/neofs-api-go/pkg/client"
 	cid "github.com/nspcc-dev/neofs-api-go/pkg/container/id"
 	"github.com/nspcc-dev/neofs-api-go/pkg/object"
+	"github.com/nspcc-dev/neofs-api-go/pkg/owner"
+	"github.com/nspcc-dev/neofs-api-go/pkg/session"
 	"github.com/nspcc-dev/neofs-api-go/pkg/token"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/hcs"
@@ -20,8 +22,9 @@ import (
 type (
 	// Credentials is a bearer token get/put interface.
 	Credentials interface {
-		Get(context.Context, *object.Address) (*token.BearerToken, error)
-		Put(context.Context, *cid.ID, *token.BearerToken, ...hcs.PublicKey) (*object.Address, error)
+		GetBearerToken(context.Context, *object.Address) (*token.BearerToken, error)
+		GetSessionToken(context.Context, *object.Address) (*session.Token, error)
+		Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, ...hcs.PublicKey) (*object.Address, error)
 	}
 
 	cred struct {
@@ -59,11 +62,39 @@ func (c *cred) releaseBuffer(buf *bytes.Buffer) {
 	bufferPool.Put(buf)
 }
 
-func (c *cred) Get(ctx context.Context, address *object.Address) (*token.BearerToken, error) {
-	buf := c.acquireBuffer()
-	defer c.releaseBuffer(buf)
+func (c *cred) GetBearerToken(ctx context.Context, address *object.Address) (*token.BearerToken, error) {
+	box, err := c.getAccessBox(ctx, address)
+	if err != nil {
+		return nil, err
+	}
 
-	box := accessbox.NewBearerBox(nil)
+	tkn, err := box.GetBearerToken(c.key)
+	if err != nil {
+		return nil, err
+	}
+	return tkn, nil
+}
+
+func (c *cred) GetSessionToken(ctx context.Context, address *object.Address) (*session.Token, error) {
+	box, err := c.getAccessBox(ctx, address)
+	if err != nil {
+		return nil, err
+	}
+
+	tkn, err := box.GetSessionToken(c.key)
+	if err != nil {
+		return nil, err
+	}
+
+	return tkn, nil
+}
+
+func (c *cred) getAccessBox(ctx context.Context, address *object.Address) (*accessbox.AccessBox, error) {
+	var (
+		box accessbox.AccessBox
+		buf = c.acquireBuffer()
+	)
+	defer c.releaseBuffer(buf)
 
 	conn, tok, err := c.pool.Connection()
 	if err != nil {
@@ -80,30 +111,25 @@ func (c *cred) Get(ctx context.Context, address *object.Address) (*token.BearerT
 		return nil, err
 	}
 
-	err = accessbox.NewDecoder(buf, c.key).Decode(box)
-	if err != nil {
+	if err = box.Unmarshal(buf.Bytes()); err != nil {
 		return nil, err
 	}
-
-	return box.Token(), nil
+	return &box, nil
 }
 
-func (c *cred) Put(ctx context.Context, cid *cid.ID, tkn *token.BearerToken, keys ...hcs.PublicKey) (*object.Address, error) {
+func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, keys ...hcs.PublicKey) (*object.Address, error) {
 	var (
 		err error
-		buf = c.acquireBuffer()
-		box = accessbox.NewBearerBox(tkn)
-
 		created = strconv.FormatInt(time.Now().Unix(), 10)
 	)
 
-	defer c.releaseBuffer(buf)
-
 	if len(keys) == 0 {
 		return nil, ErrEmptyPublicKeys
-	} else if tkn == nil {
+	} else if box == nil {
 		return nil, ErrEmptyBearerToken
-	} else if err = accessbox.NewEncoder(buf, c.key, keys...).Encode(box); err != nil {
+	}
+	data, err := box.Marshal()
+	if err != nil {
 		return nil, err
 	}
 
@@ -121,10 +147,10 @@ func (c *cred) Put(ctx context.Context, cid *cid.ID, tkn *token.BearerToken, key
 
 	raw := object.NewRaw()
 	raw.SetContainerID(cid)
-	raw.SetOwnerID(tkn.Issuer())
+	raw.SetOwnerID(issuer)
 	raw.SetAttributes(filename, timestamp)
 
-	ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(buf)
+	ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(bytes.NewBuffer(data))
 	oid, err := conn.PutObject(
 		ctx,
 		ops,