diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 5ed6f8c22..5f0e1ee43 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -618,7 +618,12 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		return true
 	}
 
-	// 1. First check if bearer token is signed correctly.
+	// 1. First check token lifetime. Simplest verification.
+	if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
+		return false
+	}
+
+	// 2. Then check if bearer token is signed correctly.
 	signWrapper := v2signature.StableMarshalerWrapper{SM: token.GetBody()}
 	if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) {
 		tokenSignature := token.GetSignature()
@@ -627,7 +632,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		return false // invalid signature
 	}
 
-	// 2. Then check if container owner signed this token.
+	// 3. Then check if container owner signed this token.
 	tokenIssuerKey := crypto.UnmarshalPublicKey(token.GetSignature().GetKey())
 	tokenIssuerWallet, err := owner.NEO3WalletFromPublicKey(tokenIssuerKey)
 	if err != nil {
@@ -642,7 +647,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		return false
 	}
 
-	// 3. Then check if request sender has rights to use this token.
+	// 4. Then check if request sender has rights to use this token.
 	tokenOwnerField := token.GetBody().GetOwnerID()
 	if tokenOwnerField != nil { // see bearer token owner field description
 		requestSenderKey := crypto.UnmarshalPublicKey(reqInfo.senderKey)
@@ -656,11 +661,6 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		}
 	}
 
-	// 4. Then check token lifetime.
-	if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
-		return false
-	}
-
 	return true
 }