diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index c1b78b98..9f834206 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -149,7 +149,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
 	req := metaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  request.GetMetaHeader().GetBearerToken(),
+		bearer:  originalBearerToken(request.GetMetaHeader()),
 		src:     request,
 	}
 
@@ -197,7 +197,7 @@ func (b Service) Head(
 	req := metaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  request.GetMetaHeader().GetBearerToken(),
+		bearer:  originalBearerToken(request.GetMetaHeader()),
 		src:     request,
 	}
 
@@ -236,7 +236,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
 	req := metaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   request.GetMetaHeader().GetSessionToken(),
-		bearer:  request.GetMetaHeader().GetBearerToken(),
+		bearer:  originalBearerToken(request.GetMetaHeader()),
 		src:     request,
 	}
 
@@ -273,7 +273,7 @@ func (b Service) Delete(
 	req := metaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  request.GetMetaHeader().GetBearerToken(),
+		bearer:  originalBearerToken(request.GetMetaHeader()),
 		src:     request,
 	}
 
@@ -305,7 +305,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
 	req := metaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  request.GetMetaHeader().GetBearerToken(),
+		bearer:  originalBearerToken(request.GetMetaHeader()),
 		src:     request,
 	}
 
@@ -343,7 +343,7 @@ func (b Service) GetRangeHash(
 	req := metaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  request.GetMetaHeader().GetBearerToken(),
+		bearer:  originalBearerToken(request.GetMetaHeader()),
 		src:     request,
 	}
 
@@ -387,7 +387,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
 		req := metaWithToken{
 			vheader: request.GetVerificationHeader(),
 			token:   sTok,
-			bearer:  request.GetMetaHeader().GetBearerToken(),
+			bearer:  originalBearerToken(request.GetMetaHeader()),
 			src:     request,
 		}
 
@@ -771,3 +771,13 @@ func isOwnerFromKey(id *owner.ID, key *ecdsa.PublicKey) bool {
 	// binary comparison is better but MarshalBinary is more expensive
 	return bytes.Equal(id.ToV2().GetValue(), wallet.Bytes())
 }
+
+// originalBearerToken goes down to original request meta header and fetches
+// bearer token from there.
+func originalBearerToken(header *session.RequestMetaHeader) *bearer.BearerToken {
+	for header.GetOrigin() != nil {
+		header = header.GetOrigin()
+	}
+
+	return header.GetBearerToken()
+}