diff --git a/bearer/bearer.go b/bearer/bearer.go
index 6eb4a7a..a28ea01 100644
--- a/bearer/bearer.go
+++ b/bearer/bearer.go
@@ -45,12 +45,6 @@ func (b Token) WriteToV2(m *acl.BearerToken) {
 	*m = (acl.BearerToken)(b)
 }
 
-// IsEmpty returns true if bearer token has no fields set.
-func (b Token) IsEmpty() bool {
-	v2token := (acl.BearerToken)(b)
-	return v2token.GetBody() == nil && v2token.GetSignature() == nil
-}
-
 // SetExpiration sets "exp" (expiration time) claim which identifies the
 // expiration time (in NeoFS epochs) on or after which the Token MUST NOT be
 // accepted for processing. The processing of the "exp" claim requires that the
@@ -231,7 +225,7 @@ func (b *Token) Sign(key ecdsa.PrivateKey) error {
 
 // VerifySignature returns nil if bearer token contains correct signature.
 func (b Token) VerifySignature() error {
-	if b.IsEmpty() {
+	if b.isEmpty() {
 		return nil
 	}
 
@@ -245,18 +239,18 @@ func (b Token) VerifySignature() error {
 // Issuer returns owner.ID associated with the key that signed bearer token.
 // To pass node validation it should be owner of requested container.
 //
-// If token is not signed, issuer returns empty owner ID.
+// If token is not signed, Issuer returns empty owner ID and false `ok` flag.
 //
 // See also Sign.
-func (b Token) Issuer() (id owner.ID) {
+func (b Token) Issuer() (id owner.ID, ok bool) {
 	v2 := (acl.BearerToken)(b)
 
 	pub, _ := keys.NewPublicKeyFromBytes(v2.GetSignature().GetKey(), elliptic.P256())
 	if pub == nil {
-		return id
+		return id, false
 	}
 
-	return *owner.NewIDFromPublicKey((*ecdsa.PublicKey)(pub))
+	return *owner.NewIDFromPublicKey((*ecdsa.PublicKey)(pub)), true
 }
 
 // sanityCheck if bearer token is ready to be issued.
@@ -314,3 +308,8 @@ func (b *Token) UnmarshalJSON(data []byte) error {
 	v2 := (*acl.BearerToken)(b)
 	return v2.UnmarshalJSON(data)
 }
+
+func (b Token) isEmpty() bool {
+	v2token := (acl.BearerToken)(b)
+	return v2token.GetBody() == nil && v2token.GetSignature() == nil
+}
diff --git a/bearer/bearer_test.go b/bearer/bearer_test.go
index 0316187..a131389 100644
--- a/bearer/bearer_test.go
+++ b/bearer/bearer_test.go
@@ -16,8 +16,8 @@ func TestBearerToken_Issuer(t *testing.T) {
 	var bearerToken bearer.Token
 
 	t.Run("non signed token", func(t *testing.T) {
-		id := bearerToken.Issuer()
-		require.Equal(t, owner.ID{}, id)
+		_, ok := bearerToken.Issuer()
+		require.False(t, ok)
 	})
 
 	t.Run("signed token", func(t *testing.T) {
@@ -28,7 +28,8 @@ func TestBearerToken_Issuer(t *testing.T) {
 
 		bearerToken.SetEACLTable(*eacl.NewTable())
 		require.NoError(t, bearerToken.Sign(p.PrivateKey))
-		issuer := bearerToken.Issuer()
+		issuer, ok := bearerToken.Issuer()
+		require.True(t, ok)
 		require.True(t, ownerID.Equal(&issuer))
 	})
 }