diff --git a/authorizer/src/asapo_authorizer/authorization/authorization.go b/authorizer/src/asapo_authorizer/authorization/authorization.go
index 768350e943f75b429406effb5b3a53ea1d551af6..ba8e0811453dd42f6affe9ae3be6e17657592747 100644
--- a/authorizer/src/asapo_authorizer/authorization/authorization.go
+++ b/authorizer/src/asapo_authorizer/authorization/authorization.go
@@ -8,9 +8,9 @@ import (
 )
 
 type Auth struct {
-	authHMAC utils.Auth
-	authHMACAdmin utils.Auth
-	authJWT utils.Auth
+	authHMAC  utils.Auth
+	authAdmin utils.Auth
+	authJWT   utils.Auth
 }
 
 func NewAuth(authHMAC,authHMACAdmin,authJWT utils.Auth) *Auth {
@@ -18,7 +18,7 @@ func NewAuth(authHMAC,authHMACAdmin,authJWT utils.Auth) *Auth {
 }
 
 func (auth *Auth) AdminAuth() utils.Auth {
-	return auth.authHMACAdmin
+	return auth.authAdmin
 }
 
 func (auth *Auth) HmacAuth() utils.Auth {
@@ -43,7 +43,7 @@ func subjectFromRequest(request TokenRequest) string {
 	return ""
 }
 
-func (auth *Auth) PrepareUserJWTToken(request TokenRequest) (string, error) {
+func (auth *Auth) PrepareAccessToken(request TokenRequest) (string, error) {
 	var claims utils.CustomClaims
 	var extraClaim utils.AccessTokenExtraClaim
 
@@ -55,7 +55,7 @@ func (auth *Auth) PrepareUserJWTToken(request TokenRequest) (string, error) {
 	uid := xid.New()
 	claims.Id = uid.String()
 
-	return auth.authJWT.GenerateToken(&claims)
+	return auth.authAdmin.GenerateToken(&claims)
 
 }
 
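Review bot: `return auth.authAdmin.GenerateToken(&claims)` signs every issued access token with the admin key, which is the same authenticator `routeAuthorisedTokenIssue` uses to verify callers of the issuing endpoint (see the issue_token.go hunk), so a user token and an admin token now differ only by their claims. If consumers still verify access tokens with the ordinary JWT secret, as the remaining `authJWT` field suggests, these tokens will also stop validating there. I would keep signing with `auth.authJWT` and reserve `authAdmin` for verifying admin tokens. If the switch is intended, document it above the function, e.g. `// PrepareAccessToken signs with the admin key; /admin/issue must reject any token whose subject is not "admin".` PrepareAccessToken starts outside this hunk.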
diff --git a/authorizer/src/asapo_authorizer/cli/command_test.go b/authorizer/src/asapo_authorizer/cli/command_test.go
index e21893139209e7d79677f2d3074fbb49c2d55f54..5fb4e423a6ab73297bb0b1c962c2e19c9d59dbf7 100644
--- a/authorizer/src/asapo_authorizer/cli/command_test.go
+++ b/authorizer/src/asapo_authorizer/cli/command_test.go
@@ -20,7 +20,7 @@ var CommandTests = []struct {
 
 func TestCommand(t *testing.T) {
 	outBuf = new(bytes.Buffer)
-	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret"))
+	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 
 	for _, test := range CommandTests {
 		outBuf.(*bytes.Buffer).Reset()
diff --git a/authorizer/src/asapo_authorizer/cli/create_token.go b/authorizer/src/asapo_authorizer/cli/create_token.go
index c4f8b02359efbef7de522d0c16d8b51b8ffd9b8a..1c8025b5bf86cd27f4cc7e22c22413b144943a1b 100644
--- a/authorizer/src/asapo_authorizer/cli/create_token.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token.go
@@ -72,7 +72,7 @@ func (cmd *command) CommandCreate_token() (err error) {
 		return err
 	}
 
-	token, err := server.Auth.PrepareUserJWTToken(request)
+	token, err := server.Auth.PrepareAccessToken(request)
 	if err != nil {
 		return err
 	}
diff --git a/authorizer/src/asapo_authorizer/cli/create_token_test.go b/authorizer/src/asapo_authorizer/cli/create_token_test.go
index e39701147763cdf4ed2ae6a553cfb81f5dd31258..e1210201719098fefafd482bf8723d2324717678 100644
--- a/authorizer/src/asapo_authorizer/cli/create_token_test.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token_test.go
@@ -38,7 +38,7 @@ var tokenTests = []struct {
 }
 
 func TestGenerateToken(t *testing.T) {
-	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret"))
+	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 	for _, test := range tokenTests {
 		outBuf = new(bytes.Buffer)
 		err := test.cmd.CommandCreate_token()
diff --git a/authorizer/src/asapo_authorizer/server/authorize_test.go b/authorizer/src/asapo_authorizer/server/authorize_test.go
index 8fdf09e583f0ec95aeaf007e04ae23933cf02397..c813c38dc80020172f413aa548825851d88351ea 100644
--- a/authorizer/src/asapo_authorizer/server/authorize_test.go
+++ b/authorizer/src/asapo_authorizer/server/authorize_test.go
@@ -22,8 +22,14 @@ func prepareToken(payload string) string{
 }
 
 func prepareAdminToken(payload string) string{
-	Auth = authorization.NewAuth(nil,utils.NewHMACAuth("secret_admin"),nil)
-	token, _ := Auth.AdminAuth().GenerateToken(&payload)
+	Auth = authorization.NewAuth(nil,utils.NewJWTAuth("secret_admin"),nil)
+
+	var claims utils.CustomClaims
+	var extraClaim utils.AccessTokenExtraClaim
+	claims.Subject = payload
+	extraClaim.AccessType = "create"
+	claims.ExtraClaims = &extraClaim
+	token, _ := Auth.AdminAuth().GenerateToken(&claims)
 	return token
 }
 
diff --git a/authorizer/src/asapo_authorizer/server/issue_token.go b/authorizer/src/asapo_authorizer/server/issue_token.go
index aa863eb3a85bdb00d705959b411baa293f2c7839..a8d0db40a7fda9b88671813c5b551fece85a5114 100644
--- a/authorizer/src/asapo_authorizer/server/issue_token.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token.go
@@ -32,7 +32,36 @@ func extractUserTokenrequest(r *http.Request) (request authorization.TokenReques
 
 
 func routeAuthorisedTokenIssue(w http.ResponseWriter, r *http.Request) {
-	Auth.AdminAuth().ProcessAuth(issueUserToken, "admin")(w, r)
+	Auth.AdminAuth().ProcessAuth(checkAccessToken, "admin")(w, r)
+}
+func checkAccessToken(w http.ResponseWriter, r *http.Request) {
+
+	c := r.Context().Value("TokenClaims")
+	if c == nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte("Empty context"))
+	}
+
+	claim := c.(*utils.CustomClaims)
+	if claim.Subject != "admin" {
+		err_txt := "wrong token subject type "+claim.Subject
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(err_txt))
+
+	}
+
+	var extraClaim utils.AccessTokenExtraClaim
+	if err := utils.JobClaimFromContext(r, &extraClaim); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte(err.Error()))
+	}
+	if extraClaim.AccessType!="create" {
+		err_txt := "wrong access type "+extraClaim.AccessType
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(err_txt))
+	}
+
+	issueUserToken(w, r)
 }
 
 func issueUserToken(w http.ResponseWriter, r *http.Request) {
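Review bot: None of the four failure branches in `checkAccessToken` returns, so after writing the 401 or 500 the handler still reaches `issueUserToken(w, r)` and the subject and access-type checks do not stop a request. The `c == nil` branch also falls through to the unchecked assertion `c.(*utils.CustomClaims)`, which panics on a nil interface value. Each branch needs a `return` and the assertion should use the comma-ok form; because this commit signs issued access tokens with the same admin authenticator, these claim checks are the only thing separating a user token from an admin one. The error bodies also echo `claim.Subject` and `extraClaim.AccessType` taken from the token, where a fixed message would be enough.

```go
func checkAccessToken(w http.ResponseWriter, r *http.Request) {
	claim, ok := r.Context().Value("TokenClaims").(*utils.CustomClaims)
	if !ok || claim == nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("Empty context"))
		return
	}
	if claim.Subject != "admin" {
		// … unchanged: 401 with "wrong token subject type" …
		return
	}

	var extraClaim utils.AccessTokenExtraClaim
	if err := utils.JobClaimFromContext(r, &extraClaim); err != nil {
		// … unchanged: 500 with err.Error() …
		return
	}
	if extraClaim.AccessType != "create" {
		// … unchanged: 401 with "wrong access type" …
		return
	}

	issueUserToken(w, r)
}
```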
@@ -42,7 +71,7 @@ func issueUserToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := Auth.PrepareUserJWTToken(request)
+	token, err := Auth.PrepareAccessToken(request)
 	if err != nil {
 		utils.WriteServerError(w, err, http.StatusInternalServerError)
 		return
diff --git a/authorizer/src/asapo_authorizer/server/issue_token_test.go b/authorizer/src/asapo_authorizer/server/issue_token_test.go
index 26de51a2e4397b4b0e44827252d83da00e6b3555..b74fb5b10a2971825d044a5029f157d7161be15c 100644
--- a/authorizer/src/asapo_authorizer/server/issue_token_test.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token_test.go
@@ -32,16 +32,16 @@ var  IssueTokenTests = [] struct {
 
 func TestIssueToken(t *testing.T) {
 	authJWT := utils.NewJWTAuth("secret")
-	authHMACAdmin := utils.NewHMACAuth("secret_admin")
-	Auth = authorization.NewAuth(nil,authHMACAdmin,authJWT)
+	authAdmin := utils.NewJWTAuth("secret_admin")
+	Auth = authorization.NewAuth(nil,authAdmin,authJWT)
 	for _, test := range IssueTokenTests {
 		request :=  makeRequest(authorization.TokenRequest{test.requestSubject,test.validDays,test.role})
-		w := doPostRequest("/admin/issue",request,authHMACAdmin.Name()+" "+test.adminToken)
+		w := doPostRequest("/admin/issue",request,authAdmin.Name()+" "+test.adminToken)
 		if w.Code == http.StatusOK {
 			body, _ := ioutil.ReadAll(w.Body)
 			var token authorization.TokenResponce
 			json.Unmarshal(body,&token)
-			claims,_ := utils.CheckJWTToken(token.Token,"secret")
+			claims,_ := utils.CheckJWTToken(token.Token,"secret_admin")
 			cclaims,_:= claims.(*utils.CustomClaims)
 			var extra_claim utils.AccessTokenExtraClaim
 			utils.MapToStruct(claims.(*utils.CustomClaims).ExtraClaims.(map[string]interface{}), &extra_claim)
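Review bot: The loop confirms that an issued token verifies with `"secret_admin"` but, as far as this hunk shows, never presents a validly signed non-admin token to `/admin/issue`; the IssueTokenTests table and the rest of TestIssueToken are outside the hunk, so such a case may already exist. Since issued tokens and admin tokens now share a signing key, cases with a correctly signed token whose subject is not `admin`, and one whose access type is not `create`, each expecting `http.StatusUnauthorized` and no token in the body, would pin the claim checks. The same gap applies to tests/automatic/authorizer/check_authorize/check_linux.sh, whose only rejection case is the malformed string `blabla`. The `ok` result of `utils.CheckJWTToken` is also discarded (`claims,_ :=`), so a verification failure would show up as a panic in the type assertion below rather than as a test failure.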
diff --git a/authorizer/src/asapo_authorizer/server/server_nottested.go b/authorizer/src/asapo_authorizer/server/server_nottested.go
index 01de58ec8778d6aecd74413a38057a64f0cf5156..20b5da29809048dfa23db28e59e60ea17cd3a1c0 100644
--- a/authorizer/src/asapo_authorizer/server/server_nottested.go
+++ b/authorizer/src/asapo_authorizer/server/server_nottested.go
@@ -30,8 +30,7 @@ func createAuth() (*authorization.Auth,error) {
 	if err != nil {
 		return nil, err
 	}
-
-	return authorization.NewAuth(utils.NewHMACAuth(adminSecret), utils.NewHMACAuth(secret), utils.NewJWTAuth(secret)),nil
+	return authorization.NewAuth(utils.NewHMACAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil
 }
 
 func ReadConfig(fname string) (log.Level, error) {
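Review bot: The three `utils.Auth` arguments to `authorization.NewAuth` are positional and share one type, and the removed line appears to have passed `adminSecret` in the `authHMAC` position, which shows how easily they are transposed. `NewAuth` in authorization.go still names its second parameter `authHMACAdmin` although it now receives a JWT authenticator; renaming it to `authAdmin` and adding a comment here such as `// order: HMAC (secret), admin JWT (adminSecret), user JWT (secret)` would make a future swap visible in review. The same `secret` also keys both the HMAC and the JWT authenticator; if that is deliberate it deserves a line of documentation. createAuth starts outside this hunk.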
diff --git a/common/go/src/asapo_common/utils/authorization.go b/common/go/src/asapo_common/utils/authorization.go
index b149ee8fe9883ecbb3fc6c8a4bb5d9b9080aa92c..53c84f3ee17f8c35c78a729ae974405563c6e205 100644
--- a/common/go/src/asapo_common/utils/authorization.go
+++ b/common/go/src/asapo_common/utils/authorization.go
@@ -139,7 +139,7 @@ func ProcessJWTAuth(fn http.HandlerFunc, key string) http.HandlerFunc {
 
 		if authType == "Bearer" {
 			if claims, ok := CheckJWTToken(token, key); !ok {
-				http.Error(w, "Authorization error - tocken does not match", http.StatusUnauthorized)
+				http.Error(w, "Authorization error - token does not match", http.StatusUnauthorized)
 				return
 			} else {
 				ctx = context.WithValue(ctx, "TokenClaims", claims)
diff --git a/tests/automatic/authorizer/check_authorize/check_linux.sh b/tests/automatic/authorizer/check_authorize/check_linux.sh
index 7df6b759e47dc7a5f27a4937d1ad0de5abeb3e97..7b73b09678def62486ce9d5633752c68f13895ca 100644
--- a/tests/automatic/authorizer/check_authorize/check_linux.sh
+++ b/tests/automatic/authorizer/check_authorize/check_linux.sh
@@ -20,9 +20,9 @@ mkdir -p beamline/p07/current
 cp beamtime-metadata* beamline/p07/current/
 
 #tokens
-AdminToken=C5cwHN2hjWGo6A2Ca3YuumCwwm_SVqC962oqVa0y09k=
-curl -v --silent -H "Authorization: HMAC-SHA-256 $AdminToken" --data '{"BeamtimeId":"12345678","DaysValid":123,"Role":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "HTTP/1.1 200 OK"
-curl -v --silent -H "Authorization: HMAC-SHA-256 blabla" --data '{"BeamtimeId":"12345678","DaysValid":123,"Role":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "token does not match"
+AdminToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJjMTNvcGpyaXB0MzNlb2ZjbWJuZyIsInN1YiI6ImFkbWluIiwiRXh0cmFDbGFpbXMiOnsiQWNjZXNzVHlwZSI6ImNyZWF0ZSJ9fQ.uRjtGPaRpOlOfKroijHRgMDNaZHnXsVPf0JaJ1XMg7o
+curl -v --silent -H "Authorization: Bearer $AdminToken" --data '{"Subject": {"beamtimeId":"12345678"},"DaysValid":123,"AccessType":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "bt_12345678"
+curl -v --silent -H "Authorization: Bearer blabla" --data '{"Subject": {"beamtimeId":"12345678"},"DaysValid":123,"AccessType":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "token does not match"
 
 curl -v --silent --data '{"SourceCredentials":"processed%c20180508-000-COM20181%%detector%","OriginHost":"127.0.0.1:5555"}' 127.0.0.1:5007/authorize --stderr -  | tee /dev/stderr  | grep c20180508-000-COM20181
 curl -v --silent --data '{"SourceCredentials":"processed%c20180508-000-COM20181%%detector%","OriginHost":"127.0.0.1:5555"}' 127.0.0.1:5007/authorize --stderr -  | tee /dev/stderr  | grep p00
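Review bot: The new `AdminToken` fixture decodes to a payload holding only `jti`, `sub` and `ExtraClaims`, so it carries no `exp` claim and stays valid for as long as the admin secret is unchanged. If production admin tokens are minted the same way (not visible here), consider giving them an expiry and documenting how the admin key is rotated. For the fixture itself, a comment such as `# test-only admin token, signed with tests/automatic/settings/auth_secret_admin.key` would keep it from being mistaken for a live credential.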
diff --git a/tests/automatic/settings/auth_secret_admin.key b/tests/automatic/settings/auth_secret_admin.key
index 3eb59062c67f44eb713096536762d82300c1dee5..b3d4b1d78eaeee6e7da466f6e9f483c74c5cb4c1 100644
--- a/tests/automatic/settings/auth_secret_admin.key
+++ b/tests/automatic/settings/auth_secret_admin.key
@@ -1 +1 @@
-12c2ljwewezgnea
\ No newline at end of file
+12c2ljwewezgnea