diff --git a/src/c3nav/api/newauth.py b/src/c3nav/api/newauth.py
index c2f8ddb1..3d5606b5 100644
--- a/src/c3nav/api/newauth.py
+++ b/src/c3nav/api/newauth.py
@@ -38,8 +38,7 @@ class BearerAuth(HttpBearer):
                 ).select_related("user").get()
             except UserPermissions.DoesNotExist:
                 raise APITokenInvalid
-            session = self.SessionStore(token.removeprefix("secret:"))
-            return session.user
+            return user_perms.user
         # todo: implement token (app) auth
         raise APITokenInvalid