diff --git a/rhodecode/apps/login/tests/test_login.py b/rhodecode/apps/login/tests/test_login.py
--- a/rhodecode/apps/login/tests/test_login.py
+++ b/rhodecode/apps/login/tests/test_login.py
@@ -492,6 +492,31 @@ class TestLoginController(object):
                                params=dict(api_key=auth_token)),
                     status=code)
 
+    @pytest.mark.parametrize("test_name, auth_token, code", [
+        ('proper_auth_token', None, 200),
+        ('wrong_auth_token', '123456', 302),
+    ])
+    def test_access_whitelisted_page_via_auth_token_bound_to_token(
+            self, test_name, auth_token, code, user_admin):
+
+        expected_token = auth_token
+        if test_name == 'proper_auth_token':
+            auth_token = user_admin.api_key
+            expected_token = auth_token
+        assert auth_token
+
+        whitelist = self._get_api_whitelist([
+            'RepoCommitsView:repo_commit_raw@{}'.format(expected_token)])
+
+        with mock.patch.dict('rhodecode.CONFIG', whitelist):
+
+            with fixture.anon_access(False):
+                self.app.get(
+                    route_path('repo_commit_raw',
+                               repo_name=HG_REPO, commit_id='tip',
+                               params=dict(api_key=auth_token)),
+                    status=code)
+
     def test_access_page_via_extra_auth_token(self):
         whitelist = self._get_api_whitelist(whitelist_view)
         with mock.patch.dict('rhodecode.CONFIG', whitelist):
diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py
--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -754,7 +754,7 @@ class PermissionCalculator(object):
         }
 
-def allowed_auth_token_access(view_name, whitelist=None, auth_token=None):
+def allowed_auth_token_access(view_name, auth_token, whitelist=None):
     """
     Check if given controller_name is in whitelist of auth token access
     """
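Review bot: Neither parametrized row of test_access_whitelisted_page_via_auth_token_bound_to_token exercises the rejection the `@token` binding is meant to add: in both rows the token bound in the whitelist entry and the `api_key` sent are the same value (`expected_token` is derived from `auth_token`), so `'wrong_auth_token'` only shows that an unknown token is refused, not that a valid user token is refused when the entry is bound to a different one. A third row such as `('valid_token_wrong_binding', 'not-the-bound-token', 302)` (constructed value) that sends `user_admin.api_key` as `api_key` while keeping `expected_token` at the row's literal would cover that branch; the `if test_name == 'proper_auth_token'` block would then need a sibling branch that sets only `auth_token = user_admin.api_key`. Consider also leaving the parametrized `auth_token` argument untouched and naming the token actually sent separately (e.g. `sent_token`), since reassigning the fixture argument in the body makes the rows harder to read.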
@@ -762,12 +762,19 @@ def allowed_auth_token_access(view_name,
         from rhodecode import CONFIG
         whitelist = aslist(
             CONFIG.get('api_access_controllers_whitelist'), sep=',')
-    log.debug(
-        'Allowed controllers for AUTH TOKEN access: %s' % (whitelist,))
+
+    log.debug(
+        'Allowed views for AUTH TOKEN access: %s' % (whitelist,))
+    auth_token_access_valid = False
 
-    auth_token_access_valid = False
     for entry in whitelist:
-        if fnmatch.fnmatch(view_name, entry):
+        token_match = True
+        if '@' in entry:
+            # specific AuthToken
+            entry, allowed_token = entry.split('@', 1)
+            token_match = auth_token == allowed_token
+
+        if fnmatch.fnmatch(view_name, entry) and token_match:
             auth_token_access_valid = True
             break