diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -459,9 +459,14 @@ def get_auth_user(request):
     session = request.session
 
     ip_addr = get_ip_addr(environ)
+
     # make sure that we update permissions each time we call controller
-    _auth_token = (request.GET.get('auth_token', '') or
-                   request.GET.get('api_key', ''))
+    _auth_token = (request.GET.get('auth_token', '') or request.GET.get('api_key', ''))
+    if not _auth_token:
+        url_auth_token = request.matchdict.get('_auth_token')
+        _auth_token = url_auth_token
+        if _auth_token:
+            log.debug('Using URL extracted auth token `...%s`', _auth_token[-4:])
 
     if _auth_token:
         # when using API_KEY we assume user exists, and
@@ -495,7 +500,7 @@ def get_auth_user(request):
         # user is not authenticated and not empty
         auth_user.set_authenticated(authenticated)
 
-    return auth_user
+    return auth_user, _auth_token
 
 
 def h_filter(s):
diff --git a/rhodecode/subscribers.py b/rhodecode/subscribers.py
--- a/rhodecode/subscribers.py
+++ b/rhodecode/subscribers.py
@@ -95,8 +95,9 @@ def add_request_user_context(event):
         # skip api calls
         return
 
-    auth_user = get_auth_user(request)
+    auth_user, auth_token = get_auth_user(request)
     request.user = auth_user
+    request.user_auth_token = auth_token
     request.environ['rc_auth_user'] = auth_user
     request.environ['rc_auth_user_id'] = auth_user.user_id
     request.environ['rc_req_id'] = req_id