diff --git a/CHANGELOG.md b/CHANGELOG.md
index b76c77e9..dc0bb817 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,23 @@
 # Changelog
 This is the changelog for NeoFS Proto
 
+## [0.2.9] - 2020-01-17
+
+### Added
+- Docs for container ACL field
+- Public key header in the object with docs
+- Public key field in the session token with docs
+
+### Changed
+- Routine to verify correct object checks if integrity header is last and
+may use public key header if verification header is not present
+- Routine to verify correct session token checks if keys in the token 
+associated with owner id
+- Updated neofs-crypto to v0.2.3
+
+### Removed
+- Timestamp in object tombstone header
+
 ## [0.2.8] - 2019-12-21
 
 ### Added
@@ -88,3 +105,4 @@ Initial public release
 [0.2.6]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.5...v0.2.6
 [0.2.7]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.6...v0.2.7
 [0.2.8]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.7...v0.2.8
+[0.2.9]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.8...v0.2.9
diff --git a/docs/container.md b/docs/container.md
index ef2ba19a..6693980d 100644
--- a/docs/container.md
+++ b/docs/container.md
@@ -21,6 +21,8 @@
 - [container/types.proto](#container/types.proto)
 
   - Messages
+    - [AccessControlList](#container.AccessControlList)
+    - [AccessGroup](#container.AccessGroup)
     - [Container](#container.Container)
     
 
@@ -164,6 +166,7 @@ via consensus in inner ring nodes
 | Capacity | [uint64](#uint64) |  | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
 | OwnerID | [bytes](#bytes) |  | OwnerID is a wallet address |
 | rules | [netmap.PlacementRule](#netmap.PlacementRule) |  | Rules define storage policy for the object inside the container. |
+| Group | [AccessGroup](#container.AccessGroup) |  | Container ACL. |
 | Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
 | Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
 
@@ -193,6 +196,29 @@ via consensus in inner ring nodes
  <!-- end services -->
 
 
+<a name="container.AccessControlList"></a>
+
+### Message AccessControlList
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| List | [AccessGroup](#container.AccessGroup) | repeated | List of access groups. |
+
+
+<a name="container.AccessGroup"></a>
+
+### Message AccessGroup
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| AccessMode | [uint32](#uint32) |  | Group access mode. |
+| UserGroup | [bytes](#bytes) | repeated | Group members. |
+
+
 <a name="container.Container"></a>
 
 ### Message Container
@@ -205,6 +231,7 @@ The Container service definition.
 | Salt | [bytes](#bytes) |  | Salt is a nonce for unique container id calculation. |
 | Capacity | [uint64](#uint64) |  | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
 | Rules | [netmap.PlacementRule](#netmap.PlacementRule) |  | Rules define storage policy for the object inside the container. |
+| List | [AccessControlList](#container.AccessControlList) |  | Container ACL. |
 
  <!-- end messages -->
 
diff --git a/docs/object.md b/docs/object.md
index 9e7efe61..7e863253 100644
--- a/docs/object.md
+++ b/docs/object.md
@@ -33,6 +33,7 @@
     - [IntegrityHeader](#object.IntegrityHeader)
     - [Link](#object.Link)
     - [Object](#object.Object)
+    - [PublicKey](#object.PublicKey)
     - [Range](#object.Range)
     - [SystemHeader](#object.SystemHeader)
     - [Tombstone](#object.Tombstone)
@@ -368,6 +369,7 @@ in distributed system.
 | PayloadChecksum | [bytes](#bytes) |  | PayloadChecksum of actual object's payload |
 | Integrity | [IntegrityHeader](#object.IntegrityHeader) |  | Integrity header with checksum of all above headers in the object |
 | StorageGroup | [storagegroup.StorageGroup](#storagegroup.StorageGroup) |  | StorageGroup contains meta information for the data audit |
+| PublicKey | [PublicKey](#object.PublicKey) |  | PublicKey of owner of the object. Key is used for verification and can be based on NeoID or x509 cert. |
 
 
 <a name="object.IntegrityHeader"></a>
@@ -407,6 +409,17 @@ in distributed system.
 | Payload | [bytes](#bytes) |  | Payload is an object's payload |
 
 
+<a name="object.PublicKey"></a>
+
+### Message PublicKey
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| Value | [bytes](#bytes) |  | Value contains marshaled ecdsa public key |
+
+
 <a name="object.Range"></a>
 
 ### Message Range
@@ -441,10 +454,6 @@ in distributed system.
 
 
 
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| Epoch | [uint64](#uint64) |  | Epoch when tombstone was created |
-
 
 <a name="object.Transform"></a>
 
diff --git a/docs/session.md b/docs/session.md
index e8633d39..ba615c36 100644
--- a/docs/session.md
+++ b/docs/session.md
@@ -115,6 +115,7 @@ User token granting rights for object manipulation
 | ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object |
 | Signature | [bytes](#bytes) |  | Signature is a token signature, signed by owner of manipulation object |
 | ID | [bytes](#bytes) |  | ID is a token identifier. valid UUIDv4 represented in bytes |
+| PublicKeys | [bytes](#bytes) | repeated | PublicKeys associated with owner |
 
 
 <a name="session.VerificationHeader"></a>
diff --git a/go.mod b/go.mod
index bb8c4ffa..688905e0 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/golang/protobuf v1.3.2
 	github.com/google/uuid v1.1.1
 	github.com/mr-tron/base58 v1.1.3
-	github.com/nspcc-dev/neofs-crypto v0.2.2
+	github.com/nspcc-dev/neofs-crypto v0.2.3
 	github.com/nspcc-dev/netmap v1.6.1
 	github.com/nspcc-dev/tzhash v1.3.0
 	github.com/pkg/errors v0.8.1
diff --git a/go.sum b/go.sum
index db7763e0..531a6826 100644
--- a/go.sum
+++ b/go.sum
@@ -106,12 +106,12 @@ github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjW
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nspcc-dev/hrw v1.0.8 h1:vwRuJXZXgkMvf473vFzeWGCfY1WBVeSHAEHvR4u3/Cg=
 github.com/nspcc-dev/hrw v1.0.8/go.mod h1:l/W2vx83vMQo6aStyx2AuZrJ+07lGv2JQGlVkPG06MU=
-github.com/nspcc-dev/neofs-crypto v0.2.2 h1:jLc5O+Wdpaq7L4lNYFX7li+OP4I1FsvvcPW1NXm3erY=
-github.com/nspcc-dev/neofs-crypto v0.2.2/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
+github.com/nspcc-dev/neofs-crypto v0.2.3 h1:aca3X2aly92ENRbFK+kH6Hd+J9EQ4Eu6XMVoITSIKtc=
+github.com/nspcc-dev/neofs-crypto v0.2.3/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
 github.com/nspcc-dev/netmap v1.6.1 h1:Pigqpqi6QSdRiusbq5XlO20A18k6Eyu7j9MzOfAE3CM=
 github.com/nspcc-dev/netmap v1.6.1/go.mod h1:mhV3UOg9ljQmu0teQShD6+JYX09XY5gu2I4hIByCH9M=
-github.com/nspcc-dev/rfc6979 v0.1.0 h1:Lwg7esRRoyK1Up/IN1vAef1EmvrBeMHeeEkek2fAJ6c=
-github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
+github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
+github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
 github.com/nspcc-dev/tzhash v1.3.0 h1:n6FTHsfPYbMi5Jmo6SwGVVRQD8i2w1P2ScCaW6rz69Q=
 github.com/nspcc-dev/tzhash v1.3.0/go.mod h1:Lc4DersKS8MNIrunTmsAzANO56qnG+LZ4GOE/WYGVzU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
diff --git a/object/extensions.go b/object/extensions.go
index 7427079b..f6b10ab7 100644
--- a/object/extensions.go
+++ b/object/extensions.go
@@ -1,4 +1,5 @@
 package object
+// todo: all extensions must be transferred to the separate util library
 
 import "github.com/nspcc-dev/neofs-proto/storagegroup"
 
diff --git a/object/types.go b/object/types.go
index f433b9c9..79cef655 100644
--- a/object/types.go
+++ b/object/types.go
@@ -67,6 +67,8 @@ const (
 	IntegrityHdr
 	// StorageGroupHdr is a storage group header type.
 	StorageGroupHdr
+	// PublicKeyHdr is a public key header type.
+	PublicKeyHdr
 )
 
 var (
@@ -140,6 +142,8 @@ func (m Header) typeOf(t isHeader_Value) (ok bool) {
 		_, ok = m.Value.(*Header_Integrity)
 	case *Header_StorageGroup:
 		_, ok = m.Value.(*Header_StorageGroup)
+	case *Header_PublicKey:
+		_, ok = m.Value.(*Header_PublicKey)
 	}
 	return
 }
@@ -168,6 +172,8 @@ func HeaderType(t headerType) Pred {
 		return func(h *Header) bool { _, ok := h.Value.(*Header_Integrity); return ok }
 	case StorageGroupHdr:
 		return func(h *Header) bool { _, ok := h.Value.(*Header_StorageGroup); return ok }
+	case PublicKeyHdr:
+		return func(h *Header) bool { _, ok := h.Value.(*Header_PublicKey); return ok }
 	default:
 		return nil
 	}
diff --git a/object/types.pb.go b/object/types.pb.go
index 459e124b..525b39b3 100644
--- a/object/types.pb.go
+++ b/object/types.pb.go
@@ -220,6 +220,7 @@ type Header struct {
 	//	*Header_PayloadChecksum
 	//	*Header_Integrity
 	//	*Header_StorageGroup
+	//	*Header_PublicKey
 	Value                isHeader_Value `protobuf_oneof:"Value"`
 	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
 	XXX_unrecognized     []byte         `json:"-"`
@@ -291,6 +292,9 @@ type Header_Integrity struct {
 type Header_StorageGroup struct {
 	StorageGroup *storagegroup.StorageGroup `protobuf:"bytes,10,opt,name=StorageGroup,proto3,oneof" json:"StorageGroup,omitempty"`
 }
+type Header_PublicKey struct {
+	PublicKey *PublicKey `protobuf:"bytes,11,opt,name=PublicKey,proto3,oneof" json:"PublicKey,omitempty"`
+}
 
 func (*Header_Link) isHeader_Value()            {}
 func (*Header_Redirect) isHeader_Value()        {}
@@ -302,6 +306,7 @@ func (*Header_HomoHash) isHeader_Value()        {}
 func (*Header_PayloadChecksum) isHeader_Value() {}
 func (*Header_Integrity) isHeader_Value()       {}
 func (*Header_StorageGroup) isHeader_Value()    {}
+func (*Header_PublicKey) isHeader_Value()       {}
 
 func (m *Header) GetValue() isHeader_Value {
 	if m != nil {
@@ -373,6 +378,13 @@ func (m *Header) GetStorageGroup() *storagegroup.StorageGroup {
 	return nil
 }
 
+func (m *Header) GetPublicKey() *PublicKey {
+	if x, ok := m.GetValue().(*Header_PublicKey); ok {
+		return x.PublicKey
+	}
+	return nil
+}
+
 // XXX_OneofWrappers is for the internal use of the proto package.
 func (*Header) XXX_OneofWrappers() []interface{} {
 	return []interface{}{
@@ -386,12 +398,11 @@ func (*Header) XXX_OneofWrappers() []interface{} {
 		(*Header_PayloadChecksum)(nil),
 		(*Header_Integrity)(nil),
 		(*Header_StorageGroup)(nil),
+		(*Header_PublicKey)(nil),
 	}
 }
 
 type Tombstone struct {
-	// Epoch when tombstone was created
-	Epoch                uint64   `protobuf:"varint,1,opt,name=Epoch,proto3" json:"Epoch,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -426,13 +437,6 @@ func (m *Tombstone) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_Tombstone proto.InternalMessageInfo
 
-func (m *Tombstone) GetEpoch() uint64 {
-	if m != nil {
-		return m.Epoch
-	}
-	return 0
-}
-
 type SystemHeader struct {
 	// Version of the object structure
 	Version uint64 `protobuf:"varint,1,opt,name=Version,proto3" json:"Version,omitempty"`
@@ -759,6 +763,50 @@ func (m *Object) GetPayload() []byte {
 	return nil
 }
 
+type PublicKey struct {
+	// Value contains marshaled ecdsa public key
+	Value                []byte   `protobuf:"bytes,1,opt,name=Value,proto3" json:"Value,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *PublicKey) Reset()         { *m = PublicKey{} }
+func (m *PublicKey) String() string { return proto.CompactTextString(m) }
+func (*PublicKey) ProtoMessage()    {}
+func (*PublicKey) Descriptor() ([]byte, []int) {
+	return fileDescriptor_02021a1d39b1aee0, []int{10}
+}
+func (m *PublicKey) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *PublicKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *PublicKey) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_PublicKey.Merge(m, src)
+}
+func (m *PublicKey) XXX_Size() int {
+	return m.Size()
+}
+func (m *PublicKey) XXX_DiscardUnknown() {
+	xxx_messageInfo_PublicKey.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_PublicKey proto.InternalMessageInfo
+
+func (m *PublicKey) GetValue() []byte {
+	if m != nil {
+		return m.Value
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterEnum("object.Link_Type", Link_Type_name, Link_Type_value)
 	proto.RegisterEnum("object.Transform_Type", Transform_Type_name, Transform_Type_value)
@@ -772,67 +820,69 @@ func init() {
 	proto.RegisterType((*Link)(nil), "object.Link")
 	proto.RegisterType((*Transform)(nil), "object.Transform")
 	proto.RegisterType((*Object)(nil), "object.Object")
+	proto.RegisterType((*PublicKey)(nil), "object.PublicKey")
 }
 
 func init() { proto.RegisterFile("object/types.proto", fileDescriptor_02021a1d39b1aee0) }
 
 var fileDescriptor_02021a1d39b1aee0 = []byte{
-	// 867 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x55, 0x4d, 0x73, 0xdb, 0x44,
-	0x18, 0x96, 0x64, 0xf9, 0xeb, 0xb5, 0xd2, 0xa8, 0x4b, 0x29, 0x1a, 0x33, 0x38, 0x41, 0xc3, 0x47,
-	0x28, 0x44, 0x19, 0x52, 0x98, 0x0e, 0x07, 0x18, 0xe2, 0x98, 0x41, 0x1e, 0x0a, 0xc9, 0x6c, 0x3e,
-	0x0e, 0xdc, 0x64, 0x6b, 0x2d, 0x8b, 0xd8, 0xbb, 0x9e, 0xdd, 0x75, 0x5b, 0xdf, 0xf9, 0x05, 0x9c,
-	0xb8, 0xf1, 0x77, 0x7a, 0xe4, 0xc8, 0xf4, 0x90, 0x61, 0xc2, 0x0f, 0xe0, 0x2f, 0x74, 0x76, 0x25,
-	0xd9, 0x92, 0xdb, 0x8b, 0x67, 0xdf, 0xe7, 0x63, 0xfd, 0xea, 0xdd, 0x67, 0x25, 0x40, 0x6c, 0xf4,
-	0x1b, 0x19, 0xcb, 0x23, 0xb9, 0x5a, 0x10, 0x11, 0x2c, 0x38, 0x93, 0x0c, 0x35, 0x32, 0xac, 0xeb,
-	0x72, 0x32, 0x11, 0x65, 0xa6, 0xfb, 0x8e, 0x20, 0x42, 0xa4, 0x8c, 0x56, 0x40, 0x4f, 0x48, 0xc6,
-	0xa3, 0x84, 0x24, 0x9c, 0x2d, 0x17, 0x15, 0xe6, 0x30, 0x49, 0xe5, 0x74, 0x39, 0x0a, 0xc6, 0x6c,
-	0x7e, 0x94, 0xb0, 0x84, 0x1d, 0x69, 0x78, 0xb4, 0x9c, 0xe8, 0x4a, 0x17, 0x7a, 0x95, 0xc9, 0xfd,
-	0x27, 0x50, 0xc7, 0x11, 0x4d, 0x08, 0x7a, 0x08, 0x8d, 0xb3, 0xc9, 0x44, 0x10, 0xe9, 0x99, 0xfb,
-	0xe6, 0x81, 0x8d, 0xf3, 0x4a, 0xe1, 0x4f, 0x09, 0x4d, 0xe4, 0xd4, 0xb3, 0x32, 0x3c, 0xab, 0xfc,
-	0xaf, 0x00, 0xae, 0x04, 0xe1, 0x21, 0x89, 0x62, 0xc2, 0x91, 0x0b, 0xb5, 0x9f, 0xc8, 0x4a, 0x5b,
-	0xdb, 0x58, 0x2d, 0xd1, 0x03, 0xa8, 0x5f, 0x47, 0xb3, 0x25, 0xd1, 0xb6, 0x36, 0xce, 0x0a, 0xff,
-	0x77, 0x1b, 0x1a, 0xb9, 0xc5, 0x07, 0xfb, 0x69, 0x4a, 0x6f, 0xb4, 0xa7, 0x73, 0xec, 0x04, 0xd9,
-	0x00, 0x02, 0x85, 0x85, 0x06, 0xd6, 0x1c, 0xfa, 0x1c, 0x5a, 0x98, 0xc4, 0x29, 0x27, 0x63, 0xa9,
-	0xf7, 0xe9, 0x1c, 0xef, 0x04, 0x6a, 0x40, 0xc1, 0x49, 0x1c, 0x73, 0x22, 0x44, 0x68, 0xe0, 0xb5,
-	0x00, 0x55, 0x3a, 0xf2, 0x6a, 0x5a, 0x8e, 0x8a, 0x6d, 0x37, 0x4c, 0x68, 0xe0, 0x72, 0xe7, 0x5f,
-	0x42, 0xfb, 0x92, 0x47, 0x54, 0x4c, 0x18, 0x9f, 0x7b, 0xb6, 0x36, 0xdd, 0x2f, 0x4c, 0x6b, 0x22,
-	0x34, 0xf0, 0x46, 0xa5, 0x2d, 0x6c, 0x3e, 0x12, 0x92, 0x51, 0xe2, 0xd5, 0xb7, 0x2c, 0x05, 0xa1,
-	0x2d, 0x45, 0x81, 0xbe, 0x86, 0xc6, 0x35, 0xe1, 0xe9, 0x64, 0xe5, 0x35, 0xb4, 0xfe, 0xfd, 0x20,
-	0x3f, 0xd5, 0x40, 0xc3, 0xe9, 0x38, 0x92, 0x29, 0xa3, 0xeb, 0x06, 0x73, 0x31, 0xfa, 0x04, 0x5a,
-	0x21, 0x9b, 0xb3, 0x30, 0x12, 0x53, 0xaf, 0xb9, 0x6f, 0x1e, 0x38, 0xfd, 0xd6, 0xab, 0xdb, 0x3d,
-	0x5b, 0xd5, 0xea, 0xd1, 0x0b, 0x0e, 0x3d, 0x82, 0xdd, 0xf3, 0x68, 0x35, 0x63, 0x51, 0x7c, 0x3a,
-	0x25, 0xe3, 0x1b, 0xb1, 0x9c, 0x7b, 0x2d, 0x25, 0x0f, 0x0d, 0xbc, 0x4d, 0xa0, 0x27, 0xd0, 0x1e,
-	0x52, 0x49, 0x12, 0x9e, 0xca, 0x95, 0xd7, 0xd6, 0xdd, 0xbc, 0x57, 0x74, 0xbf, 0x26, 0xd6, 0x9d,
-	0x6c, 0xb4, 0xe8, 0x7b, 0x70, 0x2e, 0xb2, 0xd4, 0xfd, 0xa8, 0x52, 0xe7, 0x81, 0xf6, 0x76, 0x83,
-	0x72, 0x14, 0x83, 0xb2, 0x22, 0x34, 0x70, 0xc5, 0xd1, 0x6f, 0xe6, 0x99, 0xf0, 0x3f, 0x2c, 0x4d,
-	0x50, 0x25, 0xe5, 0x87, 0x05, 0x1b, 0x4f, 0xf3, 0xe0, 0x65, 0x85, 0xff, 0xbf, 0x09, 0xce, 0xc5,
-	0x4a, 0x48, 0x32, 0xcf, 0x0f, 0xca, 0x83, 0xe6, 0x35, 0xe1, 0x6a, 0x66, 0xb9, 0xb0, 0x28, 0xd1,
-	0x47, 0xb0, 0x93, 0x3f, 0x64, 0x25, 0xa9, 0x55, 0x10, 0x75, 0xc1, 0x1a, 0x0e, 0x74, 0x2c, 0x9c,
-	0x3e, 0xbc, 0xbc, 0xdd, 0x33, 0x5e, 0xdd, 0xee, 0x59, 0xc3, 0x01, 0xb6, 0x86, 0x03, 0xf4, 0x19,
-	0x34, 0xcf, 0x9e, 0x53, 0xc2, 0x87, 0x03, 0x1d, 0x01, 0xa7, 0xbf, 0x9b, 0x0b, 0x0a, 0x18, 0x17,
-	0x0b, 0xf4, 0x01, 0xd4, 0x4e, 0x87, 0x03, 0x7d, 0xec, 0x4e, 0xbf, 0x93, 0xcb, 0x14, 0x84, 0xd5,
-	0x0f, 0xfa, 0x06, 0xda, 0xa7, 0x9c, 0x44, 0x92, 0xc4, 0x27, 0x32, 0x3f, 0xeb, 0x77, 0x8b, 0xe9,
-	0x6a, 0x22, 0x65, 0xf4, 0x9c, 0xa5, 0x54, 0xf6, 0x6d, 0xe5, 0xc5, 0x1b, 0xb5, 0x7f, 0x02, 0x3b,
-	0x15, 0x05, 0xea, 0x42, 0xeb, 0x8a, 0xa6, 0x2f, 0x2e, 0xd3, 0x39, 0xd1, 0x8f, 0x5c, 0xc3, 0xeb,
-	0x7a, 0x33, 0x34, 0xab, 0x3c, 0xb4, 0x14, 0x76, 0xb7, 0x8e, 0x10, 0x1d, 0xc0, 0x6e, 0xb6, 0x12,
-	0xeb, 0x68, 0xa8, 0xbd, 0x1c, 0xbc, 0x0d, 0xa3, 0x2f, 0xe0, 0x7e, 0xb1, 0xbe, 0x48, 0x13, 0x1a,
-	0xc9, 0x25, 0xcf, 0x6e, 0xaf, 0x83, 0xdf, 0x24, 0xfc, 0xbf, 0xcc, 0xec, 0xfe, 0xa2, 0x8f, 0xc1,
-	0x56, 0xef, 0x1f, 0xbd, 0xeb, 0xbd, 0xcd, 0x45, 0x50, 0x5c, 0x70, 0xb9, 0x5a, 0x10, 0xac, 0xe9,
-	0x7c, 0xfc, 0xd6, 0xdb, 0xc6, 0xef, 0x5f, 0x82, 0xad, 0x94, 0xa8, 0x03, 0xcd, 0x2b, 0x7a, 0x43,
-	0xd9, 0x73, 0xea, 0x1a, 0x08, 0xa0, 0x71, 0x1e, 0x71, 0x42, 0xa5, 0x6b, 0x22, 0x07, 0x5a, 0xe7,
-	0x9c, 0x3c, 0x4b, 0xd9, 0x52, 0xb8, 0x16, 0x6a, 0x81, 0xfd, 0x0b, 0x79, 0x21, 0xdd, 0x1a, 0x6a,
-	0x43, 0xfd, 0x74, 0x9a, 0xce, 0x62, 0xd7, 0x46, 0x6e, 0x35, 0x9d, 0x6e, 0xdd, 0x9f, 0x95, 0x6e,
-	0x36, 0x7a, 0x54, 0xe9, 0xf2, 0xe1, 0x1b, 0x37, 0xbc, 0xd4, 0xaa, 0xff, 0xf8, 0x6d, 0xed, 0xb4,
-	0xa1, 0x7e, 0xb1, 0x98, 0xa5, 0xaa, 0x9b, 0x16, 0xd8, 0x6a, 0x0e, 0xae, 0xa5, 0xc0, 0x9f, 0xd9,
-	0x72, 0x16, 0xbb, 0x35, 0xff, 0x0f, 0x13, 0x1a, 0x67, 0x7a, 0x53, 0xf4, 0x5d, 0x35, 0xb9, 0xf9,
-	0x1b, 0xee, 0x41, 0xf1, 0x9f, 0x65, 0x2e, 0x4f, 0x41, 0x35, 0xe9, 0x01, 0x34, 0xf3, 0xb3, 0xf1,
-	0xac, 0xfd, 0xda, 0x41, 0xe7, 0xf8, 0x5e, 0x61, 0xad, 0x98, 0x0a, 0x91, 0xba, 0x19, 0x79, 0xd4,
-	0xb3, 0x78, 0xe3, 0xa2, 0xec, 0x7f, 0xfb, 0xf2, 0xae, 0x67, 0xfe, 0x7d, 0xd7, 0x33, 0xff, 0xb9,
-	0xeb, 0x99, 0xff, 0xde, 0xf5, 0xcc, 0x3f, 0xff, 0xeb, 0x19, 0xbf, 0x7e, 0x5a, 0xfa, 0x44, 0x50,
-	0xb1, 0x18, 0x8f, 0x0f, 0x63, 0xf2, 0xec, 0x88, 0x12, 0x36, 0x11, 0x87, 0xd9, 0x07, 0x22, 0xfb,
-	0xbb, 0x51, 0x43, 0x57, 0x8f, 0x5f, 0x07, 0x00, 0x00, 0xff, 0xff, 0x40, 0x7d, 0xa2, 0x84, 0xb1,
-	0x06, 0x00, 0x00,
+	// 892 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x55, 0xcb, 0x72, 0x1b, 0x45,
+	0x14, 0xd5, 0x48, 0xa3, 0xd7, 0xd5, 0x38, 0x9e, 0x34, 0x21, 0x4c, 0x89, 0x42, 0x36, 0x53, 0x3c,
+	0x4c, 0xc0, 0xe3, 0xc2, 0x81, 0x4a, 0xb1, 0x80, 0xc2, 0xb2, 0x28, 0xa4, 0x22, 0x60, 0x55, 0xfb,
+	0xb1, 0x60, 0x37, 0x92, 0x5a, 0xa3, 0xc6, 0x52, 0xb7, 0xaa, 0xbb, 0x27, 0x89, 0x7e, 0x83, 0x15,
+	0x3b, 0x3e, 0x83, 0x5f, 0xc8, 0x92, 0x25, 0x95, 0x85, 0x8b, 0x32, 0x1f, 0xc0, 0x2f, 0xa4, 0xba,
+	0xe7, 0xa1, 0x19, 0x27, 0x1b, 0x55, 0x9f, 0x7b, 0xce, 0x69, 0xdd, 0xb9, 0x7d, 0x7a, 0x06, 0x10,
+	0x9f, 0xfc, 0x46, 0xa6, 0xea, 0x48, 0x6d, 0xd6, 0x44, 0x06, 0x6b, 0xc1, 0x15, 0x47, 0x8d, 0xa4,
+	0xd6, 0x75, 0x05, 0x99, 0xcb, 0x22, 0xd3, 0x7d, 0x47, 0x12, 0x29, 0x29, 0x67, 0xa5, 0xa2, 0x27,
+	0x15, 0x17, 0x61, 0x44, 0x22, 0xc1, 0xe3, 0x75, 0x89, 0x39, 0x8c, 0xa8, 0x5a, 0xc4, 0x93, 0x60,
+	0xca, 0x57, 0x47, 0x11, 0x8f, 0xf8, 0x91, 0x29, 0x4f, 0xe2, 0xb9, 0x41, 0x06, 0x98, 0x55, 0x22,
+	0xf7, 0x9f, 0x40, 0x1d, 0x87, 0x2c, 0x22, 0xe8, 0x21, 0x34, 0xce, 0xe6, 0x73, 0x49, 0x94, 0x67,
+	0xed, 0x5b, 0x07, 0x36, 0x4e, 0x91, 0xae, 0x3f, 0x25, 0x2c, 0x52, 0x0b, 0xaf, 0x9a, 0xd4, 0x13,
+	0xe4, 0x7f, 0x05, 0x70, 0x29, 0x89, 0x18, 0x92, 0x70, 0x46, 0x04, 0x72, 0xa1, 0xf6, 0x13, 0xd9,
+	0x18, 0x6b, 0x1b, 0xeb, 0x25, 0x7a, 0x00, 0xf5, 0xab, 0x70, 0x19, 0x13, 0x63, 0x6b, 0xe3, 0x04,
+	0xf8, 0x7f, 0xd9, 0xd0, 0x48, 0x2d, 0x3e, 0xd8, 0x4f, 0x29, 0xbb, 0x36, 0x9e, 0xce, 0xb1, 0x13,
+	0x24, 0x03, 0x08, 0x74, 0x6d, 0x58, 0xc1, 0x86, 0x43, 0x9f, 0x43, 0x0b, 0x93, 0x19, 0x15, 0x64,
+	0xaa, 0xcc, 0x3e, 0x9d, 0xe3, 0x9d, 0x40, 0x0f, 0x28, 0x38, 0x99, 0xcd, 0x04, 0x91, 0x72, 0x58,
+	0xc1, 0xb9, 0x00, 0x95, 0x3a, 0xf2, 0x6a, 0x46, 0x8e, 0xb2, 0x6d, 0xb7, 0xcc, 0xb0, 0x82, 0x8b,
+	0x9d, 0x7f, 0x09, 0xed, 0x0b, 0x11, 0x32, 0x39, 0xe7, 0x62, 0xe5, 0xd9, 0xc6, 0x74, 0x3f, 0x33,
+	0xe5, 0xc4, 0xb0, 0x82, 0xb7, 0x2a, 0x63, 0xe1, 0xab, 0x89, 0x54, 0x9c, 0x11, 0xaf, 0x7e, 0xc7,
+	0x92, 0x11, 0xc6, 0x92, 0x01, 0xf4, 0x35, 0x34, 0xae, 0x88, 0xa0, 0xf3, 0x8d, 0xd7, 0x30, 0xfa,
+	0xf7, 0x83, 0xf4, 0x54, 0x03, 0x53, 0xa6, 0xd3, 0x50, 0x51, 0xce, 0xf2, 0x06, 0x53, 0x31, 0xfa,
+	0x04, 0x5a, 0x43, 0xbe, 0xe2, 0xc3, 0x50, 0x2e, 0xbc, 0xe6, 0xbe, 0x75, 0xe0, 0xf4, 0x5b, 0xaf,
+	0x6e, 0xf6, 0x6c, 0x8d, 0xf5, 0xa3, 0x67, 0x1c, 0x7a, 0x04, 0xbb, 0xe3, 0x70, 0xb3, 0xe4, 0xe1,
+	0xec, 0x74, 0x41, 0xa6, 0xd7, 0x32, 0x5e, 0x79, 0x2d, 0x2d, 0x1f, 0x56, 0xf0, 0x5d, 0x02, 0x3d,
+	0x81, 0xf6, 0x88, 0x29, 0x12, 0x09, 0xaa, 0x36, 0x5e, 0xdb, 0x74, 0xf3, 0x5e, 0xd6, 0x7d, 0x4e,
+	0xe4, 0x9d, 0x6c, 0xb5, 0xe8, 0x7b, 0x70, 0xce, 0x93, 0xd4, 0xfd, 0xa8, 0x53, 0xe7, 0x81, 0xf1,
+	0x76, 0x83, 0x62, 0x14, 0x83, 0xa2, 0x62, 0x58, 0xc1, 0x25, 0x87, 0x1e, 0xdc, 0x38, 0x9e, 0x2c,
+	0xe9, 0x54, 0x67, 0xa5, 0x53, 0x1e, 0x5c, 0x4e, 0xe8, 0x3f, 0xcd, 0x41, 0xbf, 0x99, 0xc6, 0xc8,
+	0xef, 0x14, 0x86, 0xee, 0xff, 0x6f, 0x81, 0x73, 0xbe, 0x91, 0x8a, 0xac, 0xd2, 0x53, 0xf4, 0xa0,
+	0x79, 0x45, 0x84, 0x1e, 0x68, 0x1a, 0xdf, 0x0c, 0xa2, 0x8f, 0x60, 0x27, 0x9d, 0x40, 0x29, 0xc6,
+	0xe5, 0x22, 0xea, 0x42, 0x75, 0x34, 0x30, 0x99, 0x71, 0xfa, 0xf0, 0xf2, 0x66, 0xaf, 0xf2, 0xea,
+	0x66, 0xaf, 0x3a, 0x1a, 0xe0, 0xea, 0x68, 0x80, 0x3e, 0x83, 0xe6, 0xd9, 0x73, 0x46, 0xc4, 0x68,
+	0x60, 0xf2, 0xe1, 0xf4, 0x77, 0x53, 0x41, 0x56, 0xc6, 0xd9, 0x02, 0x7d, 0x00, 0xb5, 0xd3, 0xd1,
+	0xc0, 0x64, 0xc2, 0xe9, 0x77, 0x52, 0x99, 0x2e, 0x61, 0xfd, 0x83, 0xbe, 0x81, 0xf6, 0xa9, 0x20,
+	0xa1, 0x22, 0xb3, 0x13, 0x95, 0x06, 0xe1, 0xdd, 0xec, 0xf9, 0x0d, 0x41, 0x39, 0x1b, 0x73, 0xca,
+	0x54, 0xdf, 0xd6, 0x5e, 0xbc, 0x55, 0xfb, 0x27, 0xb0, 0x53, 0x52, 0xa0, 0x2e, 0xb4, 0x2e, 0x19,
+	0x7d, 0x71, 0x41, 0x57, 0xc4, 0x3c, 0x72, 0x0d, 0xe7, 0x58, 0xdf, 0xbd, 0x1f, 0xd6, 0x7c, 0x9a,
+	0x3d, 0x6b, 0x02, 0x7c, 0x0a, 0xbb, 0x77, 0xce, 0x17, 0x1d, 0xc0, 0x6e, 0xb2, 0x92, 0x79, 0x6e,
+	0xf4, 0x5e, 0x0e, 0xbe, 0x5b, 0x46, 0x5f, 0xc0, 0xfd, 0x6c, 0x7d, 0x4e, 0x23, 0x16, 0xaa, 0x58,
+	0x24, 0x57, 0xdb, 0xc1, 0x6f, 0x12, 0xfe, 0x9f, 0x56, 0x72, 0xb9, 0xd1, 0xc7, 0x60, 0xeb, 0x97,
+	0x93, 0xd9, 0xf5, 0xde, 0xf6, 0xb0, 0x35, 0x17, 0x5c, 0x6c, 0xd6, 0x04, 0x1b, 0x3a, 0x1d, 0x7f,
+	0xf5, 0x6d, 0xe3, 0xf7, 0x2f, 0xc0, 0xd6, 0x4a, 0xd4, 0x81, 0xe6, 0x25, 0xbb, 0x66, 0xfc, 0x39,
+	0x73, 0x2b, 0x08, 0xa0, 0x31, 0x0e, 0x05, 0x61, 0xca, 0xb5, 0x90, 0x03, 0xad, 0xb1, 0x20, 0xcf,
+	0x28, 0x8f, 0xa5, 0x5b, 0x45, 0x2d, 0xb0, 0x7f, 0x21, 0x2f, 0x94, 0x5b, 0x43, 0x6d, 0xa8, 0x9f,
+	0x2e, 0xe8, 0x72, 0xe6, 0xda, 0xc8, 0x2d, 0x47, 0xd7, 0xad, 0xfb, 0xcb, 0xc2, 0xb5, 0x47, 0x8f,
+	0x4a, 0x5d, 0x3e, 0x7c, 0xe3, 0xfa, 0x17, 0x5a, 0xf5, 0x1f, 0xbf, 0xad, 0x9d, 0x36, 0xd4, 0xcf,
+	0xd7, 0x4b, 0xaa, 0xbb, 0x69, 0x81, 0xad, 0xe7, 0xe0, 0x56, 0x75, 0xf1, 0x67, 0x1e, 0x2f, 0x67,
+	0x6e, 0xcd, 0xff, 0xdd, 0x82, 0xc6, 0x99, 0xd9, 0x14, 0x7d, 0x57, 0x4e, 0x6e, 0xfa, 0xfa, 0x7b,
+	0x90, 0xfd, 0x67, 0x91, 0x4b, 0x53, 0x50, 0x4e, 0x7a, 0x00, 0xcd, 0xf4, 0x6c, 0xbc, 0xea, 0x7e,
+	0xed, 0xa0, 0x73, 0x7c, 0x2f, 0xb3, 0x96, 0x4c, 0x99, 0x48, 0xdf, 0x8c, 0x34, 0xea, 0x49, 0xbc,
+	0x71, 0x06, 0xfd, 0x0f, 0x0b, 0xb7, 0x71, 0xfb, 0xba, 0x4e, 0xce, 0x3f, 0x01, 0xfd, 0x6f, 0x5f,
+	0xde, 0xf6, 0xac, 0xbf, 0x6f, 0x7b, 0xd6, 0x3f, 0xb7, 0x3d, 0xeb, 0xdf, 0xdb, 0x9e, 0xf5, 0xc7,
+	0x7f, 0xbd, 0xca, 0xaf, 0x9f, 0x16, 0x3e, 0x31, 0x4c, 0xae, 0xa7, 0xd3, 0xc3, 0x19, 0x79, 0x76,
+	0xc4, 0x08, 0x9f, 0xcb, 0xc3, 0xe4, 0x03, 0x93, 0x74, 0x34, 0x69, 0x18, 0xf4, 0xf8, 0x75, 0x00,
+	0x00, 0x00, 0xff, 0xff, 0x95, 0x5d, 0xc3, 0x1e, 0xf1, 0x06, 0x00, 0x00,
 }
 
 func (m *Range) Marshal() (dAtA []byte, err error) {
@@ -1152,6 +1202,27 @@ func (m *Header_StorageGroup) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	}
 	return len(dAtA) - i, nil
 }
+func (m *Header_PublicKey) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *Header_PublicKey) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	if m.PublicKey != nil {
+		{
+			size, err := m.PublicKey.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintTypes(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x5a
+	}
+	return len(dAtA) - i, nil
+}
 func (m *Tombstone) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -1176,11 +1247,6 @@ func (m *Tombstone) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
-	if m.Epoch != 0 {
-		i = encodeVarintTypes(dAtA, i, uint64(m.Epoch))
-		i--
-		dAtA[i] = 0x8
-	}
 	return len(dAtA) - i, nil
 }
 
@@ -1471,6 +1537,40 @@ func (m *Object) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *PublicKey) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PublicKey) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *PublicKey) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.Value) > 0 {
+		i -= len(m.Value)
+		copy(dAtA[i:], m.Value)
+		i = encodeVarintTypes(dAtA, i, uint64(len(m.Value)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func encodeVarintTypes(dAtA []byte, offset int, v uint64) int {
 	offset -= sovTypes(v)
 	base := offset
@@ -1653,15 +1753,24 @@ func (m *Header_StorageGroup) Size() (n int) {
 	}
 	return n
 }
-func (m *Tombstone) Size() (n int) {
+func (m *Header_PublicKey) Size() (n int) {
 	if m == nil {
 		return 0
 	}
 	var l int
 	_ = l
-	if m.Epoch != 0 {
-		n += 1 + sovTypes(uint64(m.Epoch))
+	if m.PublicKey != nil {
+		l = m.PublicKey.Size()
+		n += 1 + l + sovTypes(uint64(l))
 	}
+	return n
+}
+func (m *Tombstone) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1788,6 +1897,22 @@ func (m *Object) Size() (n int) {
 	return n
 }
 
+func (m *PublicKey) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Value)
+	if l > 0 {
+		n += 1 + l + sovTypes(uint64(l))
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
 func sovTypes(x uint64) (n int) {
 	return (math_bits.Len64(x|1) + 6) / 7
 }
@@ -2382,6 +2507,41 @@ func (m *Header) Unmarshal(dAtA []byte) error {
 			}
 			m.Value = &Header_StorageGroup{v}
 			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PublicKey", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &PublicKey{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Value = &Header_PublicKey{v}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipTypes(dAtA[iNdEx:])
@@ -2436,25 +2596,6 @@ func (m *Tombstone) Unmarshal(dAtA []byte) error {
 			return fmt.Errorf("proto: Tombstone: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
-		case 1:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Epoch", wireType)
-			}
-			m.Epoch = 0
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowTypes
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				m.Epoch |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipTypes(dAtA[iNdEx:])
@@ -3252,6 +3393,94 @@ func (m *Object) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *PublicKey) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowTypes
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PublicKey: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PublicKey: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = append(m.Value[:0], dAtA[iNdEx:postIndex]...)
+			if m.Value == nil {
+				m.Value = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipTypes(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func skipTypes(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
diff --git a/object/types.proto b/object/types.proto
index d2bbaab3..293f3470 100644
--- a/object/types.proto
+++ b/object/types.proto
@@ -45,13 +45,12 @@ message Header {
         IntegrityHeader Integrity              = 9;
         // StorageGroup contains meta information for the data audit
         storagegroup.StorageGroup StorageGroup = 10;
+        // PublicKey of owner of the object. Key is used for verification and can be based on NeoID or x509 cert.
+        PublicKey PublicKey                    = 11;
     }
 }
 
-message Tombstone {
-    // Epoch when tombstone was created
-    uint64 Epoch = 1;
-}
+message Tombstone {}
 
 message SystemHeader {
     // Version of the object structure
@@ -125,3 +124,8 @@ message Object {
     // Payload is an object's payload
     bytes Payload             = 3;
 }
+
+message PublicKey {
+    // Value contains marshaled ecdsa public key
+    bytes Value = 1;
+}
diff --git a/object/verification.go b/object/verification.go
index 761c04e2..742375a9 100644
--- a/object/verification.go
+++ b/object/verification.go
@@ -63,28 +63,35 @@ func (m Object) verifySignature(key []byte, ih *IntegrityHeader) error {
 // Verify performs local integrity check by finding verification header and
 // integrity header. If header integrity is passed, function verifies
 // checksum of the object payload.
+// todo: move this verification logic into separate library
 func (m Object) Verify() error {
 	var (
 		err      error
 		checksum []byte
+		pubkey []byte
 	)
-	// Prepare structures
-	_, vh := m.LastHeader(HeaderType(VerifyHdr))
-	if vh == nil {
+	ind, ih := m.LastHeader(HeaderType(IntegrityHdr))
+	if ih == nil || ind != len(m.Headers) - 1{
 		return ErrHeaderNotFound
 	}
-	verify := vh.Value.(*Header_Verify).Verify
+	integrity := ih.Value.(*Header_Integrity).Integrity
 
-	_, ih := m.LastHeader(HeaderType(IntegrityHdr))
-	if ih == nil {
-		return ErrHeaderNotFound
+	// Prepare structures
+	_, vh := m.LastHeader(HeaderType(VerifyHdr))
+	if vh == nil {
+		_, pkh := m.LastHeader(HeaderType(PublicKeyHdr))
+		if pkh == nil {
+			return ErrHeaderNotFound
+		}
+		pubkey = pkh.Value.(*Header_PublicKey).PublicKey.Value
+	} else {
+		pubkey = vh.Value.(*Header_Verify).Verify.PublicKey
 	}
-	integrity := ih.Value.(*Header_Integrity).Integrity
 
 	// Verify signature
-	err = m.verifySignature(verify.PublicKey, integrity)
+	err = m.verifySignature(pubkey, integrity)
 	if err != nil {
-		return errors.Wrapf(err, "public key: %x", verify.PublicKey)
+		return errors.Wrapf(err, "public key: %x", pubkey)
 	}
 
 	// Verify checksum of header
@@ -111,22 +118,32 @@ func (m Object) Verify() error {
 	return nil
 }
 
-// Sign creates new integrity header and adds it to the end of the list of
-// extended headers.
-func (m *Object) Sign(key *ecdsa.PrivateKey) error {
-	headerChecksum, err := m.headersChecksum(false)
+// CreateIntegrityHeader returns signed integrity header for the object
+func CreateIntegrityHeader(obj *Object, key *ecdsa.PrivateKey) (*Header, error) {
+	headerChecksum, err := obj.headersChecksum(false)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	headerChecksumSignature, err := crypto.Sign(key, headerChecksum)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	m.AddHeader(&Header{Value: &Header_Integrity{
+
+	return &Header{Value: &Header_Integrity{
 		Integrity: &IntegrityHeader{
 			HeadersChecksum:   headerChecksum,
 			ChecksumSignature: headerChecksumSignature,
 		},
-	}})
+	}}, nil
+}
+
+// Sign creates new integrity header and adds it to the end of the list of
+// extended headers.
+func (m *Object) Sign(key *ecdsa.PrivateKey) error {
+	ih, err := CreateIntegrityHeader(m, key)
+	if err != nil {
+		return err
+	}
+	m.AddHeader(ih)
 	return nil
 }
diff --git a/object/verification_test.go b/object/verification_test.go
index f91e0518..b538023c 100644
--- a/object/verification_test.go
+++ b/object/verification_test.go
@@ -56,7 +56,7 @@ func TestObject_Verify(t *testing.T) {
 	obj.SetPayload(payload)
 	obj.SetHeader(&Header{Value: &Header_PayloadChecksum{[]byte("incorrect checksum")}})
 
-	t.Run("error no integrity header", func(t *testing.T) {
+	t.Run("error no integrity header and pubkey", func(t *testing.T) {
 		err = obj.Verify()
 		require.EqualError(t, err, ErrHeaderNotFound.Error())
 	})
@@ -83,12 +83,25 @@ func TestObject_Verify(t *testing.T) {
 	}
 	obj.SetVerificationHeader(vh)
 
+	// validation header is not last
+	t.Run("error validation header is not last", func(t *testing.T) {
+		err = obj.Verify()
+		require.EqualError(t, err, ErrHeaderNotFound.Error())
+	})
+
+	obj.Headers = obj.Headers[:len(obj.Headers)-2]
+	obj.SetVerificationHeader(vh)
+	obj.SetHeader(&Header{Value: &Header_Integrity{ih}})
+
 	t.Run("error invalid header checksum", func(t *testing.T) {
 		err = obj.Verify()
 		require.EqualError(t, err, ErrVerifyHeader.Error())
 	})
 
-	require.NoError(t, obj.Sign(sessionkey))
+	obj.Headers = obj.Headers[:len(obj.Headers)-1]
+	genIH, err := CreateIntegrityHeader(obj, sessionkey)
+	require.NoError(t, err)
+	obj.SetHeader(genIH)
 
 	t.Run("error invalid payload checksum", func(t *testing.T) {
 		err = obj.Verify()
@@ -96,10 +109,39 @@ func TestObject_Verify(t *testing.T) {
 	})
 
 	obj.SetHeader(&Header{Value: &Header_PayloadChecksum{obj.PayloadChecksum()}})
-	require.NoError(t, obj.Sign(sessionkey))
 
-	t.Run("correct", func(t *testing.T) {
+	obj.Headers = obj.Headers[:len(obj.Headers)-1]
+	genIH, err = CreateIntegrityHeader(obj, sessionkey)
+	require.NoError(t, err)
+	obj.SetHeader(genIH)
+
+	t.Run("correct with vh", func(t *testing.T) {
 		err = obj.Verify()
 		require.NoError(t, err)
 	})
+
+	pkh := Header{Value: &Header_PublicKey{&PublicKey{
+		Value: crypto.MarshalPublicKey(&key.PublicKey),
+	}}}
+	// replace vh with pkh
+	obj.Headers[len(obj.Headers)-2] = pkh
+	// re-sign object
+	obj.Sign(sessionkey)
+
+
+	t.Run("incorrect with bad public key", func(t *testing.T) {
+		err = obj.Verify()
+		require.Error(t, err)
+	})
+
+	obj.SetHeader(&Header{Value: &Header_PublicKey{&PublicKey{
+		Value: dataPK,
+	}}})
+	obj.Sign(sessionkey)
+
+	t.Run("correct with good public key", func(t *testing.T) {
+		err = obj.Verify()
+		require.NoError(t, err)
+	})
+
 }
diff --git a/session/store_test.go b/session/store_test.go
index 1a9e9771..66f99d4a 100644
--- a/session/store_test.go
+++ b/session/store_test.go
@@ -31,20 +31,22 @@ func newTestClient(t *testing.T) *testClient {
 
 func signToken(t *testing.T, token *PToken, c *testClient) {
 	require.NotNil(t, token)
+	token.SetPublicKeys(&c.PublicKey)
 
 	signH, err := c.Sign(token.Header.PublicKey)
 	require.NoError(t, err)
 	require.NotNil(t, signH)
 
 	// data is not yet signed
-	require.False(t, token.Verify(&c.PublicKey))
+	keys := UnmarshalPublicKeys(&token.Token)
+	require.False(t, token.Verify(keys...))
 
 	signT, err := c.Sign(token.verificationData())
 	require.NoError(t, err)
 	require.NotNil(t, signT)
 
 	token.AddSignatures(signH, signT)
-	require.True(t, token.Verify(&c.PublicKey))
+	require.True(t, token.Verify(keys...))
 }
 
 func TestTokenStore(t *testing.T) {
diff --git a/session/types.go b/session/types.go
index aff7ccae..08abec8f 100644
--- a/session/types.go
+++ b/session/types.go
@@ -6,6 +6,7 @@ import (
 	"sync"
 
 	crypto "github.com/nspcc-dev/neofs-crypto"
+	"github.com/nspcc-dev/neofs-proto/chain"
 	"github.com/nspcc-dev/neofs-proto/internal"
 	"github.com/nspcc-dev/neofs-proto/refs"
 	"github.com/pkg/errors"
@@ -111,11 +112,24 @@ func (m *Token) Sign(key *ecdsa.PrivateKey) error {
 	return nil
 }
 
+// SetPublicKeys sets owner's public keys to the token
+func (m *Token) SetPublicKeys(keys... *ecdsa.PublicKey) {
+	m.PublicKeys = m.PublicKeys[:0]
+	for i := range keys {
+		m.PublicKeys = append(m.PublicKeys, crypto.MarshalPublicKey(keys[i]))
+	}
+}
+
 // Verify checks if token is correct and signed.
 func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool {
 	if m.FirstEpoch > m.LastEpoch {
 		return false
 	}
+	ownerFromKeys := chain.KeysToAddress(keys...)
+	if m.OwnerID.String() != ownerFromKeys {
+		return false
+	}
+
 	for i := range keys {
 		if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil {
 			return true
@@ -156,3 +170,12 @@ func (m *VerificationHeader) Verify(keys ...*ecdsa.PublicKey) bool {
 	}
 	return false
 }
+
+// UnmarshalPublicKeys returns unmarshal public keys from the token
+func UnmarshalPublicKeys(t *Token) []*ecdsa.PublicKey {
+	r := make([]*ecdsa.PublicKey, 0, len(t.PublicKeys))
+	for i := range t.PublicKeys {
+		r = append(r, crypto.UnmarshalPublicKey(t.PublicKeys[i]))
+	}
+	return r
+}
diff --git a/session/types.pb.go b/session/types.pb.go
index f5976129..5b2f5c4a 100644
--- a/session/types.pb.go
+++ b/session/types.pb.go
@@ -91,7 +91,9 @@ type Token struct {
 	// Signature is a token signature, signed by owner of manipulation object
 	Signature []byte `protobuf:"bytes,6,opt,name=Signature,proto3" json:"Signature,omitempty"`
 	// ID is a token identifier. valid UUIDv4 represented in bytes
-	ID                   TokenID  `protobuf:"bytes,7,opt,name=ID,proto3,customtype=TokenID" json:"ID"`
+	ID TokenID `protobuf:"bytes,7,opt,name=ID,proto3,customtype=TokenID" json:"ID"`
+	// PublicKeys associated with owner
+	PublicKeys           [][]byte `protobuf:"bytes,8,rep,name=PublicKeys,proto3" json:"PublicKeys,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -154,6 +156,13 @@ func (m *Token) GetSignature() []byte {
 	return nil
 }
 
+func (m *Token) GetPublicKeys() [][]byte {
+	if m != nil {
+		return m.PublicKeys
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*VerificationHeader)(nil), "session.VerificationHeader")
 	proto.RegisterType((*Token)(nil), "session.Token")
@@ -162,29 +171,30 @@ func init() {
 func init() { proto.RegisterFile("session/types.proto", fileDescriptor_c0d9d9cb855cdad8) }
 
 var fileDescriptor_c0d9d9cb855cdad8 = []byte{
-	// 344 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x64, 0x91, 0x4d, 0x4b, 0xc3, 0x30,
-	0x18, 0xc7, 0x97, 0xee, 0x4d, 0xe3, 0x40, 0x89, 0x97, 0xa2, 0xd2, 0x8d, 0x9d, 0x2a, 0xb8, 0x16,
-	0xf4, 0xe4, 0xc5, 0x43, 0xa9, 0x62, 0x99, 0x30, 0xa9, 0xb2, 0x83, 0xb7, 0x36, 0xcb, 0xba, 0xf8,
-	0x92, 0x94, 0x26, 0x55, 0xf6, 0x4d, 0xf6, 0x91, 0x76, 0xf4, 0x28, 0x1e, 0x86, 0xd4, 0x2f, 0x22,
-	0x4b, 0xbb, 0x75, 0xc3, 0xdb, 0xf3, 0xfc, 0xfe, 0xc9, 0xf3, 0xf2, 0x7f, 0xe0, 0xa1, 0x20, 0x42,
-	0x50, 0xce, 0x6c, 0x39, 0x8d, 0x89, 0xb0, 0xe2, 0x84, 0x4b, 0x8e, 0x9a, 0x05, 0x3c, 0xea, 0x45,
-	0x54, 0x4e, 0xd2, 0xd0, 0xc2, 0xfc, 0xcd, 0x8e, 0x78, 0xc4, 0x6d, 0xa5, 0x87, 0xe9, 0x58, 0x65,
-	0x2a, 0x51, 0x51, 0xfe, 0xaf, 0x3b, 0x84, 0x68, 0x48, 0x12, 0x3a, 0xa6, 0x38, 0x90, 0x94, 0xb3,
-	0x5b, 0x12, 0x8c, 0x48, 0x82, 0x4e, 0xe0, 0xee, 0x7d, 0x1a, 0xbe, 0x52, 0xdc, 0x27, 0x53, 0x1d,
-	0x74, 0x80, 0xd9, 0xf2, 0x4b, 0x80, 0xba, 0xb0, 0xd5, 0x27, 0xd3, 0x07, 0x1a, 0xb1, 0x40, 0xa6,
-	0x09, 0xd1, 0x35, 0xf5, 0x60, 0x8b, 0x75, 0x67, 0x1a, 0xac, 0x3f, 0xf2, 0x17, 0xc2, 0xd0, 0x25,
-	0x6c, 0xe4, 0x55, 0x55, 0xa1, 0xbd, 0xf3, 0x63, 0xab, 0x18, 0xd5, 0xfa, 0xdf, 0xd8, 0xa9, 0xcd,
-	0x17, 0xed, 0x8a, 0x5f, 0x7c, 0x40, 0xa7, 0xb0, 0x39, 0xf8, 0x60, 0x24, 0xf1, 0xdc, 0xbc, 0x87,
-	0xb3, 0xbf, 0x94, 0xbf, 0x17, 0xed, 0x15, 0xf6, 0x57, 0x01, 0x32, 0x20, 0xbc, 0xa1, 0x89, 0x90,
-	0xd7, 0x31, 0xc7, 0x13, 0xbd, 0xda, 0x01, 0x66, 0xcd, 0xdf, 0x20, 0xcb, 0x8d, 0xee, 0x82, 0x95,
-	0x5c, 0x53, 0x72, 0x09, 0xd0, 0x19, 0xdc, 0x19, 0x84, 0xcf, 0x04, 0x4b, 0xcf, 0xd5, 0xeb, 0x9d,
-	0xaa, 0xd9, 0x72, 0x0e, 0x8a, 0x4e, 0x6b, 0xee, 0xaf, 0xa3, 0x65, 0xad, 0x72, 0xf9, 0x46, 0xee,
-	0xce, 0x1a, 0xa0, 0x36, 0xd4, 0x3c, 0x57, 0x6f, 0x6e, 0xcf, 0xab, 0xac, 0xf0, 0x5c, 0x5f, 0xf3,
-	0x5c, 0xe7, 0x6a, 0x9e, 0x19, 0xe0, 0x33, 0x33, 0xc0, 0x57, 0x66, 0x80, 0x9f, 0xcc, 0x00, 0xb3,
-	0x5f, 0xa3, 0xf2, 0x64, 0x6e, 0xdc, 0x8d, 0x89, 0x18, 0xe3, 0xde, 0x88, 0xbc, 0xdb, 0x8c, 0xf0,
-	0xb1, 0xe8, 0xe5, 0x57, 0x2b, 0x6c, 0x0b, 0x1b, 0x2a, 0xbd, 0xf8, 0x0b, 0x00, 0x00, 0xff, 0xff,
-	0xc6, 0x87, 0x25, 0xf9, 0x08, 0x02, 0x00, 0x00,
+	// 358 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x64, 0x91, 0xcd, 0x4e, 0xe3, 0x30,
+	0x14, 0x85, 0x9b, 0xf4, 0x77, 0x3c, 0x95, 0x66, 0xe4, 0xd9, 0x44, 0x03, 0x4a, 0xab, 0xae, 0x82,
+	0x44, 0x13, 0x09, 0x56, 0x6c, 0x58, 0x44, 0x01, 0x11, 0x15, 0xa9, 0xc8, 0xa0, 0x2e, 0xd8, 0x25,
+	0xae, 0x9b, 0x9a, 0x1f, 0x3b, 0x8a, 0x1d, 0x50, 0xdf, 0x84, 0x47, 0xe1, 0x11, 0xba, 0x64, 0x89,
+	0x58, 0x54, 0x28, 0xbc, 0x08, 0x8a, 0x93, 0xa6, 0xad, 0xd8, 0xdd, 0xfb, 0x1d, 0xfb, 0x9e, 0xeb,
+	0x63, 0xf0, 0x4f, 0x10, 0x21, 0x28, 0x67, 0x8e, 0x5c, 0xc4, 0x44, 0xd8, 0x71, 0xc2, 0x25, 0x87,
+	0xed, 0x12, 0xfe, 0x1f, 0x46, 0x54, 0xce, 0xd3, 0xd0, 0xc6, 0xfc, 0xd1, 0x89, 0x78, 0xc4, 0x1d,
+	0xa5, 0x87, 0xe9, 0x4c, 0x75, 0xaa, 0x51, 0x55, 0x71, 0x6f, 0x30, 0x01, 0x70, 0x42, 0x12, 0x3a,
+	0xa3, 0x38, 0x90, 0x94, 0xb3, 0x0b, 0x12, 0x4c, 0x49, 0x02, 0xf7, 0xc1, 0xaf, 0xab, 0x34, 0x7c,
+	0xa0, 0x78, 0x44, 0x16, 0x86, 0xd6, 0xd7, 0xac, 0x2e, 0xda, 0x00, 0x38, 0x00, 0xdd, 0x11, 0x59,
+	0x5c, 0xd3, 0x88, 0x05, 0x32, 0x4d, 0x88, 0xa1, 0xab, 0x03, 0x3b, 0x6c, 0xf0, 0xaa, 0x83, 0xe6,
+	0x0d, 0xbf, 0x27, 0x0c, 0x9e, 0x80, 0x56, 0x31, 0x55, 0x0d, 0xfa, 0x7d, 0xb4, 0x67, 0x97, 0xab,
+	0xda, 0x3f, 0x8d, 0xdd, 0xc6, 0x72, 0xd5, 0xab, 0xa1, 0xf2, 0x02, 0x3c, 0x00, 0xed, 0xf1, 0x33,
+	0x23, 0x89, 0xef, 0x15, 0x1e, 0xee, 0x9f, 0x5c, 0xfe, 0x58, 0xf5, 0xd6, 0x18, 0xad, 0x0b, 0x68,
+	0x02, 0x70, 0x4e, 0x13, 0x21, 0xcf, 0x62, 0x8e, 0xe7, 0x46, 0xbd, 0xaf, 0x59, 0x0d, 0xb4, 0x45,
+	0xf2, 0x17, 0x5d, 0x06, 0x6b, 0xb9, 0xa1, 0xe4, 0x0d, 0x80, 0x87, 0xa0, 0x33, 0x0e, 0xef, 0x08,
+	0x96, 0xbe, 0x67, 0x34, 0xfb, 0x75, 0xab, 0xeb, 0xfe, 0x2d, 0x9d, 0x2a, 0x8e, 0xaa, 0x2a, 0x9f,
+	0xb5, 0x79, 0x7c, 0xab, 0x48, 0xa7, 0x02, 0xb0, 0x07, 0x74, 0xdf, 0x33, 0xda, 0xbb, 0xfb, 0xaa,
+	0x28, 0x7c, 0x0f, 0xe9, 0xc5, 0xaa, 0x55, 0x96, 0xc2, 0xe8, 0xe4, 0x76, 0x68, 0x8b, 0xb8, 0xa7,
+	0xcb, 0xcc, 0xd4, 0xde, 0x32, 0x53, 0x7b, 0xcf, 0x4c, 0xed, 0x33, 0x33, 0xb5, 0x97, 0x2f, 0xb3,
+	0x76, 0x6b, 0x6d, 0xfd, 0x2b, 0x13, 0x31, 0xc6, 0xc3, 0x29, 0x79, 0x72, 0x18, 0xe1, 0x33, 0x31,
+	0x2c, 0x7e, 0xb5, 0x8c, 0x35, 0x6c, 0xa9, 0xf6, 0xf8, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xbe, 0x33,
+	0xae, 0xb5, 0x28, 0x02, 0x00, 0x00,
 }
 
 func (m *VerificationHeader) Marshal() (dAtA []byte, err error) {
@@ -252,6 +262,15 @@ func (m *Token) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.PublicKeys) > 0 {
+		for iNdEx := len(m.PublicKeys) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.PublicKeys[iNdEx])
+			copy(dAtA[i:], m.PublicKeys[iNdEx])
+			i = encodeVarintTypes(dAtA, i, uint64(len(m.PublicKeys[iNdEx])))
+			i--
+			dAtA[i] = 0x42
+		}
+	}
 	{
 		size := m.ID.Size()
 		i -= size
@@ -375,6 +394,12 @@ func (m *Token) Size() (n int) {
 	}
 	l = m.ID.Size()
 	n += 1 + l + sovTypes(uint64(l))
+	if len(m.PublicKeys) > 0 {
+		for _, b := range m.PublicKeys {
+			l = len(b)
+			n += 1 + l + sovTypes(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -744,6 +769,38 @@ func (m *Token) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PublicKeys", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PublicKeys = append(m.PublicKeys, make([]byte, postIndex-iNdEx))
+			copy(m.PublicKeys[len(m.PublicKeys)-1], dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipTypes(dAtA[iNdEx:])
diff --git a/session/types.proto b/session/types.proto
index 1ade791c..294928b5 100644
--- a/session/types.proto
+++ b/session/types.proto
@@ -29,4 +29,6 @@ message Token {
     bytes Signature = 6;
     // ID is a token identifier. valid UUIDv4 represented in bytes
     bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
+    // PublicKeys associated with owner
+    repeated bytes PublicKeys = 8;
 }