diff --git a/auth/registry_jwt_auth.py b/auth/registry_jwt_auth.py
index ca9f71cd1..9145dc1c0 100644
--- a/auth/registry_jwt_auth.py
+++ b/auth/registry_jwt_auth.py
@@ -95,7 +95,11 @@ def get_granted_entity():
 return GrantedEntity(user=user)
 if kind == 'token':
- return GrantedEntity(token=context.get('token'))
+ token = model.token.load_token_data(context.get('token'))
+ if not token:
+ return None
+
+ return GrantedEntity(token=token)
 if kind == 'oauth':
 user = model.user.get_user(context.get('user', ''))
@@ -142,7 +146,7 @@ def build_context_and_subject(user, token, oauthtoken):
 if token:
 context = {
 'kind': 'token',
- 'token': token,
+ 'token': token.code,
 }
 return (context, None)
diff --git a/test/registry_tests.py b/test/registry_tests.py
index 6ad43d140..a4d1cc517 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -12,6 +12,7 @@ from flask.ext.testing import LiveServerTestCase
 from app import app
 from data.database import close_db_filter, configure
+from data import model
 from endpoints.v1 import v1_bp
 from endpoints.v2 import v2_bp
 from endpoints.verbs import verbs
@@ -66,6 +67,14 @@ def set_feature(feature_name):
 features._FEATURES[feature_name].value = request.get_json()['value']
 return jsonify({'old_value': old_value})
+@testbp.route('/addtoken', methods=['POST'])
+def addtoken():
+ another_token = model.token.create_delegate_token('devtable', 'newrepo', 'my-new-token', 'write')
+ another_token.code = 'somecooltokencode'
+ another_token.save()
+ return 'OK'
+
+
 @testbp.route('/reloadapp', methods=['POST'])
 def reload_app():
 # Close any existing connection.
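Review bot: In the first hunk of auth/registry_jwt_auth.py (get_granted_entity), the `if not token: return None` guard only works if `model.token.load_token_data` returns a falsy value for an unknown or deleted code. Its definition is not part of this diff; if it raises instead, a JWT that outlives its delegate token would surface as an unhandled exception rather than a denied request, so the lookup may need a `try`/`except` around it. `context.get('token')` can also be None when the claim is absent, which is worth rejecting before the lookup with `code = context.get('token')` and `if not code: return None`. A comment such as `# Re-load the token so a deleted delegate token is not honoured for the rest of the JWT's lifetime` would record why the lookup happens here. The function starts and ends outside the hunk.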
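Review bot: In the second hunk of auth/registry_jwt_auth.py (build_context_and_subject), `'token': token.code` writes the delegate token's code into the JWT context, and the new test passes that same value as the password to `do_pull`, so it appears to be the credential itself. A JWT payload is signed but usually not encrypted (whether this one is cannot be seen here), so the code would be readable wherever the bearer token is stored or logged, and it stays valid after the JWT expires. If the token model offers a non-secret identifier, carrying that in the context and resolving it in get_granted_entity would keep the secret out of the payload. Otherwise a comment on this line saying that the context carries a secret would help whoever next touches logging of these tokens.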
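Review bot: In the `addtoken` route added to test/registry_tests.py, the fixed code `'somecooltokencode'` is repeated as a literal in test_push_pull_logging_bytoken, so a module-level constant shared by both would keep them in sync. The token is created with the `'write'` role although the only test using it performs a pull; the narrowest role that lets the pull succeed would make the test state what access it needs. A docstring saying that the route mints a delegate token with a known code for the token-pull test, and is meant to be called once per test database, would cover the rest.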
@@ -597,6 +606,25 @@ class RegistryTestsMixin(object):
 self.assertEquals('buynlarge+ownerbot', logs[0]['performer']['name'])
+ def test_push_pull_logging_bytoken(self):
+ # Push the repository.
+ self.do_push('devtable', 'newrepo', 'devtable', 'password')
+
+ # Add a token.
+ self.conduct('POST', '/__test/addtoken')
+
+ # Pull the repository.
+ self.do_pull('devtable', 'newrepo', '$token', 'somecooltokencode')
+
+ # Retrieve the logs and ensure the pull was added.
+ self.conduct_api_login('devtable', 'password')
+ result = self.conduct('GET', '/api/v1/repository/devtable/newrepo/logs')
+ logs = result.json()['logs']
+
+ self.assertEquals('pull_repo', logs[0]['kind'])
+ self.assertEquals('my-new-token', logs[0]['metadata']['token'])
+
+
 def test_push_pull_logging_byoauth(self):
 # Push the repository.
 self.do_push('devtable', 'newrepo', 'devtable', 'password')
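Review bot: test_push_pull_logging_bytoken covers only the successful pull, so the branch this commit adds in get_granted_entity (`if not token: return None`) is never exercised. A companion test that authenticates with the delegate token, deletes the token, and then asserts that the next registry request is refused would pin the behaviour the auth change exists for. Whether `do_pull` can assert a failure status is not visible in this hunk. The assertions on `logs[0]` assume the logs endpoint returns the newest entry first, which matches the neighbouring tests but deserves a short comment.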