diff --git a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyRealm.java b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyRealm.java
index 449c8113a0..859df41d3e 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyRealm.java
@@ -46,7 +46,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 @Extension
 public class ApiKeyRealm extends AuthenticatingRealm {
 
-  public static final String API_TOKEN_REALM_NAME = "ApiTokenRealm";
+  public static final String NAME = "ApiTokenRealm";
 
   private static final Logger LOG = LoggerFactory.getLogger(ApiKeyRealm.class);
 
@@ -57,7 +57,7 @@ public class ApiKeyRealm extends AuthenticatingRealm {
   @Inject
   public ApiKeyRealm(ApiKeyService apiKeyService, DAORealmHelperFactory helperFactory, RepositoryRoleManager repositoryRoleManager) {
     this.apiKeyService = apiKeyService;
-    this.helper = helperFactory.create(API_TOKEN_REALM_NAME);
+    this.helper = helperFactory.create(NAME);
     this.repositoryRoleManager = repositoryRoleManager;
     setAuthenticationTokenClass(BearerToken.class);
     setCredentialsMatcher(new AllowAllCredentialsMatcher());
diff --git a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java
index e9ef62edf5..5221142fc0 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java
@@ -33,7 +33,6 @@ import io.jsonwebtoken.SignatureAlgorithm;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.subject.Subject;
-import org.apache.shiro.util.ThreadContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -156,7 +155,7 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
 
   @Override
   public JwtAccessToken build() {
-    if (ThreadContext.getSubject().getPrincipals().getRealmNames().contains(ApiKeyRealm.API_TOKEN_REALM_NAME)) {
+    if (SecurityUtils.getSubject().getPrincipals().getRealmNames().contains(ApiKeyRealm.NAME)) {
       throw new AuthorizationException("Cannot create access token for api keys");
     }
     String id = keyGenerator.createKey();