diff --git a/lib/cartodb/server_options.js b/lib/cartodb/server_options.js
index 4d94cfa6..f32d0835 100644
--- a/lib/cartodb/server_options.js
+++ b/lib/cartodb/server_options.js
@@ -707,6 +707,8 @@ module.exports = function(){
         _.each(bad_query, function(key){ delete req.query[key]; });
         req.params =  _.extend({}, req.params); // shuffle things as request is a strange array/object
 
+        var user = me.userByReq(req);
+
         if ( req.params.token ) {
           //console.log("Request parameters include token " + req.params.token);
           var tksplit = req.params.token.split(':');
@@ -715,7 +717,7 @@ module.exports = function(){
           tksplit = req.params.token.split('@');
           if ( tksplit.length > 1 ) {
             req.params.signer = tksplit.shift();
-            if ( ! req.params.signer ) req.params.signer = this.userByReq(req);
+            if ( ! req.params.signer ) req.params.signer = user;
             if ( tksplit.length > 1 ) {
               var template_hash = tksplit.shift(); // unused
             }
@@ -734,8 +736,6 @@ module.exports = function(){
 
         if (req.profiler) req.profiler.done('req2params.setup');
 
-        var user = me.userByReq(req);
-
         Step(
             function getPrivacy(){
                 me.authorize(req, this);