diff --git a/pkg/server/api/generic-handlers.go b/pkg/server/api/generic-handlers.go
index 90c7a115f..db3a778f4 100644
--- a/pkg/server/api/generic-handlers.go
+++ b/pkg/server/api/generic-handlers.go
@@ -142,11 +142,14 @@ func (h validateAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		// Access key not found
-		if _, ok := authConfig.Users[accessKeyID]; !ok {
-			writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)
-			return
+		for _, user := range authConfig.Users {
+			if user.AccessKeyID == accessKeyID {
+				h.handler.ServeHTTP(w, r)
+				return
+			}
 		}
-		h.handler.ServeHTTP(w, r)
+		writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)
+		return
 	default:
 		// control reaches here, we should just send the request up the stack - internally
 		// individual calls will validate themselves against un-authenticated requests
diff --git a/pkg/server/api/signature.go b/pkg/server/api/signature.go
index 61ed8004d..2e28700e9 100644
--- a/pkg/server/api/signature.go
+++ b/pkg/server/api/signature.go
@@ -79,14 +79,16 @@ func InitSignatureV4(req *http.Request) (*donut.Signature, *probe.Error) {
 	if err != nil {
 		return nil, err.Trace()
 	}
-	if _, ok := authConfig.Users[accessKeyID]; !ok {
-		return nil, probe.NewError(errors.New("AccessID not found"))
-	}
-	signature := &donut.Signature{
-		AccessKeyID:     authConfig.Users[accessKeyID].AccessKeyID,
-		SecretAccessKey: authConfig.Users[accessKeyID].SecretAccessKey,
-		AuthHeader:      ah,
-		Request:         req,
+	for _, user := range authConfig.Users {
+		if user.AccessKeyID == accessKeyID {
+			signature := &donut.Signature{
+				AccessKeyID:     user.AccessKeyID,
+				SecretAccessKey: user.SecretAccessKey,
+				AuthHeader:      ah,
+				Request:         req,
+			}
+			return signature, nil
+		}
 	}
-	return signature, nil
+	return nil, probe.NewError(errors.New("AccessID not found"))
 }