diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index d993c787e..d8a172c3d 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -8,15 +8,15 @@ class API::V2::BaseController < ApplicationController
 private
 def context
- # new token give administrateur_id
- if api_token.administrateur?
- { administrateur_id: api_token.administrateur_id, token: api_token.token }
+ # new token
+ if api_token.present?
+ { token: authorization_bearer_token, administrateur_id: api_token.administrateur.id }
 # web interface (/graphql) give current_administrateur
 elsif current_administrateur.present?
 { administrateur_id: current_administrateur.id }
 # old token
 else
- { token: api_token.token }
+ { token: authorization_bearer_token }
 end
 end
@@ -24,6 +24,19 @@ class API::V2::BaseController < ApplicationController
 authorization_bearer_token.present?
 end
+ def authenticate_administrateur_from_token
+ if api_token.present?
+ @current_user = api_token.administrateur.user
+ end
+ end
+
+ def api_token
+ if @api_token.nil?
+ @api_token = APIToken.find_and_verify(authorization_bearer_token) || false
+ end
+ @api_token
+ end
+
 def authorization_bearer_token
 @authorization_bearer_token ||= begin
 received_token = nil
@@ -33,17 +46,4 @@ class API::V2::BaseController < ApplicationController
 received_token
 end
 end
-
- def authenticate_administrateur_from_token
- if api_token.administrateur?
- administrateur = Administrateur.includes(:user).find_by(id: api_token.administrateur_id)
- if administrateur.valid_api_token?(api_token.token)
- @current_user = administrateur.user
- end
- end
- end
-
- def api_token
- @api_token ||= APIToken.new(authorization_bearer_token)
- end
 end
diff --git a/app/graphql/api/v2/context.rb b/app/graphql/api/v2/context.rb
index 26151a80e..431b877e9 100644
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
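Review bot: The `# old token` branch of `context` now forwards the raw `authorization_bearer_token` after `api_token` has just evaluated to `false` (the `find_and_verify` lookup missed), so the GraphQL context carries a string that this controller has not verified and depends on the consumer re-checking it; the two comments should say that rather than just `# new token` / `# old token`. Suggested: `# new token: already verified by APIToken.find_and_verify, expose it with its administrateur` and `# old token: NOT verified here; API::V2::Context must verify it against each demarche's administrateurs`. Since both token branches store the same bearer string under `:token`, it is also worth noting that `administrateur_id` in the first branch is informational once `:token` is set (the context.rb hunk in this commit checks `self[:token]` first).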
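Review bot: `api_token` deliberately caches a miss as `false` (the `@api_token.nil?` guard plus `|| false`) so `find_and_verify` runs at most once per request, but nothing says so and a later "simplification" to `@api_token ||=` would quietly re-run the lookup on every call; add `# nil = not looked up yet; a miss is cached as false so find_and_verify runs once per request`. In `authenticate_administrateur_from_token`, `api_token.administrateur.user` assumes the token's administrateur is always present — if a token can outlive its administrateur this raises instead of leaving `@current_user` unset, so either `api_token.administrateur&.user` or a comment pointing at the constraint that guarantees it, to be confirmed against the APIToken model. The hunk does not show how `find_and_verify` handles a blank `authorization_bearer_token`; if it is only reached behind the `authorization_bearer_token.present?` predicate shown above, a one-line comment stating that precondition would make the nil case explicit.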
@@ -23,15 +23,11 @@ class API::V2::Context < GraphQL::Query::Context
 # We are caching authorization logic because it is called for each node
 # of the requested graph and can be expensive. Context is reset per request so it is safe.
 self[:authorized] ||= Hash.new do |hash, demarche_id|
- # Compute the hash value dynamically when first requested
- authorized_administrateur = demarche.administrateurs.find do |administrateur|
- if self[:token]
- administrateur.valid_api_token?(self[:token])
- else
- administrateur.id == self[:administrateur_id]
- end
+ hash[demarche_id] = if self[:token]
+ APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
+ elsif self[:administrateur_id]
+ demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
 end
- hash[demarche_id] = authorized_administrateur.present?
 end
 self[:authorized][demarche.id]
diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index f7e21ec82..39c809b50 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@@ -1,7 +1,7 @@
 describe API::V2::GraphqlController do
 let(:admin) { create(:administrateur) }
- let(:token) { admin.renew_api_token }
- let(:legacy_token) { APIToken.new(token).token }
+ let(:token) { APIToken.generate(admin)[1] }
+ let(:legacy_token) { APIToken.send(:unpack, token)[:plain_token] }
 let(:procedure) { create(:procedure, :published, :for_individual, :with_service, administrateurs: [admin]) }
 let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure: procedure) }
 let(:dossier1) { create(:dossier, :en_construction, :with_individual, procedure: procedure, en_construction_at: 1.day.ago) }
@@ -108,6 +108,7 @@ describe API::V2::GraphqlController do
 before do
 request.env['HTTP_AUTHORIZATION'] = authorization_header
+ admin.api_tokens.first.update(version: 1)
 end
 it "returns the demarche" do
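Review bot: The new `hash[demarche_id] = if ... elsif ... end` stores `nil` in the per-demarche cache when the context has neither `:token` nor `:administrateur_id`, whereas the removed code always cached a boolean from `.present?`; any caller that compares against `false` or serialises the value will see the change, so add `else false` before the closing `end` (or wrap the whole expression in `.present?`). The token branch now re-verifies the bearer against `demarche.administrateurs` rather than merely checking that it exists, which is the right scoping check (a token valid for another administrateur is rejected for this demarche) and deserves a comment now that the old explanatory one was dropped: `# verify the token against THIS demarche's administrateurs, not just that it exists somewhere`. `demarche.administrateurs.map(&:id).include?(...)` materialises every administrateur to test one id; `demarche.administrateurs.exists?(id: self[:administrateur_id])` pushes that to the database, although whether the association is already loaded cannot be told from this hunk.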
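Review bot: `let(:legacy_token) { APIToken.send(:unpack, token)[:plain_token] }` reaches through visibility to an apparently private `unpack` to derive the legacy form, tying the spec to APIToken internals that a refactor will break without a clear message; the identical construction appears again in the stored-queries spec hunk below. Prefer a public helper on APIToken or a spec support method that returns the legacy form, or at minimum record the intent: `# unpack is private; only the plain token is needed to exercise the legacy-token path`.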
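Review bot: `admin.api_tokens.first.update(version: 1)` in the `before` block swallows a failed save, so if the version write is ever rejected the example silently runs against a current-version token and no longer covers the path it was added for; use `admin.api_tokens.first.update!(version: 1)`. The hunk does not say what `version: 1` means — presumably the legacy token format — so a comment such as `# downgrade to a version 1 (legacy) token so the old-token branch of BaseController#context is exercised` would make the setup self-explanatory. The enclosing `describe` block starts and ends outside the hunk.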
@@ -141,7 +142,7 @@ describe API::V2::GraphqlController do
 context "when the token is revoked" do
 before do
- admin.update(encrypted_token: nil)
+ admin.api_tokens.destroy_all
 end
 it {
diff --git a/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb b/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
index 674670b0e..cff2fabab 100644
--- a/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
@@ -1,7 +1,7 @@
 describe API::V2::GraphqlController do
 let(:admin) { create(:administrateur) }
- let(:token) { admin.renew_api_token }
- let(:legacy_token) { APIToken.new(token).token }
+ let(:token) { APIToken.generate(admin)[1] }
+ let(:legacy_token) { APIToken.send(:unpack, token)[:plain_token] }
 let(:procedure) { create(:procedure, :published, :for_individual, :with_service, administrateurs: [admin]) }
 let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure: procedure) }
 let(:dossier1) { create(:dossier, :en_construction, :with_individual, procedure: procedure, en_construction_at: 1.day.ago) }