diff --git a/lib/oauth3.js b/lib/oauth3.js
index 27d7220..fc3bc6f 100644
--- a/lib/oauth3.js
+++ b/lib/oauth3.js
@@ -188,11 +188,21 @@ function attachOauth3(req, res, next) {
 , url: 'https://oauth3.org/docs/errors#E_NOT_JWT'
 });
 }
+ if (!decoded.iss) {
+ return PromiseA.reject({
+ message: 'token missing iss'
+ , code: 'E_MISSING_ISS'
+ , url: 'https://oauth3.org/docs/errors#E_MISSING_ISS'
+ });
+ }
 var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
 req.oauth3.encodedToken = token;
 req.oauth3.token = decoded;
 req.oauth3.ppid = ppid;
+ req.oauth3.accountIdx = ppid+'@'+token.iss;
+ req.oauth3.accountHash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
+ req.oauth3.accountHash = req.oauth3.accountHash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, '');
 req.oauth3.rescope = function (sub) {
 // TODO: this function is supposed to convert PPIDs of different parties to some account