diff --git a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LFSAuthCommand.java b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LFSAuthCommand.java
index 59502b800f..9f029f28c0 100644
--- a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LFSAuthCommand.java
+++ b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LFSAuthCommand.java
@@ -79,7 +79,7 @@ public class LFSAuthCommand implements CommandInterpreterFactory {
       Repository repository = repositoryContext.getRepository();
 
       String url = format(LFS_INFO_URL_PATTERN, baseUrl, repository.getNamespace(), repository.getName());
-      AccessToken accessToken = tokenFactory.getReadAccessToken(repository);
+      AccessToken accessToken = tokenFactory.createReadAccessToken(repository);
 
       return new ExpiringAction(url, accessToken);
     }
diff --git a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LfsAccessTokenFactory.java b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LfsAccessTokenFactory.java
index d7c7b70234..272d70fd6c 100644
--- a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LfsAccessTokenFactory.java
+++ b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/LfsAccessTokenFactory.java
@@ -18,14 +18,19 @@ public class LfsAccessTokenFactory {
     this.tokenBuilderFactory = tokenBuilderFactory;
   }
 
-  AccessToken getReadAccessToken(Repository repository) {
+  AccessToken createReadAccessToken(Repository repository) {
+    RepositoryPermissions.pull(repository).check();
+    RepositoryPermissions.read(repository).check();
     return createToken(
       Scope.valueOf(
         RepositoryPermissions.read(repository).asShiroString(),
         RepositoryPermissions.pull(repository).asShiroString()));
   }
 
-  AccessToken getWriteAccessToken(Repository repository) {
+  AccessToken createWriteAccessToken(Repository repository) {
+    RepositoryPermissions.read(repository).check();
+    RepositoryPermissions.pull(repository).check();
+    RepositoryPermissions.push(repository).check();
     return createToken(
       Scope.valueOf(
         RepositoryPermissions.read(repository).asShiroString(),
@@ -36,7 +41,7 @@ public class LfsAccessTokenFactory {
   private AccessToken createToken(Scope scope) {
     return tokenBuilderFactory
       .create()
-      .expiresIn(5, TimeUnit.MINUTES)
+      .expiresIn(1, TimeUnit.MINUTES)
       .scope(scope)
       .build();
   }
diff --git a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/ScmBlobLfsRepository.java b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/ScmBlobLfsRepository.java
index 2ce819e766..5d606379a1 100644
--- a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/ScmBlobLfsRepository.java
+++ b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/web/lfs/ScmBlobLfsRepository.java
@@ -54,7 +54,7 @@ public class ScmBlobLfsRepository implements LargeFileRepository {
   @Override
   public Response.Action getDownloadAction(AnyLongObjectId id) {
     if (accessToken == null) {
-      accessToken = tokenFactory.getReadAccessToken(repository);
+      accessToken = tokenFactory.createReadAccessToken(repository);
     }
     return getAction(id, accessToken);
   }
@@ -62,7 +62,7 @@ public class ScmBlobLfsRepository implements LargeFileRepository {
   @Override
   public Response.Action getUploadAction(AnyLongObjectId id, long size) {
     if (accessToken == null) {
-      accessToken = tokenFactory.getWriteAccessToken(repository);
+      accessToken = tokenFactory.createWriteAccessToken(repository);
     }
     return getAction(id, accessToken);
   }