diff --git a/dev/tool/src/index.ts b/dev/tool/src/index.ts
index 5d2e7a55f2..74472c3248 100644
--- a/dev/tool/src/index.ts
+++ b/dev/tool/src/index.ts
@@ -15,7 +15,7 @@
 //
 
 import accountPlugin, {
-  assignWorkspace,
+  assignAccountToWs,
   confirmEmail,
   createAcc,
   createWorkspace as createWorkspaceRecord,
@@ -320,7 +320,7 @@ export function devTool (
           console.log('assigning to workspace', workspaceInfo, endpoint)
           const client = await createClient(endpoint, token)
           console.log('assigning to workspace connected', workspaceInfo, endpoint)
-          await assignWorkspace(
+          await assignAccountToWs(
             toolCtx,
             db,
             null,
@@ -1744,7 +1744,7 @@ export function devTool (
           version
         })
         await createAcc(toolCtx, db, null, email, '1234', '', '', true)
-        await assignWorkspace(toolCtx, db, null, email, ws, AccountRole.User)
+        await assignAccountToWs(toolCtx, db, null, email, ws, AccountRole.User)
         console.log('Workspace created in', new Date().getTime() - start.getTime(), 'ms')
         const token = generateToken(systemAccountEmail, wsid)
         const endpoint = await getTransactorEndpoint(token, 'external')
diff --git a/server/account/src/operations.ts b/server/account/src/operations.ts
index 2510d5927e..eb5358e907 100644
--- a/server/account/src/operations.ts
+++ b/server/account/src/operations.ts
@@ -544,7 +544,7 @@ export async function join (
   const invite = await getInvite(db, inviteId)
   const workspace = await checkInvite(ctx, invite, email)
   ctx.info(`join attempt:${email}, ${workspace.name}`)
-  const ws = await assignWorkspace(
+  const ws = await assignAccountToWs(
     ctx,
     db,
     branding,
@@ -679,7 +679,7 @@ export async function signUpJoin (
     last,
     invite?.emailMask === email || invite?.personId !== undefined || sesURL === undefined || sesURL === ''
   )
-  const ws = await assignWorkspace(
+  const ws = await assignAccountToWs(
     ctx,
     db,
     branding,
@@ -1213,7 +1213,7 @@ async function postCreateUserWorkspace (
     }
   )
   try {
-    await assignWorkspace(
+    await assignAccountToWs(
       ctx,
       db,
       branding,
@@ -1607,6 +1607,38 @@ export async function createMissingEmployee (
  * @public
  */
 export async function assignWorkspace (
+  ctx: MeasureContext,
+  db: AccountDB,
+  branding: Branding | null,
+  token: string,
+  _email: string,
+  workspaceId: string,
+  role: AccountRole,
+  personId?: Ref<Person>,
+  shouldReplaceAccount: boolean = false,
+  client?: Client,
+  personAccountId?: Ref<PersonAccount>
+): Promise<Workspace> {
+  const decodedToken = decodeToken(ctx, token)
+  if (decodedToken.extra?.service !== 'aibot') {
+    throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+  }
+
+  return await assignAccountToWs(
+    ctx,
+    db,
+    branding,
+    _email,
+    workspaceId,
+    role,
+    personId,
+    shouldReplaceAccount,
+    client,
+    personAccountId
+  )
+}
+
+export async function assignAccountToWs (
   ctx: MeasureContext,
   db: AccountDB,
   branding: Branding | null,
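Review bot: The new `assignWorkspace` wrapper authorizes the caller only by `decodedToken.extra?.service !== 'aibot'` and then forwards the caller-supplied `_email`, `workspaceId`, `role` and `shouldReplaceAccount` unchanged, so any holder of an aibot service token can assign any account to any workspace at any role. The only caller visible in this diff passes `aiBotAccountEmail` and `AccountRole.User`, so the wrapper could pin itself to that, e.g. `if (_email !== aiBotAccountEmail || role !== AccountRole.User) throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))`. That assumes `aiBotAccountEmail` can be imported into this file, which the hunk does not show. `assignAccountToWs` is exported and has no check of its own, so it is worth confirming that the RPC method table (not visible here) does not register it. The existing `@public` doc comment now sits on the wrapper, so `assignAccountToWs`, whose body continues outside the hunk, needs its own comment stating that it performs no authorization and is for internal callers only.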
@@ -2294,7 +2326,7 @@ export async function joinWithProvider (
         return result
       }
 
-      const wsRes = await assignWorkspace(
+      const wsRes = await assignAccountToWs(
         ctx,
         db,
         branding,
@@ -2318,7 +2350,7 @@ export async function joinWithProvider (
     }
     const newAccount = await createAcc(ctx, db, branding, email, null, first, last, true, true, extra)
     const token = generateToken(email, getWorkspaceId(''), getExtra(newAccount))
-    const ws = await assignWorkspace(
+    const ws = await assignAccountToWs(
       ctx,
       db,
       branding,
diff --git a/services/ai-bot/pod-ai-bot/src/account.ts b/services/ai-bot/pod-ai-bot/src/account.ts
index a162f6f766..04290b5f66 100644
--- a/services/ai-bot/pod-ai-bot/src/account.ts
+++ b/services/ai-bot/pod-ai-bot/src/account.ts
@@ -15,11 +15,13 @@
 
 import { LoginInfo, Workspace, WorkspaceLoginInfo } from '@hcengineering/account'
 import aiBot, { aiBotAccountEmail } from '@hcengineering/ai-bot'
-import { AccountRole } from '@hcengineering/core'
+import { AccountRole, systemAccountEmail } from '@hcengineering/core'
+import { generateToken } from '@hcengineering/server-token'
 
 import config from './config'
 
 export async function assignBotToWorkspace (workspace: string): Promise<Workspace> {
+  const token = generateToken(systemAccountEmail, { name: '-' }, { service: 'aibot' })
   const accountsUrl = config.AccountsURL
   const res = await (
     await fetch(accountsUrl, {
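Review bot: The token minted at the top of `assignBotToWorkspace` uses `systemAccountEmail` as its subject and a placeholder workspace `{ name: '-' }`, while the server-side check shown in this commit looks only at `extra.service`. If other endpoints treat a system-account token as privileged, this credential is broader than the one operation it is used for. Using the bot's own identity as the subject, `generateToken(aiBotAccountEmail, { name: '-' }, { service: 'aibot' })`, would keep it narrower, provided nothing downstream requires the system subject; that cannot be confirmed from the hunk. A short comment on the line should say what the token authorizes and why the workspace is a placeholder. The function body continues outside the hunk.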
@@ -29,7 +31,16 @@ export async function assignBotToWorkspace (workspace: string): Promise<Workspac
       },
       body: JSON.stringify({
         method: 'assignWorkspace',
-        params: [aiBotAccountEmail, workspace, AccountRole.User, undefined, false, undefined, aiBot.account.AIBot]
+        params: [
+          token,
+          aiBotAccountEmail,
+          workspace,
+          AccountRole.User,
+          undefined,
+          false,
+          undefined,
+          aiBot.account.AIBot
+        ]
       })
     })
   ).json()
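Review bot: The service token is now the first element of `params` in the JSON body, so any logging of RPC parameters on the account service or an intermediary would record a usable credential; confirm that such logs redact position 0 for `assignWorkspace`. The positional list is also hard to audit against the server signature, so name each slot in a trailing comment, e.g. `undefined, // personId`, `false, // shouldReplaceAccount`, `undefined, // client`. `JSON.stringify` serializes `undefined` array entries as `null`, so the server receives `null` for those slots rather than an omitted argument.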