diff --git a/ChangeLog b/ChangeLog
index 1398623..b347d46 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,6 @@ Version 4.2.1.1 'Monza':
 - oAuth security implementation:
 TODO:
- - access-token must be cached and included only in ALLOCATE and REFRESH;
 - token timeout;
 - kid timeout;
 - TLS renegotiation DoS attack prevention implemented;
diff --git a/src/apps/uclient/session.h b/src/apps/uclient/session.h
index b7f98e2..7c078e5 100644
--- a/src/apps/uclient/session.h
+++ b/src/apps/uclient/session.h
@@ -83,6 +83,8 @@ typedef struct {
 /* oAuth */
 int oauth;
 u08bits server_name[STUN_MAX_SERVER_NAME_SIZE+1];
+ hmackey_t key;
+ int key_set;
 /* RFC 6062 */
 app_tcp_conn_info **tcp_conn;
 size_t tcp_conn_number;
diff --git a/src/apps/uclient/uclient.c b/src/apps/uclient/uclient.c
index 889e182..0413285 100644
--- a/src/apps/uclient/uclient.c
+++ b/src/apps/uclient/uclient.c
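Review bot: The two fields added to the session struct carry no comment, and `key` is HMAC key material that now persists for the whole connection instead of living in a stack temporary as before. Suggest documenting the pair as `hmackey_t key; /* MAC key taken from the last oAuth access token sent; meaningful only while key_set != 0 */` and `int key_set; /* non-zero once key has been filled from a token */`. Because `key` is a secret that outlives the request, the connection teardown path (outside this hunk) should clear it with an explicit-wipe helper rather than leave it in freed or reused memory.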
@@ -1432,20 +1432,28 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
 } else if(clnet_info->nonce[0]) {
 if(oauth && clnet_info->oauth) {
- encoded_oauth_token etoken;
- u08bits nonce[12];
- RAND_bytes((unsigned char*)nonce,12);
- if(encode_oauth_token(clnet_info->server_name, &etoken, &okey, &otoken, nonce)<0) {
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
- return -1;
- }
- stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
+
+ u16bits method = stun_get_method_str(message->buf, message->len);
+
+ if(((method == STUN_METHOD_ALLOCATE) || (method == STUN_METHOD_REFRESH)) || !(clnet_info->key_set))
+ {
+
+ encoded_oauth_token etoken;
+ u08bits nonce[12];
+ RAND_bytes((unsigned char*)nonce,12);
+ if(encode_oauth_token(clnet_info->server_name, &etoken, &okey, &otoken, nonce)<0) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
+ return -1;
+ }
+ stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
 (const u08bits*)etoken.token, (int)etoken.size);
- hmackey_t key;
- ns_bcopy(otoken.enc_block.mac_key,key,otoken.enc_block.key_length);
+ ns_bcopy(otoken.enc_block.mac_key,clnet_info->key,otoken.enc_block.key_length);
+ clnet_info->key_set = 1;
+ }
+
 if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey.kid,
- clnet_info->realm, key, clnet_info->nonce, clnet_info->shatype)<0) {
+ clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
 return -1;
 }
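Review bot: `ns_bcopy(otoken.enc_block.mac_key,clnet_info->key,otoken.enc_block.key_length)` copies a length taken from the token block into the fixed-size `hmackey_t key` field with no bound against the destination, and now that `key` sits inside `clnet_info` an over-long `key_length` would run into `key_set` and whatever follows it; add `if(otoken.enc_block.key_length > sizeof(clnet_info->key)) return -1;` before the copy. The cache also has no invalidation on the client side: `key_set` is raised here but never cleared, and the non-ALLOCATE/REFRESH path signs with `okey.kid` (presumably global, declared outside the hunk) while the cached key came from whatever token was encoded at the last ALLOCATE/REFRESH, so if kid or token rotate independently the two drift apart — worth a `clnet_info->key_set = 0;` wherever the token or kid is replaced. Stylistically the `{` on its own line after the new `if` and the blank `+` lines differ from the K&R layout the rest of add_integrity uses, and the double parentheses around the two method comparisons add nothing. add_integrity continues outside the hunk.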
@@ -1454,7 +1462,7 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
 {
 st_password_t pwd;
 if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
- message->buf, (size_t)(message->len), key, pwd, clnet_info->shatype, NULL)<1) {
+ message->buf, (size_t)(message->len), clnet_info->key, pwd, clnet_info->shatype, NULL)<1) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n");
 return -1;
 }
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index de697a9..aa1515e 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -3262,6 +3262,7 @@ static int check_stun_auth(turn_turnserver *server,
 if(ss->username[0]) {
 if(strcmp((char*)ss->username,(char*)usname)) {
 if(ss->oauth) {
+ ss->hmackey_set = 0;
 STRCPY(ss->username,usname);
 set_username_hash(ss->client_socket,ss->username,(u08bits*)ss->realm_options.name);
 } else {
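Review bot: `ss->hmackey_set = 0;` drops the server's cached-key flag only on the username-change path, so a client that keeps the same username but presents a new access token (the ALLOCATE/REFRESH case the client side now exercises) relies on code outside this hunk to replace the cached key rather than keep signing-verification on the old one — confirm that path re-derives the key. The previously cached key bytes are also left in place when the flag is cleared; wiping them together with the flag keeps stale key material from lingering in the session for as long as the connection lives. A short comment such as `/* new user on this session: force the MAC key to be re-derived from the next token */` would explain why the reset lives in the oauth branch only. check_stun_auth continues outside the hunk.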