diff --git a/services/search/pkg/command/server.go b/services/search/pkg/command/server.go index 9dc3f11100..ef38771ce0 100644 --- a/services/search/pkg/command/server.go +++ b/services/search/pkg/command/server.go @@ -33,7 +33,7 @@ func Server(cfg *config.Config) *cli.Command { if err != nil { return err } - err = ogrpc.Configure(ogrpc.GetClientOptions(cfg.GRPCClientTLS)...) + err = ogrpc.Configure(append(ogrpc.GetClientOptions(cfg.GRPCClientTLS), ogrpc.WithTraceProvider(tracing.TraceProvider))...) if err != nil { return err } @@ -56,6 +56,7 @@ func Server(cfg *config.Config) *cli.Command { grpc.Name(cfg.Service.Name), grpc.Context(ctx), grpc.Metrics(mtrcs), + grpc.JWTSecret(cfg.Commons.TokenManager.JWTSecret), ) defer teardown() if err != nil { diff --git a/services/search/pkg/config/config.go b/services/search/pkg/config/config.go index 5e0363846e..ab164fe0c7 100644 --- a/services/search/pkg/config/config.go +++ b/services/search/pkg/config/config.go @@ -18,6 +18,8 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` + TokenManager *TokenManager `yaml:"token_manager"` + Reva *shared.Reva `yaml:"reva"` GRPCClientTLS *shared.GRPCClientTLS `yaml:"grpc_client_tls"` Events Events `yaml:"events"` diff --git a/services/search/pkg/config/defaults/defaultconfig.go b/services/search/pkg/config/defaults/defaultconfig.go index 5519dbb31b..50fe01b12c 100644 --- a/services/search/pkg/config/defaults/defaultconfig.go +++ b/services/search/pkg/config/defaults/defaultconfig.go 
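Review bot: In the second server.go hunk, `grpc.JWTSecret(cfg.Commons.TokenManager.JWTSecret)` reads the secret from the shared commons block instead of the service's own `cfg.TokenManager`, which this same commit adds and fills in EnsureDefaults. A value supplied through `SEARCH_JWT_SECRET` or the `token_manager` YAML key would therefore be ignored. The expression also dereferences `cfg.Commons` and `cfg.Commons.TokenManager` without the nil checks that EnsureDefaults applies to them, so a config without a commons block would panic at startup. Using `grpc.JWTSecret(cfg.TokenManager.JWTSecret),` fixes both. The body of Server continues outside the hunk.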
@@ -83,6 +83,14 @@ func EnsureDefaults(cfg *config.Config) { cfg.Tracing = &config.Tracing{} } + if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { + cfg.TokenManager = &config.TokenManager{ + JWTSecret: cfg.Commons.TokenManager.JWTSecret, + } + } else if cfg.TokenManager == nil { + cfg.TokenManager = &config.TokenManager{} + } + if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey } diff --git a/services/search/pkg/config/reva.go b/services/search/pkg/config/reva.go index 773424a28f..95025f4772 100644 --- a/services/search/pkg/config/reva.go +++ b/services/search/pkg/config/reva.go @@ -4,3 +4,8 @@ package config type Reva struct { Address string `ocisConfig:"address" env:"OCIS_REVA_GATEWAY;REVA_GATEWAY" desc:"The CS3 gateway endpoint." deprecationVersion:"3.0" removalVersion:"4.0.0" deprecationInfo:"REVA_GATEWAY changing name for consistency" deprecationReplacement:"OCIS_REVA_GATEWAY"` } + +// TokenManager is the config for using the reva token manager +type TokenManager struct { + JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;SEARCH_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` +} diff --git a/services/search/pkg/search/service.go b/services/search/pkg/search/service.go index 60ce7b8c73..fd39dea05f 100644 --- a/services/search/pkg/search/service.go +++ b/services/search/pkg/search/service.go @@ -12,6 +12,7 @@ import ( user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" + revactx "github.com/cs3org/reva/v2/pkg/ctx" "github.com/cs3org/reva/v2/pkg/errtypes" "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" sdk "github.com/cs3org/reva/v2/pkg/sdk/common" 
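Review bot: The `else if cfg.TokenManager == nil` branch in EnsureDefaults installs a `config.TokenManager{}` with an empty `JWTSecret`, and nothing in the visible diff rejects an empty secret before NewHandler passes it to `jwt.New`. If the service's config validation (not shown here) does not already cover it, it should fail startup with a message naming the missing `jwt_secret` / `SEARCH_JWT_SECRET` setting rather than relying on whatever the token manager does with an empty string. Note also that the fallback only triggers when the pointer is nil, unlike the `MachineAuthAPIKey == ""` check just below it. A `token_manager:` key present in YAML without a secret will therefore not inherit the commons value.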
@@ -81,8 +82,14 @@ func (s *Service) Search(ctx context.Context, req *searchsvc.SearchRequest) (*se return nil, err } + currentUser := revactx.ContextMustGetUser(ctx) + listSpacesRes, err := gatewayClient.ListStorageSpaces(ctx, &provider.ListStorageSpacesRequest{ Filters: []*provider.ListStorageSpacesRequest_Filter{ + { + Type: provider.ListStorageSpacesRequest_Filter_TYPE_USER, + Term: &provider.ListStorageSpacesRequest_Filter_User{User: currentUser.GetId()}, + }, { Type: provider.ListStorageSpacesRequest_Filter_TYPE_SPACE_TYPE, Term: &provider.ListStorageSpacesRequest_Filter_SpaceType{SpaceType: "+grant"}, diff --git a/services/search/pkg/search/service_test.go b/services/search/pkg/search/service_test.go index b6b0eb2c24..50600ecff3 100644 --- a/services/search/pkg/search/service_test.go +++ b/services/search/pkg/search/service_test.go @@ -7,6 +7,7 @@ import ( userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" sprovider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" + revactx "github.com/cs3org/reva/v2/pkg/ctx" "github.com/cs3org/reva/v2/pkg/rgrpc/status" "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" cs3mocks "github.com/cs3org/reva/v2/tests/cs3mocks/mocks" @@ -83,7 +84,7 @@ var _ = Describe("Searchprovider", func() { }, ) - ctx = context.Background() + ctx = revactx.ContextSetUser(context.Background(), user) indexClient = &engineMocks.Engine{} extractor = &contentMocks.Extractor{} diff --git a/services/search/pkg/server/grpc/option.go b/services/search/pkg/server/grpc/option.go index 577a862d6a..a0fbe5d2f8 100644 --- a/services/search/pkg/server/grpc/option.go +++ b/services/search/pkg/server/grpc/option.go 
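Review bot: `revactx.ContextMustGetUser(ctx)` in Search panics when the context carries no user, so any caller that reaches this method without the gRPC handler having set one takes down the request path (or the process, if nothing recovers) instead of getting an error. The non-panicking accessor, already used elsewhere in this service, fits better here: `currentUser, ok := revactx.ContextGetUser(ctx)` followed by `if !ok { return nil, errtypes.PermissionDenied("search: no user in context") }`. The test change in service_test.go only covers the case where a user is present, so a case for the missing-user path would be worth adding. Search's body continues outside the hunk.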
@@ -15,13 +15,14 @@ type Option func(o *Options) // Options defines the available options for this package. type Options struct { - Name string - Logger log.Logger - Context context.Context - Config *config.Config - Metrics *metrics.Metrics - Flags []cli.Flag - Handler *svc.Service + Name string + Logger log.Logger + Context context.Context + Config *config.Config + Metrics *metrics.Metrics + Flags []cli.Flag + Handler *svc.Service + JWTSecret string } // newOptions initializes the available default options. @@ -83,3 +84,10 @@ func Handler(val *svc.Service) Option { o.Handler = val } } + +// JWTSecret provides a function to set the Config option. +func JWTSecret(val string) Option { + return func(o *Options) { + o.JWTSecret = val + } +} diff --git a/services/search/pkg/server/grpc/server.go b/services/search/pkg/server/grpc/server.go index da3c14f197..19d53ea6ff 100644 --- a/services/search/pkg/server/grpc/server.go +++ b/services/search/pkg/server/grpc/server.go @@ -33,6 +33,7 @@ func Server(opts ...Option) (grpc.Service, func(), error) { handle, teardown, err := svc.NewHandler( svc.Config(options.Config), svc.Logger(options.Logger), + svc.JWTSecret(options.JWTSecret), ) if err != nil { options.Logger.Error(). diff --git a/services/search/pkg/service/grpc/v0/option.go b/services/search/pkg/service/grpc/v0/option.go index 9f1a7d19eb..72014b8e45 100644 --- a/services/search/pkg/service/grpc/v0/option.go +++ b/services/search/pkg/service/grpc/v0/option.go @@ -10,8 +10,9 @@ type Option func(o *Options) // Options defines the available options for this package. type Options struct { - Logger log.Logger - Config *config.Config + Logger log.Logger + Config *config.Config + JWTSecret string } func newOptions(opts ...Option) Options { @@ -37,3 +38,10 @@ func Config(val *config.Config) Option { o.Config = val } } + +// JWTSecret provides a function to set the Config option. +func JWTSecret(val string) Option { + return func(o *Options) { + o.JWTSecret = val + } +} 
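Review bot: The doc comment on the new `JWTSecret` option in server/grpc/option.go was copied from the Config option and still says it sets the Config option. The identical comment appears on `JWTSecret` in service/grpc/v0/option.go. Both should read `// JWTSecret provides a function to set the JWTSecret option.` Since both `Options` structs now hold the signing secret as a plain string, a short field comment such as `// JWTSecret is the token signing secret; never log Options with %+v` would help keep it out of debug output.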
diff --git a/services/search/pkg/service/grpc/v0/service.go b/services/search/pkg/service/grpc/v0/service.go index 1cb9e89c9d..5d8d7ea118 100644 --- a/services/search/pkg/service/grpc/v0/service.go +++ b/services/search/pkg/service/grpc/v0/service.go @@ -15,6 +15,8 @@ import ( "github.com/cs3org/reva/v2/pkg/errtypes" "github.com/cs3org/reva/v2/pkg/events/stream" "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" + "github.com/cs3org/reva/v2/pkg/token" + "github.com/cs3org/reva/v2/pkg/token/manager/jwt" "github.com/go-micro/plugins/v4/events/natsjs" "github.com/jellydator/ttlcache/v2" ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto" @@ -119,20 +121,30 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, func(), error) return nil, teardown, err } + tokenManager, err := jwt.New(map[string]interface{}{ + "secret": options.JWTSecret, + "expires": int64(24 * 60 * 60), + }) + if err != nil { + return nil, teardown, err + } + return &Service{ - id: cfg.GRPC.Namespace + "." + cfg.Service.Name, - log: logger, - searcher: ss, - cache: cache, + id: cfg.GRPC.Namespace + "." + cfg.Service.Name, + log: logger, + searcher: ss, + cache: cache, + tokenManager: tokenManager, }, teardown, nil } // Service implements the searchServiceHandler interface type Service struct { - id string - log log.Logger - searcher search.Searcher - cache *ttlcache.Cache + id string + log log.Logger + searcher search.Searcher + cache *ttlcache.Cache + tokenManager token.Manager } // Search handles the search @@ -145,7 +157,13 @@ func (s Service) Search(ctx context.Context, in *searchsvc.SearchRequest, out *s } ctx = grpcmetadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, t) - u, _ := revactx.ContextGetUser(ctx) + // unpack user + u, _, err := s.tokenManager.DismantleToken(ctx, t) + if err != nil { + return err + } + ctx = revactx.ContextSetUser(ctx, u) + key := cacheKey(in.Query, in.PageSize, in.Ref, u) res, ok := s.FromCache(key) if !ok {
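Review bot: The `"expires": int64(24 * 60 * 60)` entry passed to `jwt.New` in NewHandler is an unexplained literal. The only use of the manager visible in this diff is `DismantleToken` in Search, so the value presumably matters only if this service ever mints tokens. If so, a comment on that line would say it, for example `// expiry is only used when minting; this service only validates tokens`, and a named constant would make the unit (seconds) explicit. NewHandler starts outside the hunk.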
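Review bot: In Search, `u, _, err := s.tokenManager.DismantleToken(ctx, t)` discards the second return value, which in reva's token manager is the scope the token was issued with. The handler then sets `u` on the context and searches as that user, so a token minted with a restricted scope appears to be treated the same as an unrestricted one. If scoped tokens can reach this service, the scope should be checked here before `revactx.ContextSetUser`. If they cannot, a comment stating that assumption belongs on this line. Separately, `return err` hands the raw token-manager error to the caller; mapping it to the unauthenticated error form the rest of this handler uses would give clients a proper auth failure. Search's body continues outside the hunk.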