diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 23344c9fb..7a0b38872 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -10,10 +10,11 @@ from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import status
 from rest_framework.decorators import action
-from rest_framework.exceptions import PermissionDenied
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.request import Request
 from rest_framework.response import Response
 
+from accounts.const import AliasAccount
 from common.api import JMSModelViewSet
 from common.exceptions import JMSException
 from common.utils import random_string, get_logger, get_request_ip
@@ -282,13 +283,17 @@ class ConnectionTokenViewSet(ExtraActionApiMixin, RootOrgViewMixin, JMSModelView
         data['org_id'] = asset.org_id
         data['user'] = user
         data['value'] = random_string(16)
+
+        if account_name == AliasAccount.ANON and asset.category not in ['web', 'custom']:
+            raise ValidationError(_('Anonymous account is not supported for this asset'))
+
         account = self._validate_perm(user, asset, account_name)
         if account.has_secret:
             data['input_secret'] = ''
-        if account.username != '@INPUT':
+        if account.username != AliasAccount.INPUT:
             data['input_username'] = ''
-        if account.username == '@USER':
+        elif account.username == AliasAccount.USER:
             data['input_username'] = user.username
 
         ticket = self._validate_acl(user, asset, account)
diff --git a/apps/authentication/models/connection_token.py b/apps/authentication/models/connection_token.py
index 503489b90..3375df145 100644
--- a/apps/authentication/models/connection_token.py
+++ b/apps/authentication/models/connection_token.py
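Review bot: The new `elif` makes the `@USER` branch unreachable: the `elif` is only evaluated when `account.username != AliasAccount.INPUT` is false, i.e. when the username is `@INPUT`, so `account.username == AliasAccount.USER` can never hold there, and a `@USER` account now ends with `data['input_username'] = ''` where the old pair of independent `if`s ended with `user.username`. Test the specific case first: `if account.username == AliasAccount.USER: data['input_username'] = user.username` followed by `elif account.username != AliasAccount.INPUT: data['input_username'] = ''`. Separately, the anonymous-account rejection now runs only at token creation in this viewset while the model-side check is removed in the other file, so a token resolving `@ANON` on a non-web/custom asset would no longer be refused at use time if any other code path creates tokens — worth confirming this method is the sole entry point. The enclosing method starts and ends outside the hunk.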
@@ -210,16 +210,18 @@ class ConnectionToken(JMSOrgBaseModel):
         if not self.asset:
             return None
 
-        if self.account == AliasAccount.ANON and self.asset.category not in ['web', 'custom']:
-            raise JMSException({'error': 'Anonymous account is not supported in {}'.format(self.asset.category)})
-
         if self.account.startswith('@'):
             account = Account.get_special_account(self.account)
+            account.asset = self.asset
+            account.org_id = self.asset.org_id
+
+            if self.account == AliasAccount.INPUT:
+                account.username = self.input_username
+                account.secret = self.input_secret
         else:
             account = self.asset.accounts.filter(name=self.account).first()
-
-        account.asset = self.asset
-        account.secret = account.secret or self.input_secret
+            if not account.secret and self.input_secret:
+                account.secret = self.input_secret
         return account
 
     @lazyproperty
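Review bot: The `@USER` alias loses the user-supplied secret on the new side: the removed `account.secret = account.secret or self.input_secret` fallback applied to every account, but it now survives only in the `else` branch for named accounts, and the alias branch fills `username`/`secret` solely for `AliasAccount.INPUT`, so a `@USER` token returns whatever `Account.get_special_account` produces with `input_secret` ignored. If `@USER` is meant to log in as the token owner with the password they typed (the API side populates `data['user']` and sets `input_username = user.username` for it), add `elif self.account == AliasAccount.USER: account.username = self.user.username; account.secret = self.input_secret` beside the `INPUT` branch — hedged, since `get_special_account` is not visible here. The `else` branch also dereferences `self.asset.accounts.filter(...).first()` without a `None` guard, so a token naming an account that has since been deleted raises `AttributeError` on `account.secret` instead of returning `None` like the missing-asset case above. The enclosing property starts outside the hunk.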