diff --git a/src/apps.js b/src/apps.js
index ed378b49c..12a4ec6cd 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -885,7 +885,7 @@ function createNewBackup(app, addonsToBackup, callback) {
         async.series([
             ignoreError(shell.sudo.bind(null, 'mountSwap', [ BACKUP_SWAP_CMD, '--on' ])),
             addons.backupAddons.bind(null, app, addonsToBackup),
-            shell.sudo.bind(null, 'backupApp', [ BACKUP_APP_CMD,  app.id, result.url, result.configUrl, result.backupKey, result.sessionToken ]),
+            shell.sudo.bind(null, 'backupApp', [ BACKUP_APP_CMD,  app.id, result.url, result.configUrl, result.backupKey ]),
             ignoreError(shell.sudo.bind(null, 'unmountSwap', [ BACKUP_SWAP_CMD, '--off' ])),
         ], function (error) {
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
diff --git a/src/backups.js b/src/backups.js
index 81cff6863..85da42564 100644
--- a/src/backups.js
+++ b/src/backups.js
@@ -96,11 +96,10 @@ function getBackupUrl(appBackupIds, callback) {
             var obj = {
                 id: filename,
                 url: result.url,
-                sessionToken: result.sessionToken,
                 backupKey: backupConfig.key
             };
 
-            debug('getBackupUrl: id:%s url:%s sessionToken:%s backupKey:%s', obj.id, obj.url, obj.sessionToken, obj.backupKey);
+            debug('getBackupUrl: id:%s url:%s backupKey:%s', obj.id, obj.url, obj.backupKey);
 
             backupdb.add({ filename: filename, creationTime: now, version: config.version(), type: backupdb.BACKUP_TYPE_BOX,
                            dependsOn: appBackupIds }, function (error) {
@@ -133,7 +132,6 @@ function getAppBackupUrl(app, callback) {
                     id: dataFilename,
                     url: dataResult.url,
                     configUrl: configResult.url,
-                    sessionToken: dataResult.sessionToken, // this token can be used for both config and data upload
                     backupKey: backupConfig.key // only data is encrypted
                 };
 
@@ -164,11 +162,10 @@ function getRestoreUrl(backupId, callback) {
             var obj = {
                 id: backupId,
                 url: result.url,
-                sessionToken: result.sessionToken,
                 backupKey: backupConfig.key
             };
 
-            debug('getRestoreUrl: id:%s url:%s sessionToken:%s backupKey:%s', obj.id, obj.url, obj.sessionToken, obj.backupKey);
+            debug('getRestoreUrl: id:%s url:%s backupKey:%s', obj.id, obj.url, obj.backupKey);
 
             callback(null, obj);
         });
diff --git a/src/cloudron.js b/src/cloudron.js
index ce4e54e94..8cca3abc6 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -655,7 +655,7 @@ function backupBoxWithAppBackupIds(appBackupIds, callback) {
 
         async.series([
             ignoreError(shell.sudo.bind(null, 'mountSwap', [ BACKUP_SWAP_CMD, '--on' ])),
-            shell.sudo.bind(null, 'backupBox', [ BACKUP_BOX_CMD, result.url, result.backupKey, result.sessionToken ]),
+            shell.sudo.bind(null, 'backupBox', [ BACKUP_BOX_CMD, result.url, result.backupKey ]),
             ignoreError(shell.sudo.bind(null, 'unmountSwap', [ BACKUP_SWAP_CMD, '--off' ])),
         ], function (error) {
             if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
diff --git a/src/routes/test/backups-test.js b/src/routes/test/backups-test.js
index 7efbbac8e..e38e39daa 100644
--- a/src/routes/test/backups-test.js
+++ b/src/routes/test/backups-test.js
@@ -95,7 +95,7 @@ describe('Backups API', function () {
         it('succeeds', function (done) {
             var scope = nock(config.apiServerOrigin())
                         .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=BACKUP_TOKEN')
-                        .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey', SessionToken: 'sessionToken' } });
+                        .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey' } });
 
             superagent.post(SERVER_URL + '/api/v1/backups')
                    .query({ access_token: token })
diff --git a/src/scripts/backupapp.sh b/src/scripts/backupapp.sh
index 964f49b3c..5f0700a45 100755
--- a/src/scripts/backupapp.sh
+++ b/src/scripts/backupapp.sh
@@ -13,7 +13,7 @@ if [[ $# == 1 && "$1" == "--check" ]]; then
 fi
 
 if [ $# -lt 4 ]; then
-    echo "Usage: backupapp.sh <appid> <url> <url> <key> [aws session token]"
+    echo "Usage: backupapp.sh <appid> <url> <url> <key>"
     exit 1
 fi
 
@@ -23,7 +23,6 @@ app_id="$1"
 backup_url="$2"
 backup_config_url="$3"
 backup_key="$4"
-session_token="$5" # unused since it seems to be part of the url query param in v4 signature
 readonly now=$(date "+%Y-%m-%dT%H:%M:%S")
 readonly app_data_dir="${DATA_DIR}/${app_id}"
 readonly app_data_snapshot="${DATA_DIR}/snapshots/${app_id}-${now}"
diff --git a/src/scripts/backupbox.sh b/src/scripts/backupbox.sh
index 31d11ce91..f4d201b12 100755
--- a/src/scripts/backupbox.sh
+++ b/src/scripts/backupbox.sh
@@ -13,13 +13,12 @@ if [[ $# == 1 && "$1" == "--check" ]]; then
 fi
 
 if [ $# -lt 2 ]; then
-    echo "Usage: backupbox.sh <url> <key> [aws session token]"
+    echo "Usage: backupbox.sh <url> <key>"
     exit 1
 fi
 
 backup_url="$1"
 backup_key="$2"
-session_token="$3"
 now=$(date "+%Y-%m-%dT%H:%M:%S")
 BOX_DATA_DIR="${HOME}/data/box"
 box_snapshot_dir="${HOME}/data/snapshots/box-${now}"
@@ -36,11 +35,6 @@ for try in `seq 1 5`; do
 
     headers=("-H" "Content-Type:")
 
-    # federated tokens in CaaS case need session token
-    if [ ! -z "$session_token" ]; then
-        headers=(${headers[@]} "-H" "x-amz-security-token: ${session_token}")
-    fi
-
     if tar -cvzf - -C "${box_snapshot_dir}" . \
            | openssl aes-256-cbc -e -pass "pass:${backup_key}" \
            | curl --fail -X PUT ${headers[@]} --data-binary @- "${backup_url}" 2>"${error_log}"; then
diff --git a/src/storage/caas.js b/src/storage/caas.js
index 458ca3fb7..8a2ea363c 100644
--- a/src/storage/caas.js
+++ b/src/storage/caas.js
@@ -29,7 +29,6 @@ function getBackupCredentials(apiConfig, callback) {
         var credentials = {
             accessKeyId: result.body.credentials.AccessKeyId,
             secretAccessKey: result.body.credentials.SecretAccessKey,
-            sessionToken: result.body.credentials.SessionToken,
             region: apiConfig.region || 'us-east-1'
         };
 
@@ -75,7 +74,7 @@ function getSignedUploadUrl(apiConfig, filename, callback) {
 
         var url = s3.getSignedUrl('putObject', params);
 
-        callback(null, { url: url, sessionToken: credentials.sessionToken });
+        callback(null, { url: url });
     });
 }
 
@@ -100,7 +99,7 @@ function getSignedDownloadUrl(apiConfig, filename, callback) {
 
         var url = s3.getSignedUrl('getObject', params);
 
-        callback(null, { url: url, sessionToken: credentials.sessionToken });
+        callback(null, { url: url });
     });
 }
 
diff --git a/src/storage/s3.js b/src/storage/s3.js
index 08c2a48fc..f4a215088 100644
--- a/src/storage/s3.js
+++ b/src/storage/s3.js
@@ -81,7 +81,7 @@ function getSignedUploadUrl(apiConfig, filename, callback) {
 
         var url = s3.getSignedUrl('putObject', params);
 
-        callback(null, { url : url, sessionToken: credentials.sessionToken });
+        callback(null, { url : url });
     });
 }
 
@@ -104,7 +104,7 @@ function getSignedDownloadUrl(apiConfig, info, filename, callback) {
 
         var url = s3.getSignedUrl('getObject', params);
 
-        callback(null, { url: url, sessionToken: credentials.sessionToken });
+        callback(null, { url: url });
     });
 }