diff --git a/js/src/index.js b/js/src/index.js
index c0f4f94ad..fda785842 100644
--- a/js/src/index.js
+++ b/js/src/index.js
@@ -25,6 +25,7 @@ import ReactDOM from 'react-dom';
 import injectTapEventPlugin from 'react-tap-event-plugin';
 import { createHashHistory } from 'history';
 import { Redirect, Router, Route, useRouterHistory } from 'react-router';
+import qs from 'querystring';
 
 import SecureApi from './secureApi';
 import ContractInstances from './contracts';
@@ -45,6 +46,7 @@ import './index.html';
 
 injectTapEventPlugin();
 
+const AUTH_HASH = '#/auth?';
 const parityUrl = process.env.PARITY_URL ||
   (
     process.env.NODE_ENV === 'production'
@@ -52,7 +54,12 @@ const parityUrl = process.env.PARITY_URL ||
     : '127.0.0.1:8180'
   );
 
-const api = new SecureApi(`ws://${parityUrl}`);
+let token = null;
+if (window.location.hash && window.location.hash.indexOf(AUTH_HASH) === 0) {
+  token = qs.parse(window.location.hash.substr(AUTH_HASH.length)).token;
+}
+
+const api = new SecureApi(`ws://${parityUrl}`, token);
 ContractInstances.create(api);
 
 const store = initStore(api);
@@ -67,6 +74,7 @@ ReactDOM.render(
   <ContextProvider api={ api } muiTheme={ muiTheme } store={ store }>
     <Router className={ styles.reset } history={ routerHistory }>
       <Redirect from='/' to='/accounts' />
+      <Redirect from='/auth' to='/accounts' query={ {} } />
       <Redirect from='/settings' to='/settings/views' />
       <Route path='/' component={ Application }>
         <Route path='accounts' component={ Accounts } />
diff --git a/js/src/secureApi.js b/js/src/secureApi.js
index ed665a5e6..3e1d9eab0 100644
--- a/js/src/secureApi.js
+++ b/js/src/secureApi.js
@@ -19,12 +19,13 @@ import Api from './api';
 const sysuiToken = window.localStorage.getItem('sysuiToken');
 
 export default class SecureApi extends Api {
-  constructor (url) {
+  constructor (url, nextToken) {
     super(new Api.Transport.Ws(url, sysuiToken));
 
     this._isConnecting = true;
     this._connectState = sysuiToken === 'initial' ? 1 : 0;
     this._needsToken = false;
+    this._nextToken = nextToken;
     this._dappsPort = 8080;
     this._dappsInterface = null;
     this._signerPort = 8180;
@@ -57,7 +58,11 @@ export default class SecureApi extends Api {
         if (isConnected) {
           return this.connectSuccess();
         } else if (lastError) {
-          this.updateToken('initial', 1);
+          const nextToken = this._nextToken || 'initial';
+          const nextState = this._nextToken ? 0 : 1;
+
+          this._nextToken = null;
+          this.updateToken(nextToken, nextState);
         }
         break;
 
diff --git a/parity/configuration.rs b/parity/configuration.rs
index 75d319272..61063aa18 100644
--- a/parity/configuration.rs
+++ b/parity/configuration.rs
@@ -35,7 +35,7 @@ use params::{ResealPolicy, AccountsConfig, GasPricerConfig, MinerExtras};
 use ethcore_logger::Config as LogConfig;
 use dir::Directories;
 use dapps::Configuration as DappsConfiguration;
-use signer::{Configuration as SignerConfiguration, SignerCommand};
+use signer::{Configuration as SignerConfiguration};
 use run::RunCmd;
 use blockchain::{BlockchainCmd, ImportBlockchain, ExportBlockchain, DataFormat};
 use presale::ImportWallet;
@@ -49,7 +49,7 @@ pub enum Cmd {
 	Account(AccountCmd),
 	ImportPresaleWallet(ImportWallet),
 	Blockchain(BlockchainCmd),
-	SignerToken(SignerCommand),
+	SignerToken(SignerConfiguration),
 	Snapshot(SnapshotCommand),
 	Hash(Option<String>),
 }
@@ -103,9 +103,7 @@ impl Configuration {
 		let cmd = if self.args.flag_version {
 			Cmd::Version
 		} else if self.args.cmd_signer && self.args.cmd_new_token {
-			Cmd::SignerToken(SignerCommand {
-				path: dirs.signer
-			})
+			Cmd::SignerToken(signer_conf)
 		} else if self.args.cmd_tools && self.args.cmd_hash {
 			Cmd::Hash(self.args.arg_file)
 		} else if self.args.cmd_account {
@@ -690,7 +688,7 @@ mod tests {
 	use ethcore::miner::{MinerOptions, PrioritizationStrategy};
 	use helpers::{replace_home, default_network_config};
 	use run::RunCmd;
-	use signer::{Configuration as SignerConfiguration, SignerCommand};
+	use signer::{Configuration as SignerConfiguration};
 	use blockchain::{BlockchainCmd, ImportBlockchain, ExportBlockchain, DataFormat};
 	use presale::ImportWallet;
 	use account::{AccountCmd, NewAccount, ImportAccounts};
@@ -827,8 +825,12 @@ mod tests {
 		let args = vec!["parity", "signer", "new-token"];
 		let conf = parse(&args);
 		let expected = replace_home("$HOME/.parity/signer");
-		assert_eq!(conf.into_command().unwrap().cmd, Cmd::SignerToken(SignerCommand {
-			path: expected,
+		assert_eq!(conf.into_command().unwrap().cmd, Cmd::SignerToken(SignerConfiguration {
+			enabled: true,
+			signer_path: expected,
+			interface: "127.0.0.1".into(),
+			port: 8180,
+			skip_origin_validation: false,
 		}));
 	}
 
diff --git a/parity/run.rs b/parity/run.rs
index 9041ede01..2cc791f8c 100644
--- a/parity/run.rs
+++ b/parity/run.rs
@@ -93,13 +93,29 @@ pub struct RunCmd {
 	pub check_seal: bool,
 }
 
+pub fn open_ui(dapps_conf: &dapps::Configuration, signer_conf: &signer::Configuration) -> Result<(), String> {
+	if !dapps_conf.enabled {
+		return Err("Cannot use UI command with Dapps turned off.".into())
+	}
+
+	if !signer_conf.enabled {
+		return Err("Cannot use UI command with UI turned off.".into())
+	}
+
+	let token = try!(signer::generate_token_and_url(signer_conf));
+	// Open a browser
+	url::open(&token.url);
+	// Print a message
+	println!("{}", token.message);
+	Ok(())
+}
+
 pub fn execute(cmd: RunCmd, logger: Arc<RotatingLogger>) -> Result<(), String> {
 	if cmd.ui && cmd.dapps_conf.enabled {
 		// Check if Parity is already running
 		let addr = format!("{}:{}", cmd.dapps_conf.interface, cmd.dapps_conf.port);
 		if !TcpListener::bind(&addr as &str).is_ok() {
-			url::open(&format!("http://{}:{}/", cmd.dapps_conf.interface, cmd.dapps_conf.port));
-			return Ok(());
+			return open_ui(&cmd.dapps_conf, &cmd.signer_conf);
 		}
 	}
 
@@ -312,7 +328,7 @@ pub fn execute(cmd: RunCmd, logger: Arc<RotatingLogger>) -> Result<(), String> {
 	};
 
 	// start signer server
-	let signer_server = try!(signer::start(cmd.signer_conf, signer_deps));
+	let signer_server = try!(signer::start(cmd.signer_conf.clone(), signer_deps));
 
 	let informant = Arc::new(Informant::new(
 		service.client(),
@@ -366,10 +382,7 @@ pub fn execute(cmd: RunCmd, logger: Arc<RotatingLogger>) -> Result<(), String> {
 
 	// start ui
 	if cmd.ui {
-		if !cmd.dapps_conf.enabled {
-			return Err("Cannot use UI command with Dapps turned off.".into())
-		}
-		url::open(&format!("http://{}:{}/", cmd.dapps_conf.interface, cmd.dapps_conf.port));
+		try!(open_ui(&cmd.dapps_conf, &cmd.signer_conf));
 	}
 
 	// Handle exit
diff --git a/parity/signer.rs b/parity/signer.rs
index a26cc431a..6905fbb3c 100644
--- a/parity/signer.rs
+++ b/parity/signer.rs
@@ -27,7 +27,7 @@ pub use ethcore_signer::Server as SignerServer;
 
 const CODES_FILENAME: &'static str = "authcodes";
 
-#[derive(Debug, PartialEq)]
+#[derive(Debug, PartialEq, Clone)]
 pub struct Configuration {
 	pub enabled: bool,
 	pub port: u16,
@@ -53,6 +53,12 @@ pub struct Dependencies {
 	pub apis: Arc<rpc_apis::Dependencies>,
 }
 
+pub struct NewToken {
+	pub token: String,
+	pub url: String,
+	pub message: String,
+}
+
 pub fn start(conf: Configuration, deps: Dependencies) -> Result<Option<SignerServer>, String> {
 	if !conf.enabled {
 		Ok(None)
@@ -68,20 +74,33 @@ fn codes_path(path: String) -> PathBuf {
 	p
 }
 
-#[derive(Debug, PartialEq)]
-pub struct SignerCommand {
-	pub path: String,
+pub fn execute(cmd: Configuration) -> Result<String, String> {
+	Ok(try!(generate_token_and_url(&cmd)).message)
 }
 
-pub fn execute(cmd: SignerCommand) -> Result<String, String> {
-	generate_new_token(cmd.path)
-		.map(|code| format!("This key code will authorise your System Signer UI: {}", Colour::White.bold().paint(code)))
-		.map_err(|err| format!("Error generating token: {:?}", err))
+pub fn generate_token_and_url(conf: &Configuration) -> Result<NewToken, String> {
+	let code = try!(generate_new_token(conf.signer_path.clone()).map_err(|err| format!("Error generating token: {:?}", err)));
+	let auth_url = format!("http://{}:{}/#/auth?token={}", conf.interface, conf.port, code);
+	// And print in to the console
+	Ok(NewToken {
+		token: code.clone(),
+		url: auth_url.clone(),
+		message: format!(
+			r#"
+Open: {}
+to authorize your browser.
+Or use the generated token:
+{}"#,
+			Colour::White.bold().paint(auth_url),
+			code
+		)
+	})
 }
 
 pub fn generate_new_token(path: String) -> io::Result<String> {
 	let path = codes_path(path);
 	let mut codes = try!(signer::AuthCodes::from_file(&path));
+	codes.clear_garbage();
 	let code = try!(codes.generate_new());
 	try!(codes.to_file(&path));
 	trace!("New key code created: {}", Colour::White.bold().paint(&code[..]));
diff --git a/signer/src/authcode_store.rs b/signer/src/authcode_store.rs
index d8474441c..cbb78db41 100644
--- a/signer/src/authcode_store.rs
+++ b/signer/src/authcode_store.rs
@@ -16,12 +16,10 @@
 
 use rand::Rng;
 use rand::os::OsRng;
-use std::io;
-use std::io::{Read, Write};
-use std::fs;
+use std::io::{self, Read, Write};
 use std::path::Path;
-use std::time;
-use util::{H256, Hashable};
+use std::{fs, time, mem};
+use util::{H256, Hashable, Itertools};
 
 /// Providing current time in seconds
 pub trait TimeProvider {
@@ -47,12 +45,35 @@ impl TimeProvider for DefaultTimeProvider {
 
 /// No of seconds the hash is valid
 const TIME_THRESHOLD: u64 = 7;
+/// minimal length of hash
 const TOKEN_LENGTH: usize = 16;
+/// special "initial" token used for authorization when there are no tokens yet.
 const INITIAL_TOKEN: &'static str = "initial";
+/// Separator between fields in serialized tokens file.
+const SEPARATOR: &'static str = ";";
+/// Number of seconds to keep unused tokens.
+const UNUSED_TOKEN_TIMEOUT: u64 = 3600 * 24; // a day
+
+struct Code {
+	code: String,
+	/// Duration since unix_epoch
+	created_at: time::Duration,
+	/// Duration since unix_epoch
+	last_used_at: Option<time::Duration>,
+}
+
+fn decode_time(val: &str) -> Option<time::Duration> {
+	let time = val.parse::<u64>().ok();
+	time.map(time::Duration::from_secs)
+}
+
+fn encode_time(time: time::Duration) -> String {
+	format!("{}", time.as_secs())
+}
 
 /// Manages authorization codes for `SignerUIs`
 pub struct AuthCodes<T: TimeProvider = DefaultTimeProvider> {
-	codes: Vec<String>,
+	codes: Vec<Code>,
 	now: T,
 }
 
@@ -69,13 +90,32 @@ impl AuthCodes<DefaultTimeProvider> {
 				"".into()
 			}
 		};
+		let time_provider = DefaultTimeProvider::default();
+
 		let codes = content.lines()
-			.filter(|f| f.len() >= TOKEN_LENGTH)
-			.map(String::from)
+			.filter_map(|line| {
+				let mut parts = line.split(SEPARATOR);
+				let token = parts.next();
+				let created = parts.next();
+				let used = parts.next();
+
+				match token {
+					None => None,
+					Some(token) if token.len() < TOKEN_LENGTH => None,
+					Some(token) => {
+						Some(Code {
+							code: token.into(),
+							last_used_at: used.and_then(decode_time),
+							created_at: created.and_then(decode_time)
+											.unwrap_or_else(|| time::Duration::from_secs(time_provider.now())),
+						})
+					}
+				}
+			})
 			.collect();
 		Ok(AuthCodes {
 			codes: codes,
-			now: DefaultTimeProvider::default(),
+			now: time_provider,
 		})
 	}
 
@@ -86,19 +126,30 @@ impl<T: TimeProvider> AuthCodes<T> {
 	/// Writes all `AuthCodes` to a disk.
 	pub fn to_file(&self, file: &Path) -> io::Result<()> {
 		let mut file = try!(fs::File::create(file));
-		let content = self.codes.join("\n");
+		let content = self.codes.iter().map(|code| {
+			let mut data = vec![code.code.clone(), encode_time(code.created_at.clone())];
+			if let Some(used_at) = code.last_used_at.clone() {
+				data.push(encode_time(used_at));
+			}
+			data.join(SEPARATOR)
+		}).join("\n");
 		file.write_all(content.as_bytes())
 	}
 
 	/// Creates a new `AuthCodes` store with given `TimeProvider`.
 	pub fn new(codes: Vec<String>, now: T) -> Self {
 		AuthCodes {
-			codes: codes,
+			codes: codes.into_iter().map(|code| Code {
+				code: code,
+				created_at: time::Duration::from_secs(now.now()),
+				last_used_at: None,
+			}).collect(),
 			now: now,
 		}
 	}
 
-	/// Checks if given hash is correct identifier of `SignerUI`
+	/// Checks if given hash is correct authcode of `SignerUI`
+	/// Updates this hash last used field in case it's valid.
 	#[cfg_attr(feature="dev", allow(wrong_self_convention))]
 	pub fn is_valid(&mut self, hash: &H256, time: u64) -> bool {
 		let now = self.now.now();
@@ -121,8 +172,14 @@ impl<T: TimeProvider> AuthCodes<T> {
 		}
 
 		// look for code
-		self.codes.iter()
-			.any(|code| &as_token(code) == hash)
+		for mut code in &mut self.codes {
+			if &as_token(&code.code) == hash {
+				code.last_used_at = Some(time::Duration::from_secs(now));
+				return true;
+			}
+		}
+
+		false
 	}
 
 	/// Generates and returns a new code that can be used by `SignerUIs`
@@ -135,7 +192,11 @@ impl<T: TimeProvider> AuthCodes<T> {
 			.collect::<Vec<String>>()
 			.join("-");
 		trace!(target: "signer", "New authentication token generated.");
-		self.codes.push(code);
+		self.codes.push(Code {
+			code: code,
+			created_at: time::Duration::from_secs(self.now.now()),
+			last_used_at: None,
+		});
 		Ok(readable_code)
 	}
 
@@ -143,12 +204,31 @@ impl<T: TimeProvider> AuthCodes<T> {
 	pub fn is_empty(&self) -> bool {
 		self.codes.is_empty()
 	}
-}
 
+	/// Removes old tokens that have not been used since creation.
+	pub fn clear_garbage(&mut self) {
+		let now = self.now.now();
+		let threshold = time::Duration::from_secs(now.saturating_sub(UNUSED_TOKEN_TIMEOUT));
+
+		let codes = mem::replace(&mut self.codes, Vec::new());
+		for code in codes {
+			// Skip codes that are old and were never used.
+			if code.last_used_at.is_none() && code.created_at <= threshold {
+				continue;
+			}
+			self.codes.push(code);
+		}
+	}
+}
 
 #[cfg(test)]
 mod tests {
 
+	use devtools;
+	use std::io::{Read, Write};
+	use std::{time, fs};
+	use std::cell::Cell;
+
 	use util::{H256, Hashable};
 	use super::*;
 
@@ -217,6 +297,54 @@ mod tests {
 		assert_eq!(res2, false);
 	}
 
+	#[test]
+	fn should_read_old_format_from_file() {
+		// given
+		let path = devtools::RandomTempPath::new();
+		let code = "23521352asdfasdfadf";
+		{
+			let mut file = fs::File::create(&path).unwrap();
+			file.write_all(b"a\n23521352asdfasdfadf\nb\n").unwrap();
+		}
+
+		// when
+		let mut authcodes = AuthCodes::from_file(&path).unwrap();
+		let time = time::UNIX_EPOCH.elapsed().unwrap().as_secs();
+
+		// then
+		assert!(authcodes.is_valid(&generate_hash(code, time), time), "Code should be read from file");
+	}
+
+	#[test]
+	fn should_remove_old_unused_tokens() {
+		// given
+		let path = devtools::RandomTempPath::new();
+		let code1 = "11111111asdfasdf111";
+		let code2 = "22222222asdfasdf222";
+		let code3 = "33333333asdfasdf333";
+
+		let time = Cell::new(100);
+		let mut codes = AuthCodes::new(vec![code1.into(), code2.into(), code3.into()], || time.get());
+		// `code2` should not be removed (we never remove tokens that were used)
+		codes.is_valid(&generate_hash(code2, time.get()), time.get());
+
+		// when
+		time.set(100 + 10_000_000);
+		// mark `code1` as used now
+		codes.is_valid(&generate_hash(code1, time.get()), time.get());
+
+		let new_code = codes.generate_new().unwrap().replace('-', "");
+		codes.clear_garbage();
+		codes.to_file(&path).unwrap();
+
+		// then
+		let mut content = String::new();
+		let mut file = fs::File::open(&path).unwrap();
+		file.read_to_string(&mut content).unwrap();
+
+		assert_eq!(content, format!("{};100;10000100\n{};100;100\n{};10000100", code1, code2, new_code));
+	}
+
 }
 
 
diff --git a/signer/src/ws_server/session.rs b/signer/src/ws_server/session.rs
index b99ef48ef..5adc3fa80 100644
--- a/signer/src/ws_server/session.rs
+++ b/signer/src/ws_server/session.rs
@@ -94,6 +94,9 @@ fn auth_is_valid(codes_path: &Path, protocols: ws::Result<Vec<&str>>) -> bool {
 					// Check if the code is valid
 					AuthCodes::from_file(codes_path)
 						.map(|mut codes| {
+							// remove old tokens
+							codes.clear_garbage();
+
 							let res = codes.is_valid(&auth, time);
 							// make sure to save back authcodes - it might have been modified
 							if let Err(_) = codes.to_file(codes_path) {