diff --git a/managed/services/grafana/client.go b/managed/services/grafana/client.go
index a3d5b2883d..3930d12339 100644
--- a/managed/services/grafana/client.go
+++ b/managed/services/grafana/client.go
@@ -218,13 +218,33 @@ func (c *Client) GetUserID(ctx context.Context) (int, error) {
 	return int(userID), nil
 }
 
+var emptyUser = authUser{
+	role:   none,
+	userID: 0,
+}
+
 // getAuthUser returns grafanaAdmin if currently authenticated user is a Grafana (super) admin.
 // Otherwise, it returns a role in the default organization (with ID 1).
 // Ctx is used only for cancelation.
 func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (authUser, error) {
-	// Check if it's API Key or Service Token
-	role, authorized := c.proceedTokenAuth(ctx, authHeaders)
-	if authorized {
+	// Check if API Key or Service Token is authorized.
+	token := c.getTokenAuth(ctx, authHeaders)
+	if token != "" {
+		if strings.HasPrefix(token, "glsa_") {
+			role, err := c.getRoleForServiceToken(ctx, authHeaders)
+			if err != nil {
+				return emptyUser, err
+			}
+			return authUser{
+				role:   role,
+				userID: 0,
+			}, nil
+		}
+
+		role, err := c.getRoleForAPIKey(ctx, authHeaders)
+		if err != nil {
+			return emptyUser, err
+		}
 		return authUser{
 			role:   role,
 			userID: 0,
@@ -235,10 +255,7 @@ func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (auth
 	var m map[string]interface{}
 	err := c.do(ctx, http.MethodGet, "/api/user", "", authHeaders, nil, &m)
 	if err != nil {
-		return authUser{
-			role:   none,
-			userID: 0,
-		}, err
+		return emptyUser, err
 	}
 
 	id, _ := m["id"].(float64)
@@ -281,40 +298,25 @@ func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (auth
 	}, nil
 }
 
-func (c *Client) proceedTokenAuth(ctx context.Context, authHeaders http.Header) (role, bool) {
+func (c *Client) getTokenAuth(ctx context.Context, authHeaders http.Header) string {
 	authHeader := authHeaders.Get("Authorization")
-	token := ""
 	switch {
 	case strings.HasPrefix(authHeader, "Bearer"):
-		token = strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer"))
+		return strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer"))
 	case strings.HasPrefix(authHeader, "Basic"):
 		h := strings.TrimPrefix(authHeader, "Basic")
 		t, err := base64.StdEncoding.DecodeString(strings.TrimSpace(h))
 		if err != nil {
-			return none, false
+			return ""
 		}
 		tk := string(t)
 		if strings.HasPrefix(tk, "api_key:") || strings.HasPrefix(tk, "service_token:") {
-			token = strings.Split(tk, ":")[1]
-			break
+			return strings.Split(tk, ":")[1]
 		}
 
-		return none, false
 	}
 
-	if strings.HasPrefix(token, "glsa_") {
-		role, err := c.getRoleForServiceToken(ctx, authHeaders)
-		if err != nil {
-			return none, false
-		}
-		return role, true
-	}
-
-	role, err := c.getRoleForAPIKey(ctx, authHeaders)
-	if err != nil {
-		return none, false
-	}
-	return role, true
+	return ""
 }
 
 func (c *Client) convertRole(role string) role {
@@ -653,9 +655,6 @@ func (c *Client) createServiceAccountAndToken(ctx context.Context, name string,
 
 	// orgId is ignored during creating service account and default is -1
 	// orgId should be setup to 1
-	if err != nil {
-		return 0, "", errors.WithStack(err)
-	}
 	if err = c.do(ctx, "PATCH", fmt.Sprintf("/api/serviceaccounts/%d", serviceAccountID), "", authHeaders, []byte("{\"orgId\": 1}"), &m); err != nil {
 		return 0, "", err
 	}
@@ -663,7 +662,7 @@ func (c *Client) createServiceAccountAndToken(ctx context.Context, name string,
 	// due to reregister of node PMM agent related tokens should be deleted first
 	err = c.deletePMMAgentRelatedServiceTokens(ctx, serviceAccountID, authHeaders)
 	if err != nil {
-		return 0, "", errors.WithStack(err)
+		return 0, "", err
 	}
 
 	serviceTokenName := fmt.Sprintf("%s-%s-%d", pmmServiceTokenName, name, rand.Int63())
@@ -672,7 +671,7 @@ func (c *Client) createServiceAccountAndToken(ctx context.Context, name string,
 		return 0, "", errors.WithStack(err)
 	}
 	if err = c.do(ctx, "POST", fmt.Sprintf("/api/serviceaccounts/%d/tokens", serviceAccountID), "", authHeaders, b, &m); err != nil {
-		return 0, "", errors.WithStack(err)
+		return 0, "", err
 	}
 	serviceTokenID := int64(m["id"].(float64)) //nolint:forcetypeassert
 	serviceTokenKey := m["key"].(string)       //nolint:forcetypeassert
@@ -688,7 +687,9 @@ func (c *Client) deletePMMAgentRelatedServiceTokens(ctx context.Context, service
 
 	for _, token := range tokens {
 		if strings.HasPrefix(token.Name, pmmServiceTokenName) {
-			c.do(ctx, "DELETE", fmt.Sprintf("/api/serviceaccounts/%d/tokens/%d", serviceAccountID, token.ID), "", authHeaders, nil, nil)
+			if err := c.do(ctx, "DELETE", fmt.Sprintf("/api/serviceaccounts/%d/tokens/%d", serviceAccountID, token.ID), "", authHeaders, nil, nil); err != nil {
+				return err
+			}
 		}
 	}
 
diff --git a/managed/services/grafana/client_test.go b/managed/services/grafana/client_test.go
index 75b4e5376f..94c626314e 100644
--- a/managed/services/grafana/client_test.go
+++ b/managed/services/grafana/client_test.go
@@ -103,57 +103,87 @@ func TestClient(t *testing.T) {
 		for _, role := range []role{viewer, editor, admin} {
 			role := role
 
-			t.Run(fmt.Sprintf("Basic auth %s", role.String()), func(t *testing.T) {
+			// t.Run(fmt.Sprintf("Basic auth %s", role.String()), func(t *testing.T) {
+			// 	// do not run this test in parallel - they lock Grafana's sqlite3 database
+			// 	// t.Parallel()
+
+			// 	login := fmt.Sprintf("basic-%s-%d", role, time.Now().Nanosecond())
+			// 	userID, err := c.testCreateUser(ctx, login, role, authHeaders)
+			// 	require.NoError(t, err)
+			// 	require.NotZero(t, userID)
+			// 	if err != nil {
+			// 		defer func() {
+			// 			err = c.testDeleteUser(ctx, userID, authHeaders)
+			// 			require.NoError(t, err)
+			// 		}()
+			// 	}
+
+			// 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "/dummy", nil)
+			// 	require.NoError(t, err)
+			// 	req.SetBasicAuth(login, login)
+			// 	userAuthHeaders := req.Header
+
+			// 	u, err := c.getAuthUsyer(ctx, userAuthHeaders)
+			// 	actualRole := u.role
+			// 	assert.NoError(t, err)
+			// 	assert.Equal(t, role, actualRole)
+			// 	assert.Equal(t, role.String(), actualRole.String())
+			// })
+
+			// t.Run(fmt.Sprintf("API Key auth %s", role.String()), func(t *testing.T) {
+			// 	// do not run this test in parallel - they lock Grafana's sqlite3 database
+			// 	// t.Parallel()
+
+			// 	login := fmt.Sprintf("api-%s-%d", role, time.Now().Nanosecond())
+			// 	apiKeyID, apiKey, err := c.createAPIKey(ctx, login, role, authHeaders)
+			// 	require.NoError(t, err)
+			// 	require.NotZero(t, apiKeyID)
+			// 	require.NotEmpty(t, apiKey)
+			// 	if err != nil {
+			// 		defer func() {
+			// 			err = c.deleteAPIKey(ctx, apiKeyID, authHeaders)
+			// 			require.NoError(t, err)
+			// 		}()
+			// 	}
+
+			// 	apiKeyAuthHeaders := http.Header{}
+			// 	apiKeyAuthHeaders.Set("Authorization", fmt.Sprintf("Bearer %s", apiKey))
+
+			// 	u, err := c.getAuthUser(ctx, apiKeyAuthHeaders)
+			// 	actualRole := u.role
+			// 	assert.NoError(t, err)
+			// 	assert.Equal(t, role, actualRole)
+			// 	assert.Equal(t, role.String(), actualRole.String())
+			// })
+
+			t.Run(fmt.Sprintf("Service token auth %s", role.String()), func(t *testing.T) {
 				// do not run this test in parallel - they lock Grafana's sqlite3 database
 				// t.Parallel()
 
-				login := fmt.Sprintf("basic-%s-%d", role, time.Now().Nanosecond())
-				userID, err := c.testCreateUser(ctx, login, role, authHeaders)
+				login := fmt.Sprintf("servicetoken-%s-%d", role, time.Now().Nanosecond())
+				serviceTokenID, serviceToken, err := c.createServiceAccountAndToken(ctx, login, role, authHeaders)
 				require.NoError(t, err)
-				require.NotZero(t, userID)
-				if err != nil {
-					defer func() {
-						err = c.testDeleteUser(ctx, userID, authHeaders)
-						require.NoError(t, err)
-					}()
+				require.NotZero(t, serviceTokenID)
+				require.NotEmpty(t, serviceToken)
+				// if err != nil {
+				// 	defer func() {
+				// 		err = c.deleteAPIKey(ctx, apiKeyID, authHeaders)
+				// 		require.NoError(t, err)
+				// 	}()
+				// }
+
+				serviceTokenAuthHeaders := http.Header{}
+				serviceTokenAuthHeaders.Set("Authorization", fmt.Sprintf("Bearer %s", serviceToken))
+				u, err := c.getAuthUser(ctx, serviceTokenAuthHeaders)
+				switch role {
+				case admin:
+					assert.NoError(t, err)
+					actualRole := u.role
+					assert.Equal(t, role, actualRole)
+					assert.Equal(t, role.String(), actualRole.String())
+				case viewer, editor:
+					require.ErrorContains(t, err, "Permissions needed: serviceaccounts:read")
 				}
-
-				req, err := http.NewRequestWithContext(ctx, http.MethodGet, "/dummy", nil)
-				require.NoError(t, err)
-				req.SetBasicAuth(login, login)
-				userAuthHeaders := req.Header
-
-				u, err := c.getAuthUser(ctx, userAuthHeaders)
-				actualRole := u.role
-				assert.NoError(t, err)
-				assert.Equal(t, role, actualRole)
-				assert.Equal(t, role.String(), actualRole.String())
-			})
-
-			t.Run(fmt.Sprintf("API Key auth %s", role.String()), func(t *testing.T) {
-				// do not run this test in parallel - they lock Grafana's sqlite3 database
-				// t.Parallel()
-
-				login := fmt.Sprintf("api-%s-%d", role, time.Now().Nanosecond())
-				apiKeyID, apiKey, err := c.createAPIKey(ctx, login, role, authHeaders)
-				require.NoError(t, err)
-				require.NotZero(t, apiKeyID)
-				require.NotEmpty(t, apiKey)
-				if err != nil {
-					defer func() {
-						err = c.deleteAPIKey(ctx, apiKeyID, authHeaders)
-						require.NoError(t, err)
-					}()
-				}
-
-				apiKeyAuthHeaders := http.Header{}
-				apiKeyAuthHeaders.Set("Authorization", fmt.Sprintf("Bearer %s", apiKey))
-
-				u, err := c.getAuthUser(ctx, apiKeyAuthHeaders)
-				actualRole := u.role
-				assert.NoError(t, err)
-				assert.Equal(t, role, actualRole)
-				assert.Equal(t, role.String(), actualRole.String())
 			})
 		}
 	})