diff --git a/models/error.go b/models/error.go
index cd7fa35de4..69b2962475 100644
--- a/models/error.go
+++ b/models/error.go
@@ -280,6 +280,18 @@ func (err ErrAccessTokenNotExist) Error() string {
 	return fmt.Sprintf("access token does not exist [sha: %s]", err.SHA)
 }
 
+type ErrAccessTokenEmpty struct {
+}
+
+func IsErrAccessTokenEmpty(err error) bool {
+	_, ok := err.(ErrAccessTokenEmpty)
+	return ok
+}
+
+func (err ErrAccessTokenEmpty) Error() string {
+	return fmt.Sprintf("access token is empty")
+}
+
 // ________                            .__                __  .__
 // \_____  \_______  _________    ____ |__|____________ _/  |_|__| ____   ____
 //  /   |   \_  __ \/ ___\__  \  /    \|  \___   /\__  \\   __\  |/  _ \ /    \
diff --git a/models/token.go b/models/token.go
index 38d83e2172..d015d97aa6 100644
--- a/models/token.go
+++ b/models/token.go
@@ -56,6 +56,9 @@ func NewAccessToken(t *AccessToken) error {
 
 // GetAccessTokenBySHA returns access token by given sha1.
 func GetAccessTokenBySHA(sha string) (*AccessToken, error) {
+	if sha == "" {
+		return nil, ErrAccessTokenEmpty{}
+	}
 	t := &AccessToken{Sha1: sha}
 	has, err := x.Get(t)
 	if err != nil {
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 0c1f2fbdc1..3265b326c6 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -49,7 +49,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 		if len(tokenSHA) > 0 {
 			t, err := models.GetAccessTokenBySHA(tokenSHA)
 			if err != nil {
-				if models.IsErrAccessTokenNotExist(err) {
+				if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
 					log.Error(4, "GetAccessTokenBySHA: %v", err)
 				}
 				return 0
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 80a480bc59..fba06133c9 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -112,7 +112,7 @@ func HTTP(ctx *context.Context) {
 			// Assume username now is a token.
 			token, err := models.GetAccessTokenBySHA(authUsername)
 			if err != nil {
-				if models.IsErrAccessTokenNotExist(err) {
+				if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
 					ctx.HandleText(http.StatusUnauthorized, "invalid token")
 				} else {
 					ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySha", err)