diff --git a/changelog/unreleased/link-context.md b/changelog/unreleased/link-context.md
new file mode 100644
index 00000000000..50d6981795b
--- /dev/null
+++ b/changelog/unreleased/link-context.md
@@ -0,0 +1,5 @@
+Bugfix: link context in metadata client
+
+We now disconnect the existing outgoing grpc metadata when making calls in the metadata client. To keep track of related spans we link the two contexts.
+
+https://github.com/cs3org/reva/pull/3947
diff --git a/pkg/storage/utils/metadata/cs3.go b/pkg/storage/utils/metadata/cs3.go
index aa467478e25..a536f9284e3 100644
--- a/pkg/storage/utils/metadata/cs3.go
+++ b/pkg/storage/utils/metadata/cs3.go
@@ -461,7 +461,9 @@ func (cs3 *CS3) providerClient() (provider.ProviderAPIClient, error) {
 }
 
 func (cs3 *CS3) getAuthContext(ctx context.Context) (context.Context, error) {
-	ctx, span := tracer.Start(ctx, "getAuthContext")
+	// we need to start a new context to get rid of an existing x-access-token in the outgoing context
+	authCtx := context.Background()
+	authCtx, span := tracer.Start(authCtx, "getAuthContext", trace.WithLinks(trace.LinkFromContext(ctx)))
 	defer span.End()
 
 	client, err := pool.GetGatewayServiceClient(cs3.gatewayAddr)
@@ -469,7 +471,7 @@ func (cs3 *CS3) getAuthContext(ctx context.Context) (context.Context, error) {
 		return nil, err
 	}
 
-	authCtx := ctxpkg.ContextSetUser(ctx, cs3.serviceUser)
+	authCtx = ctxpkg.ContextSetUser(authCtx, cs3.serviceUser)
 	authRes, err := client.Authenticate(authCtx, &gateway.AuthenticateRequest{
 		Type:         "machine",
 		ClientId:     "userid:" + cs3.serviceUser.Id.OpaqueId,