diff --git a/CHANGELOG.md b/CHANGELOG.md index d2a8114..33655ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ - Implement two new flags to customize the logging format - `-standard-logging-format` Sets the format for standard logging - `-auth-logging-format` Sets the format for auth logging +- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) + # v3.1.0 diff --git a/README.md b/README.md index 9a7727f..6d0ef54 100644 --- a/README.md +++ b/README.md @@ -220,6 +220,7 @@ Usage of oauth2_proxy: -logging-max-backups int: Maximum number of old log files to retain; 0 to disable (default 0) -logging-max-size int: Maximum size in megabytes of the log file before rotation (default 100) -login-url string: Authentication endpoint + -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com" -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header -pass-authorization-header: pass OIDC IDToken to upstream via Authorization Bearer header -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true) @@ -478,6 +479,10 @@ server { proxy_set_header X-User $user; proxy_set_header X-Email $email; + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; + # if you enabled --cookie-refresh, this is needed for it to work with auth_request auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; diff --git a/configure b/configure index 499ae23..0e13959 100755 --- a/configure +++ b/configure @@ -106,6 +106,7 @@ check_docker_version() { check_go_env() { echo -n "Checking \$GOPATH... " + GOPATH="$(go env GOPATH)" if [ -z "$GOPATH" ]; then printf "${RED}invalid${NC} - GOPATH not set\n" exit 1 
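Review bot: With `GOPATH="$(go env GOPATH)"` added at the top of check_go_env, the `-z "$GOPATH"` test that follows can in practice only fire when the `go` command is missing or fails, because `go env GOPATH` reports a default path when the variable is unset; the message `GOPATH not set` then points the user at the wrong cause. Consider `GOPATH="$(go env GOPATH 2>/dev/null)"` together with a message along the lines of `could not determine GOPATH (is go installed?)`, so a shell error is not interleaved with the `echo -n` status line. check_go_env continues past the end of the hunk, so whether `go` is verified earlier in the script is not visible here.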
diff --git a/oauthproxy.go b/oauthproxy.go
index 2ea2623..6b05442 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -887,6 +887,9 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 if session.Email != "" {
 rw.Header().Set("X-Auth-Request-Email", session.Email)
 }
+ if p.PassAccessToken && session.AccessToken != "" {
+ rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
+ }
 }
 if p.PassAccessToken && session.AccessToken != "" {
 req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
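Review bot: The added `rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)` writes a bearer credential into a response header, and its only guard is `p.PassAccessToken`, the same switch that already controls the upstream `X-Forwarded-Access-Token` request header a few lines below. If `Authenticate` is also reached on the normal proxied path (its callers are outside this hunk), the token could be returned to the browser, where same-origin script can read response headers regardless of how the session cookie is protected. The safer shape is to set the header only when serving the auth-only subrequest, or behind its own opt-in. At minimum add a comment above the new block such as `// Bearer credential: intended for the nginx auth_request subrequest only; must never be relayed to the client.` and state the same next to the README nginx snippet. The enclosing conditional and the function body start and end outside the hunk, so the outer guard is inferred from the neighbouring `X-Auth-Request-Email` line.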