diff --git a/aiohttp_security/api.py b/aiohttp_security/api.py
index a8a024c..831f8de 100644
--- a/aiohttp_security/api.py
+++ b/aiohttp_security/api.py
@@ -17,6 +17,7 @@ def remember(request, response, identity, **kwargs):
 pushed into custom header also.
 """
 assert isinstance(identity, str), identity
+ assert identity
 identity_policy = request.app.get(IDENTITY_KEY)
 if identity_policy is None:
 text = ("Security subsystem is not initialized, "
@@ -53,6 +54,8 @@ def authorized_userid(request):
 if identity_policy is None or autz_policy is None:
 return None
 identity = yield from identity_policy.identify(request)
+ if identity is None:
+ return None # non-registered user has None user_id
 user_id = yield from autz_policy.authorized_userid(identity)
 return user_id
@@ -60,11 +63,13 @@ def authorized_userid(request):
 @asyncio.coroutine
 def permits(request, permission, context=None):
 assert isinstance(permission, str), permission
+ assert permission
 identity_policy = request.app.get(IDENTITY_KEY)
 autz_policy = request.app.get(AUTZ_KEY)
 if identity_policy is None or autz_policy is None:
 return True
 identity = yield from identity_policy.identify(request)
+ # non-registered user still may has some permissions
 access = yield from autz_policy.permits(identity, permission, context)
 return access
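Review bot: The added `assert identity` in remember() validates caller input with `assert`, which Python strips under `-O`, so in an optimised deployment an empty identity would again reach the identity policy. An explicit check such as `if not identity: raise ValueError("identity must be a non-empty string")` survives optimisation, though it changes the exception type callers see. The same applies to `assert permission` added in permits() and to the `isinstance` asserts beside both. remember()'s body continues outside the hunk.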
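Review bot: The new guard in authorized_userid() tests only `identity is None`, so an empty-string identity returned by identify() is still passed to `autz_policy.authorized_userid()`, even though this commit makes remember() refuse an empty identity. If an identity policy can return "" (not visible here), `if not identity: return None` would treat that case as anonymous too. The trailing comment would read better on its own line above the `return`, e.g. `# anonymous request: no identity, hence no user_id`. The function starts outside the hunk.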
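Review bot: permits() still answers `return True` when either policy is missing from the app, so a misconfigured application grants every permission, whereas remember() appears to build a "Security subsystem is not initialized" error for the same condition. Failing closed (`return False`, or raising as remember() seems to) would be the safer default, though it changes behaviour for apps that rely on the current one. The new comment also implies that `identity` may be None when it reaches `autz_policy.permits()`. Since permits() has no docstring, that contract deserves one, and the comment could read `# anonymous user (identity is None) may still hold some permissions`.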