diff --git a/authorized-exec.pl b/authorized-exec.pl
index 5f8d6b8..be28324 100755
--- a/authorized-exec.pl
+++ b/authorized-exec.pl
@@ -22,6 +22,30 @@ my %config = do $configfile;
 die "Couldn't run $configfile" unless %config;
 my $user = $ENV{'USER'};
+my $authfile = $ENV{'SSH_USER_AUTH'};
+
+my %publickeys;
+
+if ($authfile && -f $authfile) {
+ open my $fh, '<', $authfile or die "Found authentication file, but failed to read it: $!";
+ while (<$fh>) {
+ $_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;
+ $publickeys{$1} = 1;
+ }
+ close $fh or print STDERR "Failed to close authentication file: $!";
+}
+
+foreach my $userentry (keys %config) {
+ my @userelements = split(':', $userentry);
+ if (scalar @userelements > 1) {
+ my $entry_user = $userelements[0];
+ my $entry_key = $userelements[1];
+ if ($entry_user eq $user && exists($publickeys{$entry_key})) {
+ $user = $userentry;
+ last;
+ }
+ }
+}
 if (! exists($config{$user}) ) {
 print STDERR 'Unauthorized user.';
diff --git a/authorized-exec.pod b/authorized-exec.pod
index 22f1906..c65c44a 100644
--- a/authorized-exec.pod
+++ b/authorized-exec.pod
@@ -15,10 +15,12 @@ The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.
+
 The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
+
 =head1 EXAMPLES
 In authorized_keys, sshd(8), the following syntax can be used:
- command="/usr/bin/authorized-exec.pod /etc/authorized-exec/service1.pl" ssh-ed25519 ....
+ command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....
 =head1 AUTHOR
diff --git a/config.example.pl b/config.example.pl
index ea6396c..8954771 100644
--- a/config.example.pl
+++ b/config.example.pl
@@ -1,10 +1,13 @@
 # the patterns are read as regular expressions and anchored with ^ and $ by default
 (
- 'georg' => [
+ 'georg2:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY7Pvf4Rzn7C8Ioi1ZvY/O7tJsMCv27URdQE5o1daDK' => [
 'echo hi',
 'true',
 'printf %s [a-z0-9 ]+',
 ],
+ 'georg2' => [
+ 'echo bye',
+ ],
 'root' => [
 'ls -a /root',
 ],
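Review bot: The match `$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;` in the new while loop is never checked, so on a line that does not match (another authentication method, or a key type outside `ssh-[a-z0-9]+` such as `ecdsa-sha2-nistp256` or `sk-ssh-ed25519@openssh.com`) `$1` is undef or at best left over from an earlier match, and `$publickeys{$1} = 1` then records an empty or wrong key with an uninitialized-value warning. Replace the bare match with `next unless /^publickey (ssh-[a-z0-9]+ .*)$/;` so only matching lines populate `%publickeys`, and consider widening the key-type pattern (for example `(\S+ \S+)`), since a session authenticated with an unmatched key type silently falls back to the bare-username entry. The `foreach` over `keys %config` depends on Perl's randomized hash order, so if the auth file lists several keys that each have a `user:key` entry, which entry wins is nondeterministic — sorting the keys or documenting the first-match rule would make that explicit. The `if (! exists($config{$user}))` block continues past the end of the hunk.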