Cannot refetch token generated via API

Hi everyone,

I am trying to fetch a token I previously created via the Jupyter Hub REST API.

However, when I fetch the tokens for the user at the route:


I get the following reply:

            "user": "52f15d0b-fba8-4026-9bd1-02abb03438fa",
            "id": "a958",
            "kind": "api_token",
            "roles": [],
            "scopes": [
            "created": "2023-12-02T17:15:36.162131Z",
            "last_activity": "2023-12-02T18:27:43.084793Z",
            "expires_at": null,
            "note": "Requested via api by user admin",
            "session_id": null,
            "oauth_client": "JupyterHub"

It does not include the token field for me to reuse the token.

The token is only returned the first time, when you create it.

Thanks a lot, that is very helpful.

What is the expected design pattern with the token? Is it expected that it is only used once and never again?

As is standard practice for token-issuing services (GitHub, PyPI, Google, etc.), you can only see the token one time when you create it. It’s then up to you to store it appropriately for re-use, if needed (e.g. in a password manager, cookie, or other safe secret storage). The issuing service only stores a hash of the token, so it can check if a request is made with the token, but it does not have the information it needs to retrieve the token a second time. This way a compromise of the database cannot reveal any existing tokens.

1 Like

Thanks a lot, that is very helpful!