How to refresh oauth tokens

Correct, but…

JupyterHub has two kinds of tokens: OAuth access tokens and API tokens. OAuth access tokens should expire by default at one hour (they do not yet, but will in the next release). API tokens support expiry, but do not expire by default. OAuth access tokens are used in the cookies for browser authentication to a given server. API tokens are used for e.g. the server itself to call back to the Hub (for example, completing the OAuth flow to issue these OAuth tokens).

I do eventually want to merge these and eliminate the distinction. Tasks involved in that:

  1. define OAuth scopes for APIs
  2. implement scope-based auth for token-authenticated requests
  3. implement refresh_token mechanism and use it in jupyterhub-singleuser
  4. enable token expiry by default