Is JUPYTERHUB_API_TOKEN sensitive?

I deployed JupyterHub on a GKE cluster. From a notebook I executed an !env command, and looking at the environment variables I see JUPYTERHUB_API_TOKEN and JPY_API_TOKEN, which are identical. Are these sensitive? Could they be used maliciously? If so, is there a way to prevent them being exposed?

JUPYTERHUB_API_TOKEN is required for the singleuser server to communicate with the hub. JPY_API_TOKEN is the old deprecated name that is kept for backwards compatibility and can be removed for modern servers.

Only the current user should have access to it. If it’s leaked, then other potentially malicious entities would gain access to that user’s server, files, etc. In theory it could be removed from some user-facing components such as the kernel and terminal environments, but that would have to be done in Jupyter-server/lab/notebook, not in JupyterHub.

2 Likes
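Since the token is printed by !env and the output is saved with the notebook, one leak path is sharing or committing the .ipynb file. The following is an added example, not code from this thread or from the Jupyter projects: it scans the saved outputs of a notebook for the two variables named above and redacts their values. It assumes the nbformat v4 JSON layout; the sample notebook and token value are constructed.

```python
import re

# Variable names are the two from the thread. Treating the value as a run of
# non-space, non-quote characters is an assumption of this example.
TOKEN_VARS = ("JUPYTERHUB_API_TOKEN", "JPY_API_TOKEN")
TOKEN_RE = re.compile(r"\b(" + "|".join(TOKEN_VARS) + r")(['\"]?\s*[=:]\s*['\"]?)(?!<redacted>)([^\s'\"]+)")


def _redact(text, hits, where):
    """Replace token values in one string and record (where, variable) per match."""
    def repl(m):
        hits.append((where, m.group(1)))
        return m.group(1) + m.group(2) + "<redacted>"
    return TOKEN_RE.sub(repl, text)


def _redact_field(value, hits, where):
    """nbformat stores output text either as one string or as a list of lines."""
    if isinstance(value, list):
        return [_redact(v, hits, where) if isinstance(v, str) else v for v in value]
    return _redact(value, hits, where) if isinstance(value, str) else value


def redact_notebook(nb):
    """Redact hub tokens in saved outputs (in place); return [(cell_index, variable)]."""
    hits = []
    for i, cell in enumerate(nb.get("cells", [])):
        for out in cell.get("outputs", []):
            if "text" in out:  # stream output, e.g. from `!env`
                out["text"] = _redact_field(out["text"], hits, i)
            for mime, val in out.get("data", {}).items():  # execute_result / display_data
                if mime.startswith("text/"):
                    out["data"][mime] = _redact_field(val, hits, i)
    return hits


# Constructed sample: a notebook whose first cell ran `!env`; the token value is fake.
SAMPLE = {"nbformat": 4, "cells": [
    {"cell_type": "code", "source": "!env", "outputs": [
        {"output_type": "stream", "name": "stdout", "text": [
            "HOME=/home/jovyan\n",
            "JUPYTERHUB_API_TOKEN=0123456789abcdef0123456789abcdef\n",
            "JPY_API_TOKEN=0123456789abcdef0123456789abcdef\n"]}]},
    {"cell_type": "markdown", "source": "notes"},
]}

if __name__ == "__main__":
    print(redact_notebook(SAMPLE))
```

Redaction only cleans the file; a token that has already been shared stays valid until it is revoked or the server is restarted with a new one.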

Thank you, that’s helpful.