Service Token invalidation

Dear Team,

I have created a service which has admin access. I had exposed this token externally and caused a security threat. I have created a new token, and it is now secured. However, I am not able to find an API to invalidate the previous token. Can you please guide me on how to remove/invalidate a token associated with a service?

Hi! How did you create the token?

I created the new token using the Hub REST API (POST call to https://jupyterhub.readthedocs.io/hub/api/users//tokens) with the old token as authorization in the headers,
and assigned this ID to the hub services:
c.JupyterHub.services = [
    {'name': '', 'admin': True, 'api_token': ''}
]

Did you mean https://jupyterhub.readthedocs.io/hub/api/users/USERNAME/tokens ? That should create a token for USERNAME, and you should be able to list/delete tokens for USERNAME:

You can also edit tokens in the UI at http://<jupyterhub>/hub/token if you’re logged in as USERNAME.

Yes, I used the tokens API, but the user ID is a service, not an actual user. I have mapped the user ID to services and given admin access to it.
Similar to how we revoke a token associated with a user, I would like to invalidate/revoke a token assigned to a service.

It’s a bit embarrassing, but there is no equivalent API to revoke individual tokens for services. There should be! I’d even argue that changing service tokens in config should revoke any tokens no longer in config so you don’t have to do this extra step.

In the absence of a proper revocation API, the quickest way to revoke a token is to rename your service: when a given service name is removed from config, all of its tokens are revoked at jupyterhub start. Then you can rename the service back.

The alternative is to use `python -m jupyterhub.dbutil shell` to locate and delete the token:

# `db` (session) and `orm` (jupyterhub.orm) are provided by the dbutil shell.
# Pass the plaintext token; find() matches it against the stored hash.
orm_token = orm.APIToken.find(db, 'old-token')
if orm_token is not None:
    db.delete(orm_token)
    db.commit()