Whese does Authorization token generated with jupyterhub + jupyterlab + Dockerspawner

When using the combination of JupyterHub, JupyterLab, and DockerSpawner, I’ve noticed that the token found in the browser request header Authorization: token xxx is different from the token displayed in the terminal, such as http://localhost:8888/?token=yyy. The browser token appears in a format like tnKM6RjHAuYuHrTwuwOu2BDqAAEjSv, while the terminal token has a format like 8b5926063ed71c4f4200cba6c7fb2f70168d646c72446531.

This discrepancy is important because I need the token to access the /api/sessions API. The terminal token, which I obtain from jupyter_server.serverapp.list_running_servers(), does not grant access to the API (resulting in a 403 error). However, the browser token (e.g., tnKM6RjHAuYuHrTwuwOu2BDqAAEjSv) does allow access.

Interestingly, when I launch JupyterLab directly from the terminal (without JupyterHub) using jupyter lab, the tokens displayed in the terminal and used in the browser are identical, and provide access to the aforementioned API.

How can I obtain the browser token needed to access the API? Additionally, where is this token generated in the source code?

The package versions on my system are:

  • JupyterLab 3.4.7
  • JupyterHub 3.1.1

Thank you.

After some digging, I found that the token is actually generated by hub during the OAuth process. The code is in jupyterhub/services/auth.py

When accessing lab’s api, the token needs to be verified with hub to gain access to lab’s api. So when accessing /api/sessions lab api, we must provide a token that hub recognizes.

By default, lab generates a random token when start, we can tell lab to use a configured token with --IdentityProvider.token=xxx spawner args. And then we tell hub to recognize this token by setting this token in c.JupyterHub.api_tokens config.

Then we will get this preconfigured token xxx from api jupyter_server.serverapp.list_running_servers() and can access /api/session successfully.

1 Like