Tracking down old API token usage

I’m trying to retire an old legacy API token. I can see from the token stats that it’s actively being used. Is there any way to log the usage of a specific token ID? Preferable with source IP address? Or even which jobs are being called with which token ID?

What do you mean by legacy API tokens. Do you mean API tokens for a Jenkins user account? Or do you mean credentials?

The credentials page should show where that credential was used.

Where are you seeing the API token being used. Can you post a screenshot?

In 2018 Jenkins 2.129 changed the way a users API Tokens were stored. Per @wfollonier , moving from an encrypted value to a hash. Under /user/[username]/configure there is a list of created tokens and any legacy-stored tokens are highlighted. The system message view alerts that this token should be retired.

I have created new tokens and implemented them in my environment, but I still get hits from the old one. These are used via basic auth un/pw in a curl from a shell script that launches a job. The UI shows that “last time was 0 day(s) ago”, but that’s basically just trolling me. I have no way to determine where it’s coming from or what job it’s hitting.

Hello @8N1,

As the legacy API Token were deprecated and disabled by default in newer instances since 2018, there is no plan to add features to them.

Depending on your infrastructure, you could use the log present in to change the logger configuration, and in correlation with some access log from your infra, you can have a better understanding about where it’s coming from.

Does it help?

I think it might! Understanding the class to log was the secret sauce I was hoping for. I’ll set that up and see what I can collect.

Do you know if there is a class that would produce an access log like Tomcat or Apache httpd? Where I could capture source IP and a header?

Thanks for the guidance. Sorry for the direct name drop, but I suspected you would uniquely be able to advise.