add caveat about sensitivity of auth_state

jupyterhub · Dec 2, 2024 · 39fdc3d · 39fdc3d
1 parent cae80b7
commit 39fdc3d
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/docs/source/how-to/refresh.md b/docs/source/how-to/refresh.md
@@ -40,6 +40,14 @@ because it ensures the token is valid when the server starts.
 
 ## Refreshing tokens from user sessions
 
+```{warning}
+This example requires granting users read access to their own `auth_state`.
+If you plan to provide users with access tokens,
+`auth_state` does not typically include information your users won't have access to with the token itself,
+but it is worth making sure that your Authenticator configuration places anything in `auth_state`
+that you do not want users to be able to see.
+```
+
 If your user sessions use access tokens from your oauth provider and those tokens may expire during user sessions,
 you can rely on this mechanism to get fresh access tokens from JupyterHub.