From e94da17c3c45589aa17e58f850bdf61aca7361ba Mon Sep 17 00:00:00 2001
From: Seth Nickell <snickell@gmail.com>
Date: Thu, 13 Aug 2020 12:28:17 -1000
Subject: [PATCH] Document external service api_tokens better - Explicitly
 mention min-8-char constraint - Connect the api_token in the configuration
 with the one mentioned in auth requests

Co-authored-by: Mike Situ <msitu@ceresimaging.net>
---
 docs/source/reference/services.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/source/reference/services.md b/docs/source/reference/services.md
index d940034b..77d6cb25 100644
--- a/docs/source/reference/services.md
+++ b/docs/source/reference/services.md
@@ -151,6 +151,8 @@ c.JupyterHub.services = [
     {
         'name': 'my-web-service',
         'url': 'https://10.0.1.1:1984',
+        # any secret >8 characters, you'll use api_token to
+        # authenticate api requests to the hub from your service
         'api_token': 'super-secret',
     }
 ]
@@ -331,7 +333,9 @@ and taking note of the following process:
 1. retrieve the cookie `jupyterhub-services` from the request.
 2. Make an API request `GET /hub/api/authorizations/cookie/jupyterhub-services/cookie-value`,
     where cookie-value is the url-encoded value of the `jupyterhub-services` cookie.
-    This request must be authenticated with a Hub API token in the `Authorization` header.
+    This request must be authenticated with a Hub API token in the `Authorization` header,
+    for example using the `api_token` from your [external service's configuration](#externally-managed-services).
+
     For example, with [requests][]:
 
     ```python