diff --git a/kubespawner/objects.py b/kubespawner/objects.py
index 75c7c69f..d55971f1 100644
--- a/kubespawner/objects.py
+++ b/kubespawner/objects.py
@@ -9,6 +9,7 @@
 from typing import Dict, List, Optional
 from urllib.parse import urlparse
+from kubernetes.client import V1EnvVarSource, V1SecretKeySelector
 from kubernetes_asyncio.client.models import (
 V1Affinity,
 V1Container,
@@ -69,6 +70,7 @@ def make_pod(
 port,
 image,
 image_pull_policy,
+ user_secret_name,
 image_pull_secrets=None,
 node_selector=None,
 uid=None,
@@ -468,6 +470,15 @@ def _get_env_var_deps(env):
 if not "name" in env:
 env["name"] = key
 env = get_k8s_model(V1EnvVar, env)
+ elif key == "JUPYTERHUB_API_TOKEN":
+ env = V1EnvVar(
+ name="JUPYTERHUB_API_TOKEN",
+ value_from=V1EnvVarSource(
+ secret_key_ref=V1SecretKeySelector(
+ name=user_secret_name, key="JUPYTERHUB_API_TOKEN"
+ )
+ ),
+ )
 else:
 env = V1EnvVar(name=key, value=env)
@@ -922,6 +933,7 @@ def make_secret(
 owner_references,
 labels=None,
 annotations=None,
+ jupyterhub_api_token="",
 ):
 """
 Make a k8s secret specification using pre-existing ssl credentials for a given user.
@@ -941,6 +953,8 @@ def make_secret(
 Labels to add to the secret.
 annotations:
 Annotations to add to the secret.
+ jupyterhub_api_token:
+ The JupyterHub API token for the user.
 """
 secret = V1Secret()
@@ -972,6 +986,10 @@ def make_secret(
 "notebooks-ca_trust.crt"
 ] + encoded.decode("utf-8")
+ secret.data["jupyterhub_api.token"] = (
+ base64.b64encode(jupyterhub_api_token).decode("utf-8"),
+ )
+
 return secret
diff --git a/kubespawner/spawner.py b/kubespawner/spawner.py
index bfda7fa4..0c2c0632 100644
--- a/kubespawner/spawner.py
+++ b/kubespawner/spawner.py
@@ -2045,6 +2045,7 @@ async def get_pod_manifest(self):
 port=self.port,
 image=self.image,
 image_pull_policy=self.image_pull_policy,
+ user_secret_name=self.secret_name,
 image_pull_secrets=self.image_pull_secrets,
 node_selector=self.node_selector,
 uid=uid,
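Review bot: The new import at the top of `kubespawner/objects.py` takes `V1EnvVarSource` and `V1SecretKeySelector` from `kubernetes.client`, while every other model in this file comes from `kubernetes_asyncio.client.models`. That adds the synchronous `kubernetes` package as a runtime dependency (whether the project declares it is not visible in this diff) and mixes model classes from two client libraries in one pod spec. Both classes also exist in the async client, so I would drop the new line and add `V1EnvVarSource,` and `V1SecretKeySelector,` to the existing `from kubernetes_asyncio.client.models import (` list.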
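Review bot: `user_secret_name` is added to `make_pod` as a required positional parameter in front of `image_pull_secrets=None`, so every later positional argument shifts and any existing call that omits it raises a TypeError. I would make it an optional keyword, `user_secret_name=None,`, placed after the existing optional parameters. The docstring should also gain an entry such as `Name of the per-user Secret that holds JUPYTERHUB_API_TOKEN.` The signature and docstring continue outside the hunk, so the exact position is for the author to confirm.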
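Review bot: The `elif key == "JUPYTERHUB_API_TOKEN"` branch in `make_pod` selects the secret key `JUPYTERHUB_API_TOKEN`, but the `make_secret` hunk further down writes the token under `jupyterhub_api.token`, so the key lookup will fail and the container will not start. The two names have to agree, for example by changing the writer to `secret.data["JUPYTERHUB_API_TOKEN"]`. The branch also drops the value passed in `env` without checking that `user_secret_name` is set, so the author should decide whether a missing secret name raises or falls back to the plain value, e.g. `elif key == "JUPYTERHUB_API_TOKEN" and user_secret_name:`. The enclosing loop starts outside the hunk.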
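Review bot: The assignment added near the end of `make_secret` has two defects. The trailing comma inside the parentheses makes the stored value a one-element tuple rather than a string, and `base64.b64encode` is handed a `str` (the `""` default from the signature hunk, and presumably `self.api_token` from `get_secret_manifest`), which raises a TypeError. I would write `secret.data["jupyterhub_api.token"] = base64.b64encode(jupyterhub_api_token.encode("utf-8")).decode("utf-8")`. With the `""` default an empty token is stored silently, so defaulting to `None` and raising (or skipping the key) when no token is given would make a missing token visible. A unit test asserting the decoded secret value would cover all of this.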
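Review bot: `get_pod_manifest` in `kubespawner/spawner.py` now passes `self.secret_name` unconditionally, so every pod's `JUPYTERHUB_API_TOKEN` depends on that Secret existing, with the right key, before the container starts. The `make_secret` docstring describes a secret built from pre-existing ssl credentials, so if the secret is only created when internal SSL is enabled (not visible in this diff), pods on other deployments would fail to start. Either the secret has to be created on every spawn, or the name should be passed only when it is, e.g. `user_secret_name=self.secret_name if self.internal_ssl else None,`. The call's argument list starts and ends outside the hunk.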
@@ -2106,6 +2107,7 @@ def get_secret_manifest(self, owner_reference):
 owner_references=[owner_reference],
 labels=labels,
 annotations=annotations,
+ jupyterhub_api_token=self.api_token,
 )
 def get_service_manifest(self, owner_reference):