If the user still has the API token that's generated from secret.key, don't accept that. Hopefully this is the last fix (cherry picked from commit 94a8789b)