HumanSignal · benglewis · Apr 16, 2025 · Apr 16, 2025 · Apr 17, 2025 · Apr 17, 2025
diff --git a/docs/source/guide/start.md b/docs/source/guide/start.md
@@ -55,8 +55,9 @@ The following command line arguments are optional and must be specified with `la
 | `--initial-project-description` | `LABEL_STUDIO_PROJECT_DESC` | `''` | Specify a project description for a Label Studio project. See [Set up your labeling project](setup.html). |
 | `--password` | `LABEL_STUDIO_PASSWORD` | `None` | Password to use for the default user. See [Set up user accounts](signup.html). |
 | `--username` | `LABEL_STUDIO_USERNAME` | `default_user@localhost` | Username to use for the default user. See [Set up user accounts](signup.html). |
-| `--user-token` |  `LABEL_STUDIO_USER_TOKEN` | Automatically generated. | Authentication token for a user to use for the API. Must be set with a username, otherwise automatically generated. See [Set up user accounts](signup.html).
+| `--user-token` |  `LABEL_STUDIO_USER_TOKEN` | Automatically generated. | Authentication token for a user to use for the API. Must be set with a username, otherwise automatically generated. See [Set up user accounts](signup.html). |
 | `--agree-fix-sqlite` | N/A | `False` | Automatically agree to let Label Studio fix SQLite issues when using Python 3.6–3.8 on Windows operating systems. | 
+| `--enable-legacy-api-token` | `LABEL_STUDIO_ENABLE_LEGACY_API_TOKEN` | `False` | Enable legacy API token authentication. Useful for running with a pre-existing token via `--user-token`. |
 | N/A | `LABEL_STUDIO_LOCAL_FILES_SERVING_ENABLED` | `False` | Allow Label Studio to access local file directories to import storage. See [Run Label Studio on Docker and use local storage](start.html#Run_Label_Studio_on_Docker_and_use_local_storage). |
 | N/A | `LABEL_STUDIO_LOCAL_FILES_DOCUMENT_ROOT` | `/` | Specify the root directory for Label Studio to use when accessing local file directories. See [Run Label Studio on Docker and use local storage](start.html#Run_Label_Studio_on_Docker_and_use_local_storage). |
 

diff --git a/label_studio/core/argparser.py b/label_studio/core/argparser.py
@@ -100,6 +100,12 @@ def project_name(raw_name):
         action='store_true',
         help='Agree to fix SQLite issues on python 3.6-3.8 on Windows automatically',
     )
+    root_parser.add_argument(
+        '--enable-legacy-api-token',
+        dest='enable_legacy_api_token',
+        action='store_true',
+        help='Enable legacy API token authentication',
+    )
 
     parser = argparse.ArgumentParser(description='Label studio', parents=[root_parser])
 

diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
@@ -821,6 +821,8 @@ def collect_versions_dummy(**kwargs):
 
 LOGOUT_REDIRECT_URL = get_env('LOGOUT_REDIRECT_URL', None)
 
+# Enable legacy tokens (useful for running with a pre-existing token via `LABEL_STUDIO_USER_TOKEN`)
+LABEL_STUDIO_ENABLE_LEGACY_API_TOKEN = get_bool_env('LABEL_STUDIO_ENABLE_LEGACY_API_TOKEN', False)
 RESOLVER_PROXY_BUFFER_SIZE = int(get_env('RESOLVER_PROXY_BUFFER_SIZE', 512 * 1024))
 RESOLVER_PROXY_TIMEOUT = int(get_env('RESOLVER_PROXY_TIMEOUT', 20))
 RESOLVER_PROXY_MAX_RANGE_SIZE = int(get_env('RESOLVER_PROXY_MAX_RANGE_SIZE', 8 * 1024 * 1024))

diff --git a/label_studio/organizations/functions.py b/label_studio/organizations/functions.py
@@ -1,10 +1,11 @@
 from core.utils.common import temporary_disconnect_all_signals
+from django.conf import settings
 from django.db import transaction
 from organizations.models import Organization, OrganizationMember
 from projects.models import Project
 
 
-def create_organization(title, created_by, **kwargs):
+def create_organization(title, created_by, legacy_api_tokens_enabled=False, **kwargs):
     from core.feature_flags import flag_set
 
     JWT_ACCESS_TOKEN_ENABLED = flag_set('fflag__feature_develop__prompts__dia_1829_jwt_token_auth')
@@ -13,9 +14,11 @@ def create_organization(title, created_by, **kwargs):
         org = Organization.objects.create(title=title, created_by=created_by, **kwargs)
         OrganizationMember.objects.create(user=created_by, organization=org)
         if JWT_ACCESS_TOKEN_ENABLED:
-            # set auth tokens to new system for new users
+            # set auth tokens to new system for new users, unless specified otherwise
             org.jwt.api_tokens_enabled = True
-            org.jwt.legacy_api_tokens_enabled = False
+            org.jwt.legacy_api_tokens_enabled = (
+                legacy_api_tokens_enabled or settings.LABEL_STUDIO_ENABLE_LEGACY_API_TOKEN
+            )
             org.jwt.save()
         return org
 

diff --git a/label_studio/server.py b/label_studio/server.py
@@ -171,7 +171,9 @@ def _create_user(input_args, config):
     user = User.objects.get(email=username)
     org = Organization.objects.first()
     if not org:
-        org = Organization.create_organization(created_by=user, title='Label Studio')
+        org = Organization.create_organization(
+            created_by=user, title='Label Studio', legacy_api_tokens_enabled=input_args.enable_legacy_api_token
+        )
     else:
         org.add_user(user)
     user.active_organization = org