
Token admin page leaks access tokens into log files #6131

Closed
@jarshwah

Description

@jarshwah

Checklist

  • I have verified that the issue exists against the master branch of Django REST framework.
  • I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • This is not a usage question. (Those should be directed to the discussion group instead.)
  • This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
  • I have reduced the issue to the simplest possible case.
  • I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

Visit the change page for a Token in Django admin. Since the primary key is the key, the key is used to reference the token in the URL. This leaks the auth token into access logs.


The access permissions for users with access to the admin page (high) and those with permissions to view logs (medium) are different.

Expected behavior

Auth tokens should use an integer as the primary key that is used in URLs and for foreign key references. The token value itself should be a non-keyed attribute with a unique index.

Actual behavior

Primary key is the secret key material.
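To show what the leak looks like in an access log, and how a defender can find and scrub it, here is an added example that is not part of the issue or of Django REST framework. It assumes the admin is mounted at the default `/admin/` prefix with the `authtoken` app and `token` model names, and that token keys are 40 hex characters; the log lines are constructed.

```python
import re

# Constructed sample access-log lines (not real data); the second line is the
# admin change page for a token, with the key used as the object id in the path.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2018:10:01:12 +0000] "GET /admin/authtoken/token/ HTTP/1.1" 200 5120
10.0.0.5 - - [12/Aug/2018:10:01:30 +0000] "GET /admin/authtoken/token/0123456789abcdef0123456789abcdef01234567/change/ HTTP/1.1" 200 2048
10.0.0.9 - - [12/Aug/2018:10:02:01 +0000] "GET /api/users/42/ HTTP/1.1" 200 310
"""

# DRF token keys are 40 lowercase hex characters (20 random bytes, hex-encoded).
# The path prefix is an assumption: the default admin mount point plus the
# authtoken app/model names. Adjust it if the admin is mounted elsewhere.
TOKEN_PATH_RE = re.compile(r"(/admin/authtoken/token/)([0-9a-f]{40})(/)")


def find_leaked_tokens(log_text):
    """Return (line_number, token_key) for every log line whose request path
    carries a token key as the admin object identifier."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in TOKEN_PATH_RE.finditer(line):
            hits.append((line_no, match.group(2)))
    return hits


def redact_line(line):
    """Replace the token key in an admin change URL with a fixed marker so the
    line can be kept in logs without exposing the credential."""
    return TOKEN_PATH_RE.sub(r"\1<redacted-token>\3", line)


def redact_log(log_text):
    """Apply redact_line to every line of a log, preserving line order."""
    return "\n".join(redact_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for line_no, key in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {line_no}: token key exposed in URL ({key[:6]}...)")
    print(redact_log(SAMPLE_LOG))
```

Running the scan over an existing log archive tells you which tokens should be rotated; the redaction step only limits future exposure and is no substitute for the integer primary key the issue asks for.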
