diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65af90f62..3b17509c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ you're highly encouraged to restrict your API keys to limit damage in case they get leaked or stolen.
+* The login action (POST /sessions) no longer returns the api_token field.
+
 ## 2021-02-05
 ### Changes
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 56d17a4e1..09b008457 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -15,7 +15,7 @@ class SessionsController < ApplicationController
 if user
 url = posts_path unless url&.start_with?("/")
- respond_with(user, location: url, methods: [:api_token])
+ respond_with(user, location: url)
 else
 flash.now[:notice] = "Password was incorrect"
 raise SessionLoader::AuthenticationFailure
diff --git a/app/models/user.rb b/app/models/user.rb
index 6a50b10ba..2c22b0557 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -559,11 +559,6 @@ class User < ApplicationRecord
 neutral_feedback_count negative_feedback_count ] end
-
- # XXX
- def api_token
- api_keys.first.try(:key)
- end
 end
 module CountMethods
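Review bot: The new `respond_with(user, location: url)` still serializes `user` with whatever its default `serializable_hash`/`as_json` attribute set is, and nothing in this hunk shows that set, so dropping `methods: [:api_token]` only removes the explicitly requested field; a request spec asserting the JSON/XML login response has no `api_token` key (and none of the other credential-bearing columns) would pin the change and catch a future `as_json` override re-exposing it. The redirect guard feeding `location:` on the line above, `url&.start_with?("/")`, also accepts a protocol-relative value such as `//host/path`, which a browser treats as an absolute URL, so consider tightening it to `url = posts_path unless url&.start_with?("/") && !url.start_with?("//")`. The enclosing action starts before this hunk and the `else` branch's method ends after it.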