diff --git a/CHANGES b/CHANGES
index 7b8f9989c..c6ac96554 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1535,4 +1535,5 @@ [3.5.2]
 * Fix encoding of links in plain text email
 * Hide mail relay password
+* Do not return API tokens in REST API
diff --git a/src/clients.js b/src/clients.js
index 5c2fa6741..72b8e928f 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -18,6 +18,8 @@ exports = module.exports = {
 addDefaultClients: addDefaultClients,
+ removeTokenPrivateFields: removeTokenPrivateFields,
+
 // client type enums
 TYPE_EXTERNAL: 'external',
 TYPE_BUILT_IN: 'built-in',
@@ -39,7 +41,8 @@ var apps = require('./apps.js'),
 users = require('./users.js'),
 UsersError = users.UsersError,
 util = require('util'),
- uuid = require('uuid');
+ uuid = require('uuid'),
+ _ = require('underscore');
 function ClientsError(reason, errorOrMessage) {
 assert.strictEqual(typeof reason, 'string');
@@ -342,3 +345,7 @@ function addDefaultClients(origin, callback) {
 clientdb.upsert.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', origin, '*')
 ], callback);
 }
+
+function removeTokenPrivateFields(token) {
+ return _.pick(token, 'identifier', 'clientId', 'scope', 'expires', 'name');
+}
diff --git a/src/routes/clients.js b/src/routes/clients.js
index 36f70432b..a64d72a65 100644
--- a/src/routes/clients.js
+++ b/src/routes/clients.js
@@ -96,6 +96,9 @@ function getTokens(req, res, next) {
 clients.getTokensByUserId(req.params.clientId, req.user.id, function (error, result) {
 if (error && error.reason === ClientsError.NOT_FOUND) return next(new HttpError(404, error.message));
 if (error) return next(new HttpError(500, error));
+
+ result = result.map(clients.removeTokenPrivateFields);
+
 next(new HttpSuccess(200, { tokens: result }));
 });
 }
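Review bot: removeTokenPrivateFields, added at the end of src/clients.js, has no guard on its argument and no comment saying why it exists, although it is the boundary that keeps the token value out of API responses. `_.pick` on a null or non-object input silently yields `{}`, so a mis-wired caller would get an empty record rather than a failure; the rest of this file asserts argument types (see `assert.strictEqual(typeof reason, 'string');` in the ClientsError hunk), so add `assert.strictEqual(typeof token, 'object');` as the function's first line. Add a header comment such as `// Allowlist of token fields that may be returned over the REST API; the token value itself is intentionally absent, so add new public fields here rather than returning raw db rows` so a later maintainer does not widen it. Picking an allowlist is the right shape here, since a denylist would expose any column added later by default. If underscore is not already a declared dependency, the new `_ = require('underscore')` in the header hunk also needs a package.json entry; that cannot be seen from this diff.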
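Review bot: Stripping the private fields inside the getTokens route handler means every other handler that returns token records has to remember to do the same, and any such route in src/routes/clients.js (a create- or get-single-token response, if one exists) is outside this hunk and untouched by the commit. It would be more robust to apply removeTokenPrivateFields inside clients.getTokensByUserId, or a dedicated accessor in src/clients.js, so the route layer never receives the token value unless it explicitly asks for it. As a point of style, reassigning the callback parameter hides what changed; prefer `var tokens = result.map(clients.removeTokenPrivateFields);` followed by `next(new HttpSuccess(200, { tokens: tokens }));`. The getTokens function begins before this hunk, so whether result is always an array on the success path cannot be confirmed from here.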