Hi all,
Is there any way for a super user to see all active users and when their password was last changed?
Is there any way for a super user to see all active tokens by user and when they were created and/or last used?
Thanks in advance!!
At the moment it is not possible to see the last time a password was updated, or a global view of available tokens, in the UI. It is possible to see these in the DB directly: the user_token_auth table contains the user and status of a token, and the user table contains the last modified column.
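For self-hosted installs with database access, the lookup described in the reply above could be written as one audit query. This is an added example, not part of the original posts and not Matomo's own code; it assumes MySQL/MariaDB, the table prefix `matomo_`, and the column names shown, which should be confirmed with `DESCRIBE` on your own schema. The 180-day threshold is an arbitrary illustration.

```sql
-- Added example: password age and API token activity per user.
-- Assumptions (verify with DESCRIBE matomo_user / matomo_user_token_auth):
--   table prefix `matomo_`; columns ts_password_modified, date_created,
--   last_used, date_expired, system_token, idusertokenauth.
-- Only timestamps are selected; password and token hash columns are
-- deliberately left out so the report can be shared with auditors.
SELECT
    u.login,
    u.superuser_access,
    u.ts_password_modified                          AS password_last_changed,
    DATEDIFF(NOW(), u.ts_password_modified)         AS password_age_days,
    COUNT(t.idusertokenauth)                        AS active_tokens,
    MIN(t.date_created)                             AS oldest_token_created,
    MAX(t.last_used)                                AS most_recent_token_use,
    -- Tokens that exist but have never authenticated a request:
    -- candidates for removal rather than rotation.
    SUM(t.idusertokenauth IS NOT NULL
        AND t.last_used IS NULL)                    AS tokens_never_used,
    -- Tokens past the (illustrative) 180-day rotation threshold.
    COALESCE(SUM(t.date_created < NOW() - INTERVAL 180 DAY), 0)
                                                    AS tokens_older_than_180d
FROM matomo_user AS u
LEFT JOIN matomo_user_token_auth AS t
       ON t.login = u.login
      AND t.system_token = 0                        -- skip internal tokens
      AND (t.date_expired IS NULL
           OR t.date_expired > NOW())               -- skip expired tokens
GROUP BY u.login, u.superuser_access, u.ts_password_modified
ORDER BY tokens_older_than_180d DESC, password_age_days DESC;
```

The `LEFT JOIN` keeps users who have no tokens in the result, so the same report covers both the password question and the token question.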
Thanks Jason, we are on Matomo Cloud, not self-hosted. What are our options? Thanks
I have created a GitHub issue around the last password update. The data is already in the DB, so in my mind that doesn’t seem too hard to implement; I could be wrong. For the tokens, I have another issue open, “Add Super User Impersonation Feature · Issue #23469 · matomo-org/matomo”, that could help. For now, though, on the cloud you wouldn’t have access to this data. It would depend on how often you need to audit these numbers. You could, for example, ask for a dump.
If anyone on-prem would like a “last time updated” column, a colleague, Ronan, has created a feature to enable the last time the password was modified. You can find it here: “Chardonneaur/UsersPasswordModified: Adds a password last modified column to the superuser Users Manager report.”
Hey, good question — I’ve run into almost the same thing while dealing with admin panels.
From what I understand, you’re basically trying to get full visibility as a super user: who’s active, when passwords were last changed, and also token activity (creation + usage). That’s something most systems don’t fully expose by default for security reasons.
I faced something similar when managing a SaaS dashboard — password change dates were usually in the user table or audit logs, but tokens were trickier. Most of the time they’re hashed or only visible via auth logs, not directly readable.
What worked for me:
Check audit logs (if enabled)
Use identity provider logs (like auth server)
Enable token/session tracking from backend if possible
In tools like MuseWeb, we had to build custom audit logging for this.
What system are you working with?
Hi Nathan, this is just in Matomo alone. Reviewing security to see who has access and if people have tokens, who we needed to tell to force their rotation. I don’t need to see the tokens, just know who is using them. We just forced everyone to change and rotated all known tokens (then waited for anyone to scream). Cheers!!