diff --git a/Jenkinsfile b/Jenkinsfile
index c884c9c..f706dd1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -31,6 +31,7 @@ pipeline {
         stage('Test') {
           steps {
             lock('xoa-test-runner') {
+              sh 'export BYPASS_XOA_TOKEN=\$(xo-cli --createToken $XOA_URL $XOA_USER $XOA_PASSWORD | tail -n1)'
               sh 'cp /opt/terraform-provider-xenorchestra/testdata/images/alpine-virt-3.17.0-x86_64.iso xoa/testdata/alpine-virt-3.17.0-x86_64.iso'
               sh 'TF_VERSION=${TF_VERSION} TIMEOUT=60m make ci'
             }
diff --git a/docs/index.md b/docs/index.md
index 0bd7339..81681a5 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -24,6 +24,9 @@ terraform {
     xenorchestra = {
       source = "vatesfr/xenorchestra"
     }
+    xenorchestra_token_auth = {
+      source = "vatesfr/xenorchestra"
+    }
   }
 }
 
@@ -41,11 +44,20 @@ provider "xenorchestra" {
   # used sparingly!
   insecure = <false|true>              # Or set XOA_INSECURE environment variable to any value
 }
+
+provider "xenorchestra_token_auth" {
+  # XOA_USER and XOA_PASSWORD cannot be set, nor can their arguments
+  token = "<token from XO>" # or set XOA_TOKEN environment variable
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
+### Required
+
+- `url` (String) Hostname of the xoa router. Can be set via the XOA_URL environment variable.
+
 ### Optional
 
 - `insecure` (Boolean) Whether SSL should be verified or not. Can be set via the XOA_INSECURE environment variable.
@@ -53,5 +65,4 @@ provider "xenorchestra" {
 - `retry_max_time` (String) If `retry_mode` is set, this specifies the duration for which the backoff method will continue retries. Can be set via the `XOA_RETRY_MAX_TIME` environment variable
 - `retry_mode` (String) Specifies if retries should be attempted for requests that require eventual . Can be set via the XOA_RETRY_MODE environment variable.
 - `token` (String) Password for xoa api. Can be set via the XOA_TOKEN environment variable.
-- `url` (String) Hostname of the xoa router. Can be set via the XOA_URL environment variable.
 - `username` (String) User account for xoa api. Can be set via the XOA_USER environment variable.
diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf
index ad6fd03..b66944e 100644
--- a/examples/provider/provider.tf
+++ b/examples/provider/provider.tf
@@ -4,6 +4,9 @@ terraform {
     xenorchestra = {
       source = "vatesfr/xenorchestra"
     }
+    xenorchestra_token_auth = {
+      source = "vatesfr/xenorchestra"
+    }
   }
 }
 
@@ -21,3 +24,8 @@ provider "xenorchestra" {
   # used sparingly!
   insecure = <false|true>              # Or set XOA_INSECURE environment variable to any value
 }
+
+provider "xenorchestra_token_auth" {
+  # XOA_USER and XOA_PASSWORD cannot be set, nor can their arguments
+  token = "<token from XO>" # or set XOA_TOKEN environment variable
+}
diff --git a/xoa/acc_setup_test.go b/xoa/acc_setup_test.go
index 19a58c0..85879b1 100644
--- a/xoa/acc_setup_test.go
+++ b/xoa/acc_setup_test.go
@@ -12,6 +12,7 @@ import (
 
 var testObjectIndex int = 1
 var accTestPrefix string = "terraform-acc"
+var accTestXoToken string = os.Getenv("BYPASS_XOA_TOKEN")
 var accTestPool client.Pool
 var accTestHost client.Host
 var accDefaultSr client.StorageRepository
diff --git a/xoa/data_source_host_test.go b/xoa/data_source_host_test.go
index cec63e2..2353f02 100644
--- a/xoa/data_source_host_test.go
+++ b/xoa/data_source_host_test.go
@@ -32,6 +32,28 @@ func TestAccXenorchestraDataSource_host(t *testing.T) {
 	)
 }
 
+func TestAccXenorchestraDataSource_hostXoTokenAuth(t *testing.T) {
+	resourceName := "data.xenorchestra_host.host"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccTokenAuthProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccXenorchestraDataSourceHostConfig(accTestHost.NameLabel),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckXenorchestraDataSourceHost(resourceName),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "cpus.cores"),
+					resource.TestCheckResourceAttrSet(resourceName, "cpus.sockets"),
+					resource.TestCheckResourceAttrSet(resourceName, "memory"),
+					resource.TestCheckResourceAttrSet(resourceName, "memory_usage"),
+					resource.TestCheckResourceAttr(resourceName, "name_label", accTestHost.NameLabel)),
+			},
+		},
+	},
+	)
+}
+
 func TestAccXenorchestraDataSource_hostNotFound(t *testing.T) {
 	resourceName := "data.xenorchestra_host.host"
 	resource.Test(t, resource.TestCase{
diff --git a/xoa/provider_test.go b/xoa/provider_test.go
index 252ac17..b1269ef 100644
--- a/xoa/provider_test.go
+++ b/xoa/provider_test.go
@@ -9,10 +9,12 @@ import (
 )
 
 var testAccProviders map[string]*schema.Provider
+var testAccTokenAuthProviders map[string]*schema.Provider
 var testAccFailToStartAndHaltProviders map[string]*schema.Provider
 var testAccFailToDeleteVmProviders map[string]*schema.Provider
 
 var testAccProvider *schema.Provider
+var testAccTokenAuthProvider *schema.Provider
 var testAccFailToStartHaltVmProvider *schema.Provider
 var testAccFailToDeleteVmProvider *schema.Provider
 
@@ -22,6 +24,11 @@ func init() {
 		"xenorchestra": testAccProvider,
 	}
 
+	testAccTokenAuthProvider = Provider()
+	testAccTokenAuthProviders = map[string]*schema.Provider{
+		"xenorchestra": testAccTokenAuthProvider,
+	}
+
 	testAccFailToStartHaltVmProvider = Provider()
 	testAccFailToStartHaltVmProvider.ConfigureFunc = internal.GetFailToStartAndHaltXOClient
 	testAccFailToStartAndHaltProviders = map[string]*schema.Provider{
@@ -34,6 +41,21 @@ func init() {
 	}
 }
 
+func createTokenAuthProvider() *schema.Provider {
+	provider := Provider()
+
+	var f schema.SchemaDefaultFunc = func() (interface{}, error) { return "", nil }
+	provider.Schema["username"].DefaultFunc = f
+	provider.Schema["username"].ConflictsWith = []string{}
+
+	provider.Schema["password"].DefaultFunc = f
+	provider.Schema["password"].ConflictsWith = []string{}
+
+	provider.Schema["token"].ConflictsWith = []string{}
+	provider.Schema["token"].DefaultFunc = schema.EnvDefaultFunc("BYPASS_XOA_TOKEN", nil)
+	return provider
+}
+
 func testAccPreCheck(t *testing.T) {
 	if v := os.Getenv("XOA_URL"); v == "" {
 		t.Fatal("The XOA_URL environment variable must be set")
@@ -41,10 +63,10 @@ func testAccPreCheck(t *testing.T) {
 
 	user := os.Getenv("XOA_USER")
 	password := os.Getenv("XOA_PASSWORD")
-	token := os.Getenv("XOA_TOKEN")
+	token := os.Getenv("BYPASS_XOA_TOKEN")
 
 	if token == "" && (user == "" || password == "") {
-		t.Fatal("One of the following environment variable(s) must be set: XOA_USER and XOA_PASSWORD or XOA_TOKEN")
+		t.Fatal("One of the following environment variable(s) must be set: XOA_USER and XOA_PASSWORD or BYPASS_XOA_TOKEN")
 	}
 
 	if v := os.Getenv("XOA_POOL"); v == "" {