diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ed6b20cf4..ece22af4b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -50,7 +50,7 @@ jobs:
       matrix:
         k3s-channel:
           # Available channels: https://github.com/k3s-io/k3s/blob/HEAD/channel.yaml
-          - v1.24
+          - latest
         test:
           - main
           - auth
@@ -64,7 +64,7 @@ jobs:
           - k3s-channel: v1.20
             helm-version: v3.5.0
             test: helm
-          - k3s-channel: v1.24
+          - k3s-channel: latest
             test: helm
             test-variation: upgrade
             # upgrade-from represents a release channel, see: https://jupyterhub.github.io/helm-chart/info.json
diff --git a/doc/authentication.rst b/doc/authentication.rst
index 49c2177f9..f2f7e4f32 100644
--- a/doc/authentication.rst
+++ b/doc/authentication.rst
@@ -26,7 +26,6 @@ you need to add the following into ``config.yaml``:
           binder:
             oauth_no_confirm: true
             oauth_redirect_uri: "https://<binderhub_url>/oauth_callback"
-            oauth_client_id: "binder-oauth-client-test"
 
       singleuser:
         # to make notebook servers aware of hub
diff --git a/helm-chart/binderhub/Chart.yaml b/helm-chart/binderhub/Chart.yaml
index 145084b65..74c31bd91 100644
--- a/helm-chart/binderhub/Chart.yaml
+++ b/helm-chart/binderhub/Chart.yaml
@@ -12,7 +12,7 @@ dependencies:
   #            and run "./dependencies freeze --upgrade".
   #
   - name: jupyterhub
-    version: "1.2.0"
+    version: "2.0.0"
     repository: "https://jupyterhub.github.io/helm-chart"
 description: |-
   BinderHub is like a JupyterHub that automatically builds environments for the
diff --git a/helm-chart/binderhub/templates/deployment.yaml b/helm-chart/binderhub/templates/deployment.yaml
index bd9020a7c..d3b4b725c 100644
--- a/helm-chart/binderhub/templates/deployment.yaml
+++ b/helm-chart/binderhub/templates/deployment.yaml
@@ -118,6 +118,8 @@ spec:
               name: "{{ include "jupyterhub.hub.fullname" . }}"
               key: hub.services.binder.apiToken
         {{- if .Values.config.BinderHub.auth_enabled }}
+        - name: JUPYTERHUB_SERVICE_NAME
+          value: binder
         - name: JUPYTERHUB_API_URL
           value: {{ (print (.Values.config.BinderHub.hub_url_local | default .Values.config.BinderHub.hub_url | trimSuffix "/") "/hub/api/") }}
         - name: JUPYTERHUB_BASE_URL
diff --git a/helm-chart/binderhub/values.yaml b/helm-chart/binderhub/values.yaml
index 3c0a692e6..63a9cbe99 100644
--- a/helm-chart/binderhub/values.yaml
+++ b/helm-chart/binderhub/values.yaml
@@ -56,14 +56,20 @@ jupyterhub:
   cull:
     enabled: true
     users: true
-  rbac:
-    enabled: true
   hub:
     config:
       JupyterHub:
         authenticator_class: nullauthenticator.NullAuthenticator
       BinderSpawner:
         auth_enabled: false
+    loadRoles:
+      binder:
+        services:
+          - binder
+        scopes:
+          - servers
+          # we don't need admin:users if auth is not enabled!
+          - "admin:users"
     extraConfig:
       0-binderspawnermixin: |
         """
@@ -188,8 +194,7 @@ jupyterhub:
         c.JupyterHub.spawner_class = BinderSpawner
     services:
       binder:
-        admin: true
-        apiToken:
+        display: false
   singleuser:
     # start notebook server with lab ui as default
     # *if available*
diff --git a/helm-chart/images/binderhub/requirements.in b/helm-chart/images/binderhub/requirements.in
index 8ae8ec99d..99a0e6046 100644
--- a/helm-chart/images/binderhub/requirements.in
+++ b/helm-chart/images/binderhub/requirements.in
@@ -10,7 +10,7 @@ google-cloud-logging==3.*
 # jupyterhub's major version should be matched with the JupyterHub Helm chart's
 # used version of JupyterHub.
 #
-jupyterhub==1.*
+jupyterhub==3.*
 
 # https://github.com/kubernetes-client/python
 kubernetes==9.*
diff --git a/helm-chart/images/binderhub/requirements.txt b/helm-chart/images/binderhub/requirements.txt
index 6a78650f0..14c730aa2 100644
--- a/helm-chart/images/binderhub/requirements.txt
+++ b/helm-chart/images/binderhub/requirements.txt
@@ -26,8 +26,6 @@ cryptography==38.0.1
     # via pyopenssl
 docker==6.0.0
     # via -r helm-chart/images/binderhub/../../../requirements.txt
-entrypoints==0.4
-    # via jupyterhub
 escapism==1.0.1
     # via -r helm-chart/images/binderhub/../../../requirements.txt
 google-api-core[grpc]==2.10.2
@@ -68,6 +66,8 @@ grpcio-status==1.49.1
     # via google-api-core
 idna==3.4
     # via requests
+importlib-metadata==5.0.0
+    # via jupyterhub
 jinja2==3.1.2
     # via
     #   -r helm-chart/images/binderhub/../../../requirements.txt
@@ -78,7 +78,7 @@ jsonschema==4.16.0
     #   jupyter-telemetry
 jupyter-telemetry==0.1.0
     # via jupyterhub
-jupyterhub==1.5.0
+jupyterhub==3.0.0
     # via
     #   -r helm-chart/images/binderhub/../../../requirements.txt
     #   -r helm-chart/images/binderhub/requirements.in
@@ -97,7 +97,9 @@ oauthlib==3.2.1
     #   jupyterhub
     #   requests-oauthlib
 packaging==21.3
-    # via docker
+    # via
+    #   docker
+    #   jupyterhub
 pamela==1.0.0
     # via jupyterhub
 prometheus-client==0.14.1
@@ -186,6 +188,8 @@ websocket-client==1.4.1
     # via
     #   docker
     #   kubernetes
+zipp==3.9.0
+    # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools
diff --git a/testing/local-binder-k8s-hub/binderhub_config_auth_additions.py b/testing/local-binder-k8s-hub/binderhub_config_auth_additions.py
index 5a54e5665..0b648a7f4 100644
--- a/testing/local-binder-k8s-hub/binderhub_config_auth_additions.py
+++ b/testing/local-binder-k8s-hub/binderhub_config_auth_additions.py
@@ -25,4 +25,5 @@
 c.HubOAuth.base_url = c.BinderHub.base_url
 c.HubOAuth.hub_prefix = c.BinderHub.base_url + "hub/"
 c.HubOAuth.oauth_redirect_uri = "http://127.0.0.1:8585/oauth_callback"
-c.HubOAuth.oauth_client_id = "binder-oauth-client-test"
+c.HubOAuth.oauth_client_id = "service-binder"
+c.HubOAuth.access_scopes = {"access:services!service=binder"}
diff --git a/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml b/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml
index 9ec6df348..54ce9ff67 100644
--- a/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml
+++ b/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml
@@ -6,7 +6,6 @@ hub:
     binder:
       oauth_no_confirm: true
       oauth_redirect_uri: "http://127.0.0.1:8585/oauth_callback"
-      oauth_client_id: "binder-oauth-client-test"
   config:
     JupyterHub:
       authenticator_class: "dummy"
@@ -14,3 +13,8 @@ hub:
       password: "dummy"
     BinderSpawner:
       auth_enabled: true
+  loadRoles:
+    user:
+      scopes:
+        - self
+        - "access:services"
diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml
index f229596a7..362bc66d8 100644
--- a/tools/templates/lint-and-validate-values.yaml
+++ b/tools/templates/lint-and-validate-values.yaml
@@ -53,8 +53,6 @@ jupyterhub:
   cull:
     enabled: true
     users: true
-  rbac:
-    enabled: true
   hub:
     config:
       JupyterHub: