diff --git a/REFERENCE.md b/REFERENCE.md
index 98911b2..c130f10 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -847,7 +847,7 @@ Default value: `undef`
##### `node_token`
-Data type: `Optional[String[1]]`
+Data type: `Optional[Sensitive[String]]`
k8s token to join a cluster
@@ -879,7 +879,7 @@ Default value: `undef`
##### `proxy_token`
-Data type: `Optional[String[1]]`
+Data type: `Optional[Sensitive[String]]`
k8s token for kube-proxy
@@ -1011,7 +1011,7 @@ Default value: `$k8s::node::proxy_key`
##### `token`
-Data type: `Optional[String[1]]`
+Data type: `Optional[Sensitive[String]]`
@@ -1218,7 +1218,7 @@ Default value: `$k8s::cluster_cidr =~ Array[Data, 2]`
##### `token`
-Data type: `Optional[String[1]]`
+Data type: `Optional[Sensitive[String]]`
k8s token to join a cluster
diff --git a/manifests/node.pp b/manifests/node.pp
index 67676bb..6c746e4 100644
--- a/manifests/node.pp
+++ b/manifests/node.pp
@@ -48,8 +48,8 @@
Optional[Stdlib::Unixpath] $proxy_key = undef,
# For token and bootstrap auth
- Optional[String[1]] $node_token = undef,
- Optional[String[1]] $proxy_token = undef,
+ Optional[Sensitive[String]] $node_token = undef,
+ Optional[Sensitive[String]] $proxy_token = undef,
Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type,
) {
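Review bot: The new type `Optional[Sensitive[String]]` on `$node_token` and `$proxy_token` drops the non-empty constraint that `String[1]` enforced, so an empty token now passes validation and would only fail later, when the node tries to authenticate. `Optional[Sensitive[String[1]]]` keeps that check. Callers that still pass a plain string will be rejected after this change; if that break is intended it deserves a changelog note, otherwise the parameter would have to accept both forms and wrap plain strings itself. The same applies to `$token` in manifests/node/kube_proxy.pp and manifests/node/kubelet.pp. The class parameter list starts outside the hunk.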
diff --git a/manifests/node/kube_proxy.pp b/manifests/node/kube_proxy.pp
index 9092fe0..d58971d 100644
--- a/manifests/node/kube_proxy.pp
+++ b/manifests/node/kube_proxy.pp
@@ -20,7 +20,7 @@
Optional[Stdlib::Unixpath] $key = $k8s::node::proxy_key,
# For token and bootstrap auth
- Optional[String[1]] $token = $k8s::node::proxy_token,
+ Optional[Sensitive[String]] $token = $k8s::node::proxy_token,
) {
assert_private()
@@ -43,7 +43,7 @@
owner => $k8s::user,
group => $k8s::group,
server => $control_plane_url,
- token => $token,
+ token => $token.unwrap,
current_context => 'default',
ca_cert => $ca_cert,
notify => Service['kube-proxy'],
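Review bot: `token => $token.unwrap` hands the plaintext token to the resource, so the catalog stores it as an ordinary attribute value and the Sensitive wrapper no longer protects it in reports, logs or catalog diffs. Passing `token => $token` and letting the receiving type handle the Sensitive value would keep it redacted; whether that type accepts Sensitive cannot be seen here, because the resource declaration starts outside the hunk. `$token` is also Optional, and `.unwrap` on `undef` is expected to fail compilation unless this resource is only declared for token auth, which the hunk does not show. The two `token => $token.unwrap` lines in manifests/node/kubelet.pp have the same issue.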
diff --git a/manifests/node/kubelet.pp b/manifests/node/kubelet.pp
index af847d1..2a2331b 100644
--- a/manifests/node/kubelet.pp
+++ b/manifests/node/kubelet.pp
@@ -48,7 +48,7 @@
Optional[Stdlib::Unixpath] $key = $k8s::node::node_key,
# For token and bootstrap auth
- Optional[String[1]] $token = $k8s::node::node_token,
+ Optional[Sensitive[String]] $token = $k8s::node::node_token,
Optional[K8s::Firewall] $firewall_type = $k8s::node::firewall_type,
) {
@@ -93,7 +93,7 @@
group => $k8s::group,
server => $control_plane_url,
current_context => 'default',
- token => $token,
+ token => $token.unwrap,
ca_cert => $_ca_cert,
@@ -115,7 +115,7 @@
group => $k8s::group,
server => $control_plane_url,
current_context => 'default',
- token => $token,
+ token => $token.unwrap,
notify => Service['kubelet'],
}
$_authentication_hash = {}
diff --git a/spec/classes/node/kube_proxy_spec.rb b/spec/classes/node/kube_proxy_spec.rb
index 26d196b..42f4cb7 100644
--- a/spec/classes/node/kube_proxy_spec.rb
+++ b/spec/classes/node/kube_proxy_spec.rb
@@ -56,7 +56,7 @@ class { '::k8s::node':
{
auth: 'token',
ca_cert: '/tmp/ca.pem',
- token: 'blah',
+ token: sensitive('blah'),
}
end