AuthenticatedApiToken implemented for per-request ApiToken::$key value storage.

src/Security/ApiTokenAuthenticator.php

@@ -3,6 +3,7 @@
 namespace App\Security;
 
 use App\Api\V1\DTO\ApiResponse;
+use App\Security\Token\AuthenticatedApiToken;
 use Symfony\Component\HttpFoundation\{JsonResponse, Request};
 use Symfony\Component\Security\Core\Authentication\Token\{PreAuthenticatedToken, TokenInterface};
 use Symfony\Component\Security\Core\Exception\{AuthenticationException, BadCredentialsException, CustomUserMessageAuthenticationException};
@@ -59,7 +60,7 @@ class ApiTokenAuthenticator implements SimplePreAuthenticatorInterface, Authenti
             ));
         }
 
-        return new PreAuthenticatedToken(
+        return new AuthenticatedApiToken(
             $user,
             $apiTokenKey,
             $providerKey,

src/Security/Token/AuthenticatedApiToken.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Security\Token;
+
+use App\Entity\User;
+use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken;
+
+/** This token stores ApiToken key even after eraseCredentials() called */
+class AuthenticatedApiToken extends PreAuthenticatedToken
+{
+    /** @var string|null This token is stored only for this request and will not be erased by eraseCredentials() or serialized */
+    private $tokenKey;
+
+    public function __construct(User $user, string $credentials, string $providerKey, array $roles = [])
+    {
+        parent::__construct($user, $credentials, $providerKey, $roles);
+        // @todo probably separate constructor argument needed
+        $this->tokenKey = $credentials;
+    }
+
+    public function getTokenKey(): ?string
+    {
+        return $this->tokenKey;
+    }
+}