diff --git a/services/jenkins/deployment.yaml b/services/jenkins/deployment.yaml
index d6bb8f58..8357a8d0 100644
--- a/services/jenkins/deployment.yaml
+++ b/services/jenkins/deployment.yaml
@@ -52,7 +52,7 @@ spec:
           ARIADNE_JENKINS_API_USER={{ .Data.data.username }}
           ARIADNE_JENKINS_API_TOKEN={{ .Data.data.token }}
           {{ end }}
-        bstein.dev/restarted-at: "2026-04-13T05:20:00Z"
+        bstein.dev/restarted-at: "2026-04-13T06:35:00Z"
     spec:
       serviceAccountName: jenkins
       nodeSelector:
diff --git a/services/jenkins/scripts/ariadne-api-user.groovy b/services/jenkins/scripts/ariadne-api-user.groovy
index aeec25cb..59ce9aef 100644
--- a/services/jenkins/scripts/ariadne-api-user.groovy
+++ b/services/jenkins/scripts/ariadne-api-user.groovy
@@ -2,13 +2,15 @@ import hudson.model.User
 import jenkins.security.ApiTokenProperty
 
 def userId = (System.getenv("ARIADNE_JENKINS_API_USER") ?: "").trim()
-def tokenValue = (System.getenv("ARIADNE_JENKINS_API_TOKEN") ?: "").trim()
+def envTokenValue = (System.getenv("ARIADNE_JENKINS_API_TOKEN") ?: "").trim()
 def tokenName = "ariadne-weather"
 def tokenFile = new File("/var/jenkins_home/secrets/ariadne-api-token")
 def userFile = new File("/var/jenkins_home/secrets/ariadne-api-user")
+def persistedTokenValue = tokenFile.exists() ? (tokenFile.text ?: "").trim() : ""
+def tokenValue = envTokenValue ?: persistedTokenValue
 
 if (!userId || !tokenValue) {
-  println("Ariadne API user bootstrap skipped: missing ARIADNE_JENKINS_API_USER or ARIADNE_JENKINS_API_TOKEN")
+  println("Ariadne API user bootstrap skipped: missing ARIADNE_JENKINS_API_USER and no token source available")
   return
 }
 
@@ -28,30 +30,35 @@ if (prop == null) {
   user.addProperty(prop)
 }
 
+if (persistedTokenValue && prop.matchesPassword(persistedTokenValue)) {
+  tokenValue = persistedTokenValue
+}
+
 if (!prop.matchesPassword(tokenValue)) {
   def store = prop.getTokenStore()
-  def existing = store.getTokenListSortedByName().find { token ->
-    try {
-      token.getName() == tokenName
-    } catch (Throwable ignored) {
-      false
-    }
-  }
-
-  if (existing != null) {
-    try {
-      store.revokeToken(existing.getUuid())
-    } catch (Throwable ignored) {
-      try {
-        store.revokeToken(existing.uuid)
-      } catch (Throwable ignoredAgain) {
-        println("Ariadne API user bootstrap warning: failed to revoke existing token ${tokenName}")
-      }
-    }
-  }
 
   boolean configured = false
   try {
+    def existing = store.getTokenListSortedByName().find { token ->
+      try {
+        token.getName() == tokenName
+      } catch (Throwable ignored) {
+        false
+      }
+    }
+
+    if (existing != null) {
+      try {
+        store.revokeToken(existing.getUuid())
+      } catch (Throwable ignored) {
+        try {
+          store.revokeToken(existing.uuid)
+        } catch (Throwable ignoredAgain) {
+          println("Ariadne API user bootstrap warning: failed to revoke existing token ${tokenName}")
+        }
+      }
+    }
+
     store.addFixedNewToken(tokenName, tokenValue)
     configured = true
   } catch (Throwable ignored) {
@@ -59,11 +66,15 @@ if (!prop.matchesPassword(tokenValue)) {
   }
 
   if (!configured) {
-    def generated = store.generateNewToken(tokenName)
-    if (generated?.plainValue) {
-      tokenValue = generated.plainValue
+    if (persistedTokenValue && prop.matchesPassword(persistedTokenValue)) {
+      tokenValue = persistedTokenValue
+    } else {
+      def generated = store.generateNewToken(tokenName)
+      if (generated?.plainValue) {
+        tokenValue = generated.plainValue
+      }
+      println("Ariadne API user bootstrap warning: addFixedNewToken unavailable, generated replacement token")
     }
-    println("Ariadne API user bootstrap warning: addFixedNewToken unavailable, generated replacement token")
   }
 }