Jenkins 2.129 introduced a new API token system (see Security Hardening: New API token system).

The recommendation is for users to delete their existing (legacy) tokens, and replace them (if they are required) with a newly generated non-legacy token.

However, I cannot do that for a service account that cannot log in. 

• Previously, administrators could generate tokens on behalf of such users.
• In 2.129+, an administrator can generate a new value for an existing legacy token, but cannot generate a new non-legacy token for a service user.

Administrators should be able to generate a token for a service account.