When a ServiceToken is created, like many token generation algorithms, they can only be read on creation. If you ever try to read the value again, you will get an API error. You must create a new token to get a token value if you didn't save the value.
One or more secret fields are restricted: [raw computed]. You must use a service account or service token to manage these > resources. Otherwise, Terraform cannot fetch these restricted secrets to check the validity of their state.
Thoughts
Maybe the get/refresh operations should simply get the metadata about the resource and/or check if it exists with the same name. If there is a hash of the secret, that could be good to check against it to see if the resource needs to be recreated.
Summary
When a ServiceToken is created, like many token generation algorithms, they can only be read on creation. If you ever try to read the value again, you will get an API error. You must create a new token to get a token value if you didn't save the value.
Resource in question:
https://www.pulumi.com/registry/packages/doppler/api-docs/servicetoken/
Error
Thoughts
Maybe the get/refresh operations should simply get the metadata about the resource and/or check if it exists with the same name. If there is a hash of the secret, that could be good to check against it to see if the resource needs to be recreated.