diff --git a/provider/pkg/internal/pulumiapi/orgtokens.go b/provider/pkg/internal/pulumiapi/orgtokens.go
index 36713cc9..444e4595 100644
--- a/provider/pkg/internal/pulumiapi/orgtokens.go
+++ b/provider/pkg/internal/pulumiapi/orgtokens.go
@@ -21,12 +21,6 @@ import (
 	"path"
 )
 
-type OrgAccessToken struct {
-	ID          string `json:"id"`
-	TokenValue  string `json:"tokenValue"`
-	Description string `json:"description"`
-}
-
 type createOrgTokenResponse struct {
 	ID         string `json:"id"`
 	TokenValue string `json:"tokenValue"`
@@ -38,7 +32,7 @@ type createOrgTokenRequest struct {
 	Admin       bool   `json:"admin"`
 }
 
-func (c *Client) CreateOrgAccessToken(ctx context.Context, name string, orgName string, description string, admin bool) (*AccessToken, error) {
+func (c *Client) CreateOrgAccessToken(ctx context.Context, name, orgName, description string, admin bool) (*AccessToken, error) {
 
 	if len(orgName) == 0 {
 		return nil, errors.New("empty orgName")
@@ -72,7 +66,7 @@ func (c *Client) CreateOrgAccessToken(ctx context.Context, name string, orgName
 
 }
 
-func (c *Client) DeleteOrgAccessToken(ctx context.Context, tokenId string, orgName string) error {
+func (c *Client) DeleteOrgAccessToken(ctx context.Context, tokenId, orgName string) error {
 	if len(tokenId) == 0 {
 		return errors.New("tokenid length must be greater than zero")
 	}
@@ -92,3 +86,27 @@ func (c *Client) DeleteOrgAccessToken(ctx context.Context, tokenId string, orgNa
 
 	return nil
 }
+
+func (c *Client) GetOrgAccessToken(ctx context.Context, tokenId, orgName string) (*AccessToken, error) {
+	apiPath := path.Join("orgs", orgName, "tokens")
+
+	var listRes listTokenResponse
+
+	_, err := c.do(ctx, http.MethodGet, apiPath, nil, &listRes)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to list org access tokens: %w", err)
+	}
+
+	for i := 0; i < len(listRes.Tokens); i++ {
+		token := listRes.Tokens[i]
+		if token.ID == tokenId {
+			return &AccessToken{
+				ID:          token.ID,
+				Description: token.Description,
+			}, nil
+		}
+	}
+
+	return nil, nil
+}
diff --git a/provider/pkg/internal/pulumiapi/orgtokens_test.go b/provider/pkg/internal/pulumiapi/orgtokens_test.go
index 33094ef0..2d558a34 100644
--- a/provider/pkg/internal/pulumiapi/orgtokens_test.go
+++ b/provider/pkg/internal/pulumiapi/orgtokens_test.go
@@ -1,15 +1,13 @@
 package pulumiapi
 
 import (
-	"context"
+	"fmt"
 	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 )
 
-var orgCtx = context.Background()
-
 func TestDeleteOrgAccessToken(t *testing.T) {
 	orgName := "anOrg"
 	tokenId := "abcdegh"
@@ -121,3 +119,60 @@ func TestCreateOrgAccessToken(t *testing.T) {
 		)
 	})
 }
+
+func TestGetOrgAccessToken(t *testing.T) {
+	id := "uuid"
+	desc := "token description"
+	org := "anOrg"
+	lastUsed := 123
+	t.Run("Happy Path", func(t *testing.T) {
+		resp := listTokenResponse{
+			Tokens: []accessTokenResponse{
+				{
+					ID:          id,
+					Description: desc,
+					LastUsed:    lastUsed,
+				},
+				{
+					ID:          "other",
+					Description: desc,
+					LastUsed:    lastUsed,
+				},
+			},
+		}
+		c, cleanup := startTestServer(t, testServerConfig{
+			ExpectedReqMethod: http.MethodGet,
+			ExpectedReqBody:   nil,
+			ExpectedReqPath:   fmt.Sprintf("/api/orgs/%s/tokens", org),
+			ResponseCode:      200,
+			ResponseBody:      resp,
+		})
+		defer cleanup()
+		token, err := c.GetOrgAccessToken(ctx, id, org)
+		assert.NoError(t, err)
+		assert.Equal(t, &AccessToken{
+			ID:          id,
+			Description: desc,
+		}, token)
+	})
+
+	t.Run("Error", func(t *testing.T) {
+		c, cleanup := startTestServer(t, testServerConfig{
+			ExpectedReqMethod: http.MethodGet,
+			ExpectedReqPath:   fmt.Sprintf("/api/orgs/%s/tokens", org),
+			ExpectedReqBody:   nil,
+			ResponseCode:      401,
+			ResponseBody: errorResponse{
+				StatusCode: 401,
+				Message:    "unauthorized",
+			},
+		})
+		defer cleanup()
+		token, err := c.GetOrgAccessToken(ctx, id, org)
+		assert.Nil(t, token, "token should be nil")
+		assert.EqualError(t,
+			err,
+			`failed to list org access tokens: 401 API error: unauthorized`,
+		)
+	})
+}
diff --git a/provider/pkg/internal/pulumiapi/teamtokens.go b/provider/pkg/internal/pulumiapi/teamtokens.go
index 44037b6b..0d557d63 100644
--- a/provider/pkg/internal/pulumiapi/teamtokens.go
+++ b/provider/pkg/internal/pulumiapi/teamtokens.go
@@ -21,12 +21,6 @@ import (
 	"path"
 )
 
-type TeamAccessToken struct {
-	ID          string `json:"id"`
-	TokenValue  string `json:"tokenValue"`
-	Description string `json:"description"`
-}
-
 type createTeamTokenResponse struct {
 	ID         string `json:"id"`
 	TokenValue string `json:"tokenValue"`
@@ -37,7 +31,7 @@ type createTeamTokenRequest struct {
 	Description string `json:"description"`
 }
 
-func (c *Client) CreateTeamAccessToken(ctx context.Context, name string, orgName string, teamName string, description string) (*AccessToken, error) {
+func (c *Client) CreateTeamAccessToken(ctx context.Context, name, orgName, teamName, description string) (*AccessToken, error) {
 
 	if len(orgName) == 0 {
 		return nil, errors.New("empty orgName")
@@ -70,7 +64,7 @@ func (c *Client) CreateTeamAccessToken(ctx context.Context, name string, orgName
 
 }
 
-func (c *Client) DeleteTeamAccessToken(ctx context.Context, tokenId string, orgName string, teamName string) error {
+func (c *Client) DeleteTeamAccessToken(ctx context.Context, tokenId, orgName, teamName string) error {
 	if len(tokenId) == 0 {
 		return errors.New("tokenid length must be greater than zero")
 	}
@@ -92,3 +86,27 @@ func (c *Client) DeleteTeamAccessToken(ctx context.Context, tokenId string, orgN
 
 	return nil
 }
+
+func (c *Client) GetTeamAccessToken(ctx context.Context, tokenId, orgName, teamName string) (*AccessToken, error) {
+	apiPath := path.Join("orgs", orgName, "teams", teamName, "tokens")
+
+	var listRes listTokenResponse
+
+	_, err := c.do(ctx, http.MethodGet, apiPath, nil, &listRes)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to list team access tokens: %w", err)
+	}
+
+	for i := 0; i < len(listRes.Tokens); i++ {
+		token := listRes.Tokens[i]
+		if token.ID == tokenId {
+			return &AccessToken{
+				ID:          token.ID,
+				Description: token.Description,
+			}, nil
+		}
+	}
+
+	return nil, nil
+}
diff --git a/provider/pkg/internal/pulumiapi/teamtokens_test.go b/provider/pkg/internal/pulumiapi/teamtokens_test.go
index 404dbee7..0301e703 100644
--- a/provider/pkg/internal/pulumiapi/teamtokens_test.go
+++ b/provider/pkg/internal/pulumiapi/teamtokens_test.go
@@ -2,6 +2,7 @@ package pulumiapi
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"testing"
 
@@ -96,3 +97,61 @@ func TestCreateTeamAccessToken(t *testing.T) {
 		)
 	})
 }
+
+func TestGetTeamAccessToken(t *testing.T) {
+	id := "uuid"
+	desc := "token description"
+	org := "anOrg"
+	team := "aTeam"
+	lastUsed := 123
+	t.Run("Happy Path", func(t *testing.T) {
+		resp := listTokenResponse{
+			Tokens: []accessTokenResponse{
+				{
+					ID:          id,
+					Description: desc,
+					LastUsed:    lastUsed,
+				},
+				{
+					ID:          "other",
+					Description: desc,
+					LastUsed:    lastUsed,
+				},
+			},
+		}
+		c, cleanup := startTestServer(t, testServerConfig{
+			ExpectedReqMethod: http.MethodGet,
+			ExpectedReqBody:   nil,
+			ExpectedReqPath:   fmt.Sprintf("/api/orgs/%s/teams/%s/tokens", org, team),
+			ResponseCode:      200,
+			ResponseBody:      resp,
+		})
+		defer cleanup()
+		token, err := c.GetTeamAccessToken(ctx, id, org, team)
+		assert.NoError(t, err)
+		assert.Equal(t, &AccessToken{
+			ID:          id,
+			Description: desc,
+		}, token)
+	})
+
+	t.Run("Error", func(t *testing.T) {
+		c, cleanup := startTestServer(t, testServerConfig{
+			ExpectedReqMethod: http.MethodGet,
+			ExpectedReqPath:   fmt.Sprintf("/api/orgs/%s/teams/%s/tokens", org, team),
+			ExpectedReqBody:   nil,
+			ResponseCode:      401,
+			ResponseBody: errorResponse{
+				StatusCode: 401,
+				Message:    "unauthorized",
+			},
+		})
+		defer cleanup()
+		token, err := c.GetTeamAccessToken(ctx, id, org, team)
+		assert.Nil(t, token, "token should be nil")
+		assert.EqualError(t,
+			err,
+			`failed to list team access tokens: 401 API error: unauthorized`,
+		)
+	})
+}
diff --git a/provider/pkg/provider/access_token.go b/provider/pkg/provider/access_token.go
index 3cbbaf99..2e4da9cd 100644
--- a/provider/pkg/provider/access_token.go
+++ b/provider/pkg/provider/access_token.go
@@ -41,32 +41,7 @@ func (at *PulumiServiceAccessTokenResource) Name() string {
 }
 
 func (at *PulumiServiceAccessTokenResource) Diff(req *pulumirpc.DiffRequest) (*pulumirpc.DiffResponse, error) {
-	olds, err := plugin.UnmarshalProperties(req.GetOlds(), plugin.MarshalOptions{KeepUnknowns: false, SkipNulls: true})
-	if err != nil {
-		return nil, err
-	}
-
-	news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: false})
-	if err != nil {
-		return nil, err
-	}
-
-	diffs := olds["__inputs"].ObjectValue().Diff(news)
-	if diffs == nil {
-		return &pulumirpc.DiffResponse{
-			Changes: pulumirpc.DiffResponse_DIFF_NONE,
-		}, nil
-	}
-
-	changes := pulumirpc.DiffResponse_DIFF_NONE
-	if diffs.Changed("description") {
-		changes = pulumirpc.DiffResponse_DIFF_SOME
-	}
-
-	return &pulumirpc.DiffResponse{
-		Changes:  changes,
-		Replaces: []string{"description"},
-	}, nil
+	return considerAllChangesReplaces(req)
 }
 
 func (at *PulumiServiceAccessTokenResource) Delete(req *pulumirpc.DeleteRequest) (*pbempty.Empty, error) {
@@ -115,19 +90,20 @@ func (at *PulumiServiceAccessTokenResource) Check(req *pulumirpc.CheckRequest) (
 	return &pulumirpc.CheckResponse{Inputs: req.News, Failures: nil}, nil
 }
 
-func (at *PulumiServiceAccessTokenResource) Update(req *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
-	return &pulumirpc.UpdateResponse{}, nil
+func (at *PulumiServiceAccessTokenResource) Update(_ *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
+	// all updates are destructive, so we just call Create.
+	return nil, fmt.Errorf("unexpected call to update, expected create to be called instead")
 }
 
 func (at *PulumiServiceAccessTokenResource) Read(req *pulumirpc.ReadRequest) (*pulumirpc.ReadResponse, error) {
 	ctx := context.Background()
 
 	// the access token is immutable; if we get nil it got deleted, otherwise all data is the same
-	accesstoken, err := at.getAccessToken(ctx, req.GetId())
+	accessToken, err := at.client.GetAccessToken(ctx, req.GetId())
 	if err != nil {
 		return nil, err
 	}
-	if accesstoken == nil {
+	if accessToken == nil {
 		return &pulumirpc.ReadResponse{}, nil
 	}
 
@@ -137,32 +113,23 @@ func (at *PulumiServiceAccessTokenResource) Read(req *pulumirpc.ReadRequest) (*p
 	}, nil
 }
 
-func (at *PulumiServiceAccessTokenResource) Invoke(s *pulumiserviceProvider, req *pulumirpc.InvokeRequest) (*pulumirpc.InvokeResponse, error) {
+func (at *PulumiServiceAccessTokenResource) Invoke(_ *pulumiserviceProvider, req *pulumirpc.InvokeRequest) (*pulumirpc.InvokeResponse, error) {
 	return &pulumirpc.InvokeResponse{Return: nil}, fmt.Errorf("unknown function '%s'", req.Tok)
 }
 
-func (at *PulumiServiceAccessTokenResource) Configure(config PulumiServiceConfig) {
+func (at *PulumiServiceAccessTokenResource) Configure(_ PulumiServiceConfig) {
 }
 
 func (at *PulumiServiceAccessTokenResource) createAccessToken(ctx context.Context, input PulumiServiceAccessTokenInput) (*pulumiapi.AccessToken, error) {
 
-	accesstoken, err := at.client.CreateAccessToken(ctx, input.Description)
+	accessToken, err := at.client.CreateAccessToken(ctx, input.Description)
 	if err != nil {
 		return nil, err
 	}
 
-	return accesstoken, nil
+	return accessToken, nil
 }
 
 func (at *PulumiServiceAccessTokenResource) deleteAccessToken(ctx context.Context, tokenId string) error {
 	return at.client.DeleteAccessToken(ctx, tokenId)
 }
-
-func (at *PulumiServiceAccessTokenResource) getAccessToken(ctx context.Context, id string) (*pulumiapi.AccessToken, error) {
-	accesstoken, err := at.client.GetAccessToken(ctx, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return accesstoken, nil
-}
diff --git a/provider/pkg/provider/deployment_settings.go b/provider/pkg/provider/deployment_settings.go
index 9289d9ae..24fb9bae 100644
--- a/provider/pkg/provider/deployment_settings.go
+++ b/provider/pkg/provider/deployment_settings.go
@@ -471,40 +471,7 @@ func getSecretOrStringValue(prop resource.PropertyValue) string {
 }
 
 func (ds *PulumiServiceDeploymentSettingsResource) Diff(req *pulumirpc.DiffRequest) (*pulumirpc.DiffResponse, error) {
-	olds, err := plugin.UnmarshalProperties(req.GetOlds(), plugin.MarshalOptions{KeepUnknowns: false, SkipNulls: true})
-	if err != nil {
-		return nil, err
-	}
-
-	news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true})
-	if err != nil {
-		return nil, err
-	}
-
-	diffs := olds.Diff(news)
-	if diffs == nil {
-		return &pulumirpc.DiffResponse{
-			Changes: pulumirpc.DiffResponse_DIFF_NONE,
-		}, nil
-	}
-
-	dd := plugin.NewDetailedDiffFromObjectDiff(diffs)
-
-	detailedDiffs := map[string]*pulumirpc.PropertyDiff{}
-	for k, v := range dd {
-		v.Kind = v.Kind.AsReplace()
-		detailedDiffs[k] = &pulumirpc.PropertyDiff{
-			Kind:      pulumirpc.PropertyDiff_Kind(v.Kind),
-			InputDiff: v.InputDiff,
-		}
-	}
-
-	return &pulumirpc.DiffResponse{
-		Changes:             pulumirpc.DiffResponse_DIFF_SOME,
-		DetailedDiff:        detailedDiffs,
-		DeleteBeforeReplace: true,
-		HasDetailedDiff:     true,
-	}, nil
+	return considerAllChangesReplaces(req)
 }
 
 func (ds *PulumiServiceDeploymentSettingsResource) Check(req *pulumirpc.CheckRequest) (*pulumirpc.CheckResponse, error) {
@@ -526,7 +493,7 @@ func (ds *PulumiServiceDeploymentSettingsResource) Check(req *pulumirpc.CheckReq
 	return &pulumirpc.CheckResponse{Inputs: req.News, Failures: failures}, nil
 }
 
-func (ds *PulumiServiceDeploymentSettingsResource) Configure(config PulumiServiceConfig) {}
+func (ds *PulumiServiceDeploymentSettingsResource) Configure(_ PulumiServiceConfig) {}
 
 func (ds *PulumiServiceDeploymentSettingsResource) Read(req *pulumirpc.ReadRequest) (*pulumirpc.ReadResponse, error) {
 	ctx := context.Background()
@@ -602,7 +569,7 @@ func (ds *PulumiServiceDeploymentSettingsResource) Create(req *pulumirpc.CreateR
 	}, nil
 }
 
-func (ds *PulumiServiceDeploymentSettingsResource) Update(req *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
+func (ds *PulumiServiceDeploymentSettingsResource) Update(_ *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
 	// For simplicity, all updates are destructive, so we just call Create.
 	return nil, fmt.Errorf("unexpected call to update, expected create to be called instead")
 }
@@ -610,3 +577,40 @@ func (ds *PulumiServiceDeploymentSettingsResource) Update(req *pulumirpc.UpdateR
 func (ds *PulumiServiceDeploymentSettingsResource) Name() string {
 	return "pulumiservice:index:DeploymentSettings"
 }
+
+func considerAllChangesReplaces(req *pulumirpc.DiffRequest) (*pulumirpc.DiffResponse, error) {
+	olds, err := plugin.UnmarshalProperties(req.GetOlds(), plugin.MarshalOptions{KeepUnknowns: false, SkipNulls: true})
+	if err != nil {
+		return nil, err
+	}
+
+	news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true})
+	if err != nil {
+		return nil, err
+	}
+
+	diffs := olds.Diff(news)
+	if diffs == nil {
+		return &pulumirpc.DiffResponse{
+			Changes: pulumirpc.DiffResponse_DIFF_NONE,
+		}, nil
+	}
+
+	dd := plugin.NewDetailedDiffFromObjectDiff(diffs)
+
+	detailedDiffs := map[string]*pulumirpc.PropertyDiff{}
+	for k, v := range dd {
+		v.Kind = v.Kind.AsReplace()
+		detailedDiffs[k] = &pulumirpc.PropertyDiff{
+			Kind:      pulumirpc.PropertyDiff_Kind(v.Kind),
+			InputDiff: v.InputDiff,
+		}
+	}
+
+	return &pulumirpc.DiffResponse{
+		Changes:             pulumirpc.DiffResponse_DIFF_SOME,
+		DetailedDiff:        detailedDiffs,
+		DeleteBeforeReplace: true,
+		HasDetailedDiff:     true,
+	}, nil
+}
diff --git a/provider/pkg/provider/org_access_token.go b/provider/pkg/provider/org_access_token.go
index ed99826e..247d31b1 100644
--- a/provider/pkg/provider/org_access_token.go
+++ b/provider/pkg/provider/org_access_token.go
@@ -60,35 +60,7 @@ func (ot *PulumiServiceOrgAccessTokenResource) Name() string {
 }
 
 func (ot *PulumiServiceOrgAccessTokenResource) Diff(req *pulumirpc.DiffRequest) (*pulumirpc.DiffResponse, error) {
-	olds, err := plugin.UnmarshalProperties(req.GetOlds(), plugin.MarshalOptions{KeepUnknowns: false, SkipNulls: true})
-	if err != nil {
-		return nil, err
-	}
-
-	news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: false})
-	if err != nil {
-		return nil, err
-	}
-
-	diffs := olds["__inputs"].ObjectValue().Diff(news)
-	if diffs == nil {
-		return &pulumirpc.DiffResponse{
-			Changes: pulumirpc.DiffResponse_DIFF_NONE,
-		}, nil
-	}
-
-	changes, replaces := pulumirpc.DiffResponse_DIFF_NONE, []string(nil)
-	if diffs.Changed("description") {
-		changes, replaces = pulumirpc.DiffResponse_DIFF_SOME, append(replaces, "description")
-	}
-	if diffs.Changed("admin") {
-		changes, replaces = pulumirpc.DiffResponse_DIFF_SOME, append(replaces, "admin")
-	}
-
-	return &pulumirpc.DiffResponse{
-		Changes:  changes,
-		Replaces: replaces,
-	}, nil
+	return considerAllChangesReplaces(req)
 }
 
 func (ot *PulumiServiceOrgAccessTokenResource) Delete(req *pulumirpc.DeleteRequest) (*pbempty.Empty, error) {
@@ -145,29 +117,47 @@ func (ot *PulumiServiceOrgAccessTokenResource) Check(req *pulumirpc.CheckRequest
 	return &pulumirpc.CheckResponse{Inputs: req.News, Failures: nil}, nil
 }
 
-func (ot *PulumiServiceOrgAccessTokenResource) Update(req *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
-	return &pulumirpc.UpdateResponse{}, nil
+func (ot *PulumiServiceOrgAccessTokenResource) Update(_ *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
+	// all updates are destructive, so we just call Create.
+	return nil, fmt.Errorf("unexpected call to update, expected create to be called instead")
 }
 
 func (ot *PulumiServiceOrgAccessTokenResource) Read(req *pulumirpc.ReadRequest) (*pulumirpc.ReadResponse, error) {
-	return &pulumirpc.ReadResponse{}, nil
+	ctx := context.Background()
+	urn := req.GetId()
+
+	orgName, _, tokenId, err := splitOrgAccessTokenId(urn)
+
+	// the org access token is immutable; if we get nil it got deleted, otherwise all data is the same
+	accessToken, err := ot.client.GetOrgAccessToken(ctx, tokenId, orgName)
+	if err != nil {
+		return nil, err
+	}
+	if accessToken == nil {
+		return &pulumirpc.ReadResponse{}, nil
+	}
+
+	return &pulumirpc.ReadResponse{
+		Id:         req.GetId(),
+		Properties: req.GetProperties(),
+	}, nil
 }
 
-func (ot *PulumiServiceOrgAccessTokenResource) Invoke(s *pulumiserviceProvider, req *pulumirpc.InvokeRequest) (*pulumirpc.InvokeResponse, error) {
+func (ot *PulumiServiceOrgAccessTokenResource) Invoke(_ *pulumiserviceProvider, req *pulumirpc.InvokeRequest) (*pulumirpc.InvokeResponse, error) {
 	return &pulumirpc.InvokeResponse{Return: nil}, fmt.Errorf("unknown function '%s'", req.Tok)
 }
 
-func (ot *PulumiServiceOrgAccessTokenResource) Configure(config PulumiServiceConfig) {
+func (ot *PulumiServiceOrgAccessTokenResource) Configure(_ PulumiServiceConfig) {
 }
 
 func (ot *PulumiServiceOrgAccessTokenResource) createOrgAccessToken(ctx context.Context, input PulumiServiceOrgAccessTokenInput) (*pulumiapi.AccessToken, error) {
 
-	accesstoken, err := ot.client.CreateOrgAccessToken(ctx, input.Name, input.OrgName, input.Description, input.Admin)
+	accessToken, err := ot.client.CreateOrgAccessToken(ctx, input.Name, input.OrgName, input.Description, input.Admin)
 	if err != nil {
 		return nil, err
 	}
 
-	return accesstoken, nil
+	return accessToken, nil
 }
 
 func (ot *PulumiServiceOrgAccessTokenResource) deleteOrgAccessToken(ctx context.Context, id string) error {
diff --git a/provider/pkg/provider/team_access_token.go b/provider/pkg/provider/team_access_token.go
index c22b94b8..36671da5 100644
--- a/provider/pkg/provider/team_access_token.go
+++ b/provider/pkg/provider/team_access_token.go
@@ -60,32 +60,7 @@ func (t *PulumiServiceTeamAccessTokenResource) Name() string {
 }
 
 func (t *PulumiServiceTeamAccessTokenResource) Diff(req *pulumirpc.DiffRequest) (*pulumirpc.DiffResponse, error) {
-	olds, err := plugin.UnmarshalProperties(req.GetOlds(), plugin.MarshalOptions{KeepUnknowns: false, SkipNulls: true})
-	if err != nil {
-		return nil, err
-	}
-
-	news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: false})
-	if err != nil {
-		return nil, err
-	}
-
-	diffs := olds["__inputs"].ObjectValue().Diff(news)
-	if diffs == nil {
-		return &pulumirpc.DiffResponse{
-			Changes: pulumirpc.DiffResponse_DIFF_NONE,
-		}, nil
-	}
-
-	changes := pulumirpc.DiffResponse_DIFF_NONE
-	if diffs.Changed("description") {
-		changes = pulumirpc.DiffResponse_DIFF_SOME
-	}
-
-	return &pulumirpc.DiffResponse{
-		Changes:  changes,
-		Replaces: []string{"description"},
-	}, nil
+	return considerAllChangesReplaces(req)
 }
 
 func (t *PulumiServiceTeamAccessTokenResource) Delete(req *pulumirpc.DeleteRequest) (*pbempty.Empty, error) {
@@ -138,29 +113,47 @@ func (t *PulumiServiceTeamAccessTokenResource) Check(req *pulumirpc.CheckRequest
 	return &pulumirpc.CheckResponse{Inputs: req.News, Failures: nil}, nil
 }
 
-func (t *PulumiServiceTeamAccessTokenResource) Update(req *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
-	return &pulumirpc.UpdateResponse{}, nil
+func (t *PulumiServiceTeamAccessTokenResource) Update(_ *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) {
+	// all updates are destructive, so we just call Create.
+	return nil, fmt.Errorf("unexpected call to update, expected create to be called instead")
 }
 
 func (t *PulumiServiceTeamAccessTokenResource) Read(req *pulumirpc.ReadRequest) (*pulumirpc.ReadResponse, error) {
-	return &pulumirpc.ReadResponse{}, nil
+	ctx := context.Background()
+	urn := req.GetId()
+
+	orgName, teamName, _, tokenId, err := splitTeamAccessTokenId(urn)
+
+	// the team access token is immutable; if we get nil it got deleted, otherwise all data is the same
+	accessToken, err := t.client.GetTeamAccessToken(ctx, tokenId, orgName, teamName)
+	if err != nil {
+		return nil, err
+	}
+	if accessToken == nil {
+		return &pulumirpc.ReadResponse{}, nil
+	}
+
+	return &pulumirpc.ReadResponse{
+		Id:         req.GetId(),
+		Properties: req.GetProperties(),
+	}, nil
 }
 
-func (t *PulumiServiceTeamAccessTokenResource) Invoke(s *pulumiserviceProvider, req *pulumirpc.InvokeRequest) (*pulumirpc.InvokeResponse, error) {
+func (t *PulumiServiceTeamAccessTokenResource) Invoke(_ *pulumiserviceProvider, req *pulumirpc.InvokeRequest) (*pulumirpc.InvokeResponse, error) {
 	return &pulumirpc.InvokeResponse{Return: nil}, fmt.Errorf("unknown function '%s'", req.Tok)
 }
 
-func (t *PulumiServiceTeamAccessTokenResource) Configure(config PulumiServiceConfig) {
+func (t *PulumiServiceTeamAccessTokenResource) Configure(_ PulumiServiceConfig) {
 }
 
 func (t *PulumiServiceTeamAccessTokenResource) createTeamAccessToken(ctx context.Context, input PulumiServiceTeamAccessTokenInput) (*pulumiapi.AccessToken, error) {
 
-	accesstoken, err := t.client.CreateTeamAccessToken(ctx, input.Name, input.OrgName, input.TeamName, input.Description)
+	accessToken, err := t.client.CreateTeamAccessToken(ctx, input.Name, input.OrgName, input.TeamName, input.Description)
 	if err != nil {
 		return nil, err
 	}
 
-	return accesstoken, nil
+	return accessToken, nil
 }
 
 func (t *PulumiServiceTeamAccessTokenResource) deleteTeamAccessToken(ctx context.Context, id string) error {