diff --git a/apps/authentication/models/__init__.py b/apps/authentication/models/__init__.py
new file mode 100644
index 000000000..e889e03b1
--- /dev/null
+++ b/apps/authentication/models/__init__.py
@@ -0,0 +1,5 @@
+from .access_key import *
+from .connection_token import *
+from .private_token import *
+from .sso_token import *
+from .temp_token import *
diff --git a/apps/authentication/models/access_key.py b/apps/authentication/models/access_key.py
new file mode 100644
index 000000000..67aa6b812
--- /dev/null
+++ b/apps/authentication/models/access_key.py
@@ -0,0 +1,31 @@
+import uuid
+from django.utils.translation import ugettext_lazy as _
+from django.conf import settings
+
+from django.db import models
+
+
+class AccessKey(models.Model):
+ id = models.UUIDField(verbose_name='AccessKeyID', primary_key=True,
+ default=uuid.uuid4, editable=False)
+ secret = models.UUIDField(verbose_name='AccessKeySecret',
+ default=uuid.uuid4, editable=False)
+ user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name='User',
+ on_delete=models.CASCADE, related_name='access_keys')
+ is_active = models.BooleanField(default=True, verbose_name=_('Active'))
+ date_created = models.DateTimeField(auto_now_add=True)
+
+ def get_id(self):
+ return str(self.id)
+
+ def get_secret(self):
+ return str(self.secret)
+
+ def get_full_value(self):
+ return '{}:{}'.format(self.id, self.secret)
+
+ def __str__(self):
+ return str(self.id)
+
+ class Meta:
+ verbose_name = _("Access key")
diff --git a/apps/authentication/models.py b/apps/authentication/models/connection_token.py
similarity index 63%
rename from apps/authentication/models.py
rename to apps/authentication/models/connection_token.py
index 2ec71451f..c76d6e0f4 100644
--- a/apps/authentication/models.py
+++ b/apps/authentication/models/connection_token.py
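Review bot: In models/__init__.py the five `from .x import *` lines re-export every public name of each submodule, because none of the new modules shown in this diff defines `__all__`; that pulls helpers such as `uuid`, `settings`, `timezone` and DRF's `Token` into `authentication.models` alongside the token models. Listing the intended names keeps the package surface explicit, for example `__all__ = ['AccessKey']` in access_key.py and the equivalent in the other files. Whether connection_token.py already declares `__all__` is not visible here; if one is added there, it has to keep `date_expired_default` exported for anything that imports it from the package.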
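Review bot: In access_key.py, `AccessKey.secret` is a plain `UUIDField`, so the secret half of the key pair sits in the database in recoverable form, and `get_full_value()` returns it joined to the key id; `editable=False` only keeps the field out of forms and gives no protection at rest. The class is moved here without a docstring, so nothing marks these values as sensitive for the next maintainer. I would add one on the class, e.g. `"""API access key pair. `secret` is stored in cleartext; never log get_secret() or get_full_value()."""`. Whether the request-signing code needs the raw secret on the server side is outside this diff, so hashing it at rest may not be an option.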
@@ -1,62 +1,14 @@ import time -import uuid -from datetime import datetime, timedelta +from datetime import timedelta from django.utils import timezone from django.utils.translation import ugettext_lazy as _ from django.conf import settings -from rest_framework.authtoken.models import Token from orgs.mixins.models import OrgModelMixin from django.db import models from common.utils import lazyproperty from common.utils.timezone import as_current_tz -from common.db.models import BaseCreateUpdateModel, JMSBaseModel - - -class AccessKey(models.Model): - id = models.UUIDField(verbose_name='AccessKeyID', primary_key=True, - default=uuid.uuid4, editable=False) - secret = models.UUIDField(verbose_name='AccessKeySecret', - default=uuid.uuid4, editable=False) - user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name='User', - on_delete=models.CASCADE, related_name='access_keys') - is_active = models.BooleanField(default=True, verbose_name=_('Active')) - date_created = models.DateTimeField(auto_now_add=True) - - def get_id(self): - return str(self.id) - - def get_secret(self): - return str(self.secret) - - def get_full_value(self): - return '{}:{}'.format(self.id, self.secret) - - def __str__(self): - return str(self.id) - - class Meta: - verbose_name = _("Access key") - - -class PrivateToken(Token): - """Inherit from auth token, otherwise migration is boring""" - - class Meta: - verbose_name = _('Private Token') - - -class SSOToken(BaseCreateUpdateModel): - """ - 类似腾讯企业邮的 [单点登录](https://exmail.qq.com/qy_mng_logic/doc#10036) - 出于安全考虑,这里的 `token` 使用一次随即过期。但我们保留每一个生成过的 `token`。 - """ - authkey = models.UUIDField(primary_key=True, default=uuid.uuid4, verbose_name=_('Token')) - expired = models.BooleanField(default=False, verbose_name=_('Expired')) - user = models.ForeignKey('users.User', on_delete=models.CASCADE, verbose_name=_('User'), db_constraint=False) - - class Meta: - verbose_name = _('SSO token') +from common.db.models import JMSBaseModel def 
date_expired_default(): @@ -182,27 +134,6 @@ class ConnectionToken(OrgModelMixin, JMSBaseModel): return rules -class TempToken(JMSBaseModel): - username = models.CharField(max_length=128, verbose_name=_("Username")) - secret = models.CharField(max_length=64, verbose_name=_("Secret")) - verified = models.BooleanField(default=False, verbose_name=_("Verified")) - date_verified = models.DateTimeField(null=True, verbose_name=_("Date verified")) - date_expired = models.DateTimeField(verbose_name=_("Date expired")) - - class Meta: - verbose_name = _("Temporary token") - - @property - def user(self): - from users.models import User - return User.objects.filter(username=self.username).first() - - @property - def is_valid(self): - not_expired = self.date_expired and self.date_expired > timezone.now() - return not self.verified and not_expired - - class SuperConnectionToken(ConnectionToken): class Meta: proxy = True diff --git a/apps/authentication/models/private_token.py b/apps/authentication/models/private_token.py new file mode 100644 index 000000000..8d83d1e0a --- /dev/null +++ b/apps/authentication/models/private_token.py @@ -0,0 +1,9 @@ +from django.utils.translation import ugettext_lazy as _ +from rest_framework.authtoken.models import Token + + +class PrivateToken(Token): + """Inherit from auth token, otherwise migration is boring""" + + class Meta: + verbose_name = _('Private Token') diff --git a/apps/authentication/models/sso_token.py b/apps/authentication/models/sso_token.py new file mode 100644 index 000000000..fb4c68827 --- /dev/null +++ b/apps/authentication/models/sso_token.py 
@@ -0,0 +1,18 @@
+import uuid
+from django.utils.translation import ugettext_lazy as _
+
+from django.db import models
+from common.db.models import BaseCreateUpdateModel
+
+
+class SSOToken(BaseCreateUpdateModel):
+ """
+ 类似腾讯企业邮的 [单点登录](https://exmail.qq.com/qy_mng_logic/doc#10036)
+ 出于安全考虑,这里的 `token` 使用一次随即过期。但我们保留每一个生成过的 `token`。
+ """
+ authkey = models.UUIDField(primary_key=True, default=uuid.uuid4, verbose_name=_('Token'))
+ expired = models.BooleanField(default=False, verbose_name=_('Expired'))
+ user = models.ForeignKey('users.User', on_delete=models.CASCADE, verbose_name=_('User'), db_constraint=False)
+
+ class Meta:
+ verbose_name = _('SSO token')
diff --git a/apps/authentication/models/temp_token.py b/apps/authentication/models/temp_token.py
new file mode 100644
index 000000000..d76a30a42
--- /dev/null
+++ b/apps/authentication/models/temp_token.py
@@ -0,0 +1,26 @@
+from django.utils import timezone
+from django.utils.translation import ugettext_lazy as _
+
+from django.db import models
+from common.db.models import JMSBaseModel
+
+
+class TempToken(JMSBaseModel):
+ username = models.CharField(max_length=128, verbose_name=_("Username"))
+ secret = models.CharField(max_length=64, verbose_name=_("Secret"))
+ verified = models.BooleanField(default=False, verbose_name=_("Verified"))
+ date_verified = models.DateTimeField(null=True, verbose_name=_("Date verified"))
+ date_expired = models.DateTimeField(verbose_name=_("Date expired"))
+
+ class Meta:
+ verbose_name = _("Temporary token")
+
+ @property
+ def user(self):
+ from users.models import User
+ return User.objects.filter(username=self.username).first()
+
+ @property
+ def is_valid(self):
+ not_expired = self.date_expired and self.date_expired > timezone.now()
+ return not self.verified and not_expired
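Review bot: In sso_token.py, `SSOToken` records use only through the boolean `expired`, so nothing in the model bounds how long an issued but never used `authkey` stays acceptable; if `BaseCreateUpdateModel` supplies a creation timestamp, the view that consumes the token should also reject ones older than a short window (that view is outside this diff). The docstring is the only statement of the one-time-use rule and it is not in English. I would replace it with `"""SSO login token, modelled on Tencent Exmail single sign-on. For security a token expires as soon as it has been used once; every generated token is kept."""`.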
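Review bot: In temp_token.py, `TempToken.user` resolves the account by `username` at read time instead of through a foreign key and returns `None` when no row matches, so the token follows whoever currently holds that name and callers have to handle the empty case themselves. A comment above the property would record that, e.g. `# Looked up by name, not by FK: may be None; the caller must still check the account is active.` Separately, `is_valid` returns `None` rather than `False` on an instance whose `date_expired` is unset; `return not self.verified and bool(not_expired)` keeps the result a strict boolean. How `secret` is compared on login is not visible in this diff.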