diff -u b/src/Plugin/CKEditorPlugin/TokenBrowser.php b/src/Plugin/CKEditorPlugin/TokenBrowser.php
--- b/src/Plugin/CKEditorPlugin/TokenBrowser.php
+++ b/src/Plugin/CKEditorPlugin/TokenBrowser.php
@@ -3,10 +3,12 @@
 namespace Drupal\token_filter\Plugin\CKEditorPlugin;
 
 use Drupal\Component\Serialization\Json;
+use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Url;
+use Drupal\Core\Access\CsrfTokenGenerator;
 use Drupal\ckeditor\CKEditorPluginBase;
 use Drupal\editor\Entity\Editor;
-
+use Symfony\Component\DependencyInjection\ContainerInterface;
 
 /**
  * Defines the "tokenbrowser" plugin.
@@ -20,7 +22,34 @@
  *   label = @Translation("Token browser")
  * )
  */
-class TokenBrowser extends CKEditorPluginBase {
+class TokenBrowser extends CKEditorPluginBase implements ContainerFactoryPluginInterface {
+
+  /**
+   * The CSRF token manager service.
+   *
+   * @var Drupal\Core\Access\CsrfTokenGenerator
+   */
+  protected $csrfTokenService;
+
+  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
+    return new static(
+      $configuration,
+      $plugin_id,
+      $plugin_definition,
+      $container->get('csrf_token')
+    );
+  }
+
+  /**
+   * {@inheritdoc}
+   *
+   * @param Drupal\Core\Access\CsrfTokenGenerator $csrf_token_service
+   */
+  public function __construct(array $configuration, $plugin_id, $plugin_definition, CsrfTokenGenerator $csrf_token_service) {
+    parent::__construct($configuration, $plugin_id, $plugin_definition);
+
+    $this->csrfTokenService = $csrf_token_service;
+  }
 
   /**
    * {@inheritdoc}
@@ -30,30 +59,53 @@
    * editor.ui.addRichCombo() functions in the plugin.js file.
    */
   public function getButtons() {
-    $url = Url::fromRoute('token.tree');
-    $options['query'] = [
-      'options' => Json::encode([
-        'token_types' => [],
-        'global_types' => TRUE,
-        'click_insert' => TRUE,
-        'show_restricted' => FALSE,
-        'show_nested' => FALSE,
-        'recursion_limit' => 3,
-      ]),
-      'token' => \Drupal::csrfToken()->get($url->getInternalPath()),
-    ];
-    $url->setOptions($options);
-
     return [
       'tokenbrowser' => [
         'id' => 'tokenbrowser',
         'label' => t('Token browser'),
         'image' => file_create_url($this->getImage()),
-        'link' =>  $url->toString(),
+        'link' => $this->getUrl()->toString(),
       ],
     ];
   }
 
+  /**
+   * Fetches the URL.
+   *
+   * @return Drupal\Core\Url
+   *   The URL.
+   *
+   * @see TokenTreeController::outputTree().
+   */
+  protected function getUrl() {
+    $url = Url::fromRoute('token.tree');
+    $options['query'] = [
+      'options' => Json::encode($this->getQueryOptions()),
+      'token' => $this->csrfTokenService->get($url->getInternalPath()),
+    ];
+    $url->setOptions($options);
+    return $url;
+  }
+
+  /**
+   * Fetches the list of query options.
+   *
+   * @return array
+   *   The list of query options.
+   *
+   * @see TreeBuilderInterface::buildRenderable() for option definitions.
+   */
+  protected function getQueryOptions() {
+    return [
+      'token_types' => 'all',
+      'global_types' => FALSE,
+      'click_insert' => TRUE,
+      'show_restricted' => FALSE,
+      'show_nested' => FALSE,
+      'recursion_limit' => 3,
+    ];
+  }
+
   /**
    * Fetches the path to the image.
    *