gitlab-org--gitlab-foss/doc/user/profile/personal_access_tokens.md

11 KiB

type stage group info
concepts, howto Manage Authentication and Authorization To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments

Personal access tokens (FREE)

  • Notifications for expiring tokens introduced in GitLab 12.6.
  • Token lifetime limits introduced in GitLab 12.6.
  • Additional notifications for expiring tokens introduced in GitLab 13.3.
  • Prefill for token name and scopes introduced in GitLab 14.1.

Personal access tokens can be an alternative to OAuth2 and used to:

  • Authenticate with the GitLab API.
  • Authenticate with Git using HTTP Basic Authentication.

In both cases, you authenticate with a personal access token in place of your password.

WARNING: The ability to create personal access tokens without expiry was deprecated in GitLab 15.4 and is planned for removal in GitLab 16.0. When this ability is removed, existing personal access tokens without an expiry are planned to have an expiry added. The automatic adding of an expiry occurs on GitLab.com during the 16.0 milestone. The automatic adding of an expiry occurs on self-managed instances when they are upgraded to GitLab 16.0. This change is a breaking change.

Personal access tokens are:

NOTE: Though required, GitLab usernames are ignored when authenticating with a personal access token. There is an issue for tracking to make GitLab use the username.

For examples of how you can use a personal access token to authenticate with the API, see the API documentation.

Alternately, GitLab administrators can use the API to create impersonation tokens. Use impersonation tokens to automate authentication as a specific user.

NOTE: Personal access tokens are not FIPS compliant and creation and use are disabled when FIPS mode is enabled.

Create a personal access token

Introduced in GitLab 15.3, default expiration of 30 days is populated in the UI.

You can create as many personal access tokens as you like.

  1. In the top-right corner, select your avatar.
  2. Select Edit profile.
  3. On the left sidebar, select Access Tokens.
  4. Enter a name and optional expiry date for the token.
  5. Select the desired scopes.
  6. Select Create personal access token.

Save the personal access token somewhere safe. After you leave the page, you no longer have access to the token.

Prefill personal access token name and scopes

You can link directly to the Personal Access Token page and have the form prefilled with a name and list of scopes. To do this, you can append a name parameter and a list of comma-separated scopes to the URL. For example:

https://gitlab.example.com/-/profile/personal_access_tokens?name=Example+Access+token&scopes=api,read_user,read_registry

WARNING: Personal access tokens must be treated carefully. Read our token security considerations for guidance on managing personal access tokens (for example, setting a short expiry and using minimal scopes).

Revoke a personal access token

At any time, you can revoke a personal access token.

  1. In the top-right corner, select your avatar.
  2. Select Edit profile.
  3. On the left sidebar, select Access Tokens.
  4. In the Active personal access tokens area, next to the key, select Revoke.

View the last time a token was used

Token usage information is updated every 24 hours. GitLab considers a token used when the token is used to:

  • Authenticate with the REST or GraphQL APIs.
  • Perform a Git operation.

To view the last time a token was used:

  1. In the top-right corner, select your avatar.
  2. Select Edit profile.
  3. On the left sidebar, select Access Tokens.
  4. In the Active personal access tokens area, next to the key, view the Last Used date.

Personal access token scopes

A personal access token can perform actions based on the assigned scopes.

Scope Access
api Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.
read_user Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
read_api Grants read access to the API, including all groups and projects, the container registry, and the package registry. (Introduced in GitLab 12.10.)
read_repository Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API.
write_repository Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API).
read_registry Grants read-only (pull) access to a Container Registry images if a project is private and authorization is required. Available only when the Container Registry is enabled.
write_registry Grants read-write (push) access to a Container Registry images if a project is private and authorization is required. Available only when the Container Registry is enabled. (Introduced in GitLab 12.10.)
sudo Grants permission to perform API actions as any user in the system, when authenticated as an administrator.

When personal access tokens expire

Personal access tokens expire on the date you define, at midnight UTC.

  • GitLab runs a check at 01:00 AM UTC every day to identify personal access tokens that expire in the next seven days. The owners of these tokens are notified by email.
  • GitLab runs a check at 02:00 AM UTC every day to identify personal access tokens that expire on the current date. The owners of these tokens are notified by email.
  • In GitLab Ultimate, administrators can limit the lifetime of access tokens.

Create a personal access token programmatically (FREE SELF)

You can create a predetermined personal access token as part of your tests or automation.

Prerequisite:

To create a personal access token programmatically:

  1. Open a Rails console:

    sudo gitlab-rails console
    
  2. Run the following commands to reference the username, the token, and the scopes.

    The token must be 20 characters long. The scopes must be valid and are visible in the source code.

    For example, to create a token that belongs to a user with username automation-bot:

    user = User.find_by_username('automation-bot')
    token = user.personal_access_tokens.create(scopes: [:read_user, :read_repository], name: 'Automation token')
    token.set_token('token-string-here123')
    token.save!
    

This code can be shortened into a single-line shell command by using the Rails runner:

sudo gitlab-rails runner "token = User.find_by_username('automation-bot').personal_access_tokens.create(scopes: [:read_user, :read_repository], name: 'Automation token'); token.set_token('token-string-here123'); token.save!"

Revoke a personal access token programmatically (FREE SELF)

You can programmatically revoke a personal access token as part of your tests or automation.

Prerequisite:

To revoke a token programmatically:

  1. Open a Rails console:

    sudo gitlab-rails console
    
  2. To revoke a token of token-string-here123, run the following commands:

    token = PersonalAccessToken.find_by_token('token-string-here123')
    token.revoke!
    

This code can be shortened into a single-line shell command using the Rails runner:

sudo gitlab-rails runner "PersonalAccessToken.find_by_token('token-string-here123').revoke!"

Alternatives to personal access tokens

For Git over HTTPS, an alternative to personal access tokens is Git Credential Manager, which securely authenticates using OAuth.