- List group access tokens
- Get a group access token
- Create a group access token
- Rotate a group access token
- Revoke a group access token
Group access tokens API
Use this API to interact with group access tokens. For more information, see Group access tokens.
List group access tokens
-
state
attribute introduced in GitLab 17.2.
Get a list of group access tokens.
In GitLab 17.2 and later, you can use the state
attribute to limit the response to group access tokens with a specified state.
GET /groups/:id/access_tokens
GET /groups/:id/access_tokens?state=inactive
Attribute | Type | required | Description |
---|---|---|---|
id
| integer or string | yes | ID or URL-encoded path of the group |
state
| string | No | Limit results to tokens with specified state. Valid values are active and inactive . By default both states are returned.
|
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens"
[
{
"user_id" : 141,
"scopes" : [
"api"
],
"name" : "token",
"expires_at" : "2021-01-31",
"id" : 42,
"active" : true,
"created_at" : "2021-01-20T22:11:48.151Z",
"revoked" : false,
"last_used_at": null,
"access_level": 40
},
{
"user_id" : 141,
"scopes" : [
"read_api"
],
"name" : "token-2",
"expires_at" : "2021-01-31",
"id" : 43,
"active" : false,
"created_at" : "2021-01-21T12:12:38.123Z",
"revoked" : true,
"last_used_at": "2021-02-13T10:34:57.178Z",
"access_level": 40
}
]
Get a group access token
Get a group access token by ID.
GET /groups/:id/access_tokens/:token_id
Attribute | Type | required | Description |
---|---|---|---|
id
| integer or string | yes | ID or URL-encoded path of the group |
token_id
| integer | yes | ID of the group access token |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>"
{
"user_id" : 141,
"scopes" : [
"api"
],
"name" : "token",
"expires_at" : "2021-01-31",
"id" : 42,
"active" : true,
"created_at" : "2021-01-20T22:11:48.151Z",
"revoked" : false,
"access_level": 40
}
Create a group access token
- The
expires_at
attribute default was introduced in GitLab 16.0.
Create a group access token. You must have the Owner role for the group to create group access tokens.
POST /groups/:id/access_tokens
Attribute | Type | required | Description |
---|---|---|---|
id
| integer or string | yes | ID or URL-encoded path of the group |
name
| String | yes | Name of the group access token |
scopes
| Array[String]
| yes | List of scopes |
access_level
| Integer | no | Access level. Valid values are 10 (Guest), 15 (Planner), 20 (Reporter), 30 (Developer), 40 (Maintainer), and 50 (Owner).
|
expires_at
| Date | yes | Expiration date of the access token in ISO format (YYYY-MM-DD ). If undefined, the date is set to the maximum allowable lifetime limit.
|
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
--header "Content-Type:application/json" \
--data '{ "name":"test_token", "scopes":["api", "read_repository"], "expires_at":"2021-01-31", "access_level": 30 }' \
"https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens"
{
"scopes" : [
"api",
"read_repository"
],
"active" : true,
"name" : "test",
"revoked" : false,
"created_at" : "2021-01-21T19:35:37.921Z",
"user_id" : 166,
"id" : 58,
"expires_at" : "2021-01-31",
"token" : "D4y...Wzr",
"access_level": 30
}
Rotate a group access token
- Introduced in GitLab 16.0
Prerequisites:
- You must have a personal access token with the
api
scope.
Rotate a group access token. Revokes the previous token and creates a new token that expires in one week.
In GitLab 16.6 and later, you can use the expires_at
parameter to set a different expiry date. This non-default expiry date can be up to a maximum of one year from the rotation date.
POST /groups/:id/access_tokens/:token_id/rotate
Attribute | Type | required | Description |
---|---|---|---|
id
| integer or string | yes | ID or URL-encoded path of the group |
token_id
| integer | yes | ID of the access token |
expires_at
| date | no | Expiration date of the access token in ISO format (YYYY-MM-DD ). Introduced in GitLab 16.6. If undefined, the token expires after one week.
|
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>/rotate"
Example response:
{
"id": 42,
"name": "Rotated Token",
"revoked": false,
"created_at": "2023-08-01T15:00:00.000Z",
"scopes": ["api"],
"user_id": 1337,
"last_used_at": null,
"active": true,
"expires_at": "2023-08-15",
"access_level": 30,
"token": "s3cr3t"
}
Responses
-
200: OK
if existing token is successfully revoked and the new token is created. -
400: Bad Request
if not rotated successfully. -
401: Unauthorized
if either the:- User does not have access to the token with the specified ID.
- Token with the specified ID does not exist.
-
404: Not Found
if the user is an administrator but the token with the specified ID does not exist.
Automatic reuse detection
Refer to automatic reuse detection for personal access tokens for more information.
Revoke a group access token
Revoke a group access token.
DELETE /groups/:id/access_tokens/:token_id
Attribute | Type | required | Description |
---|---|---|---|
id
| integer or string | yes | ID or URL-encoded path of the group |
token_id
| integer | yes | ID of the group access token |
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>"
Responses
-
204: No Content
if successfully revoked. -
400 Bad Request
or404 Not Found
if not revoked successfully.