Personal access tokens
Offering: GitLab.com, Self-managed, GitLab Dedicated
- Notifications for expiring tokens introduced in GitLab 12.6.
- Token lifetime limits introduced in GitLab 12.6.
- Additional notifications for expiring tokens introduced in GitLab 13.3.
- Prefill for token name and scopes introduced in GitLab 14.1.
Personal access tokens can be an alternative to OAuth2 and used to:
- Authenticate with the GitLab API.
- Authenticate with Git using HTTP Basic Authentication.
In both cases, you authenticate with a personal access token in place of your password.
Personal access tokens are:
- Required when two-factor authentication (2FA) or SAML is enabled.
- Used with a GitLab username to authenticate with GitLab features that require usernames. For example, GitLab-managed Terraform state backend and Docker container registry,
- Similar to project access tokens and group access tokens, but are attached to a user rather than a project or group.
For examples of how you can use a personal access token to authenticate with the API, see the API documentation.
Alternately, GitLab administrators can use the API to create impersonation tokens. Use impersonation tokens to automate authentication as a specific user.
Create a personal access token
- Introduced in GitLab 15.3, default expiration of 30 days is populated in the UI.
- Ability to create non-expiring personal access tokens removed in GitLab 16.0.
You can create as many personal access tokens as you like.
- On the left sidebar, select your avatar.
- Select Edit profile.
- On the left sidebar, select Access Tokens.
- Select Add new token.
- Enter a name and expiry date for the token.
- The token expires on that date at midnight UTC.
- If you do not enter an expiry date, the expiry date is automatically set to 365 days later than the current date.
- By default, this date can be a maximum of 365 days later than the current date.
- Select the desired scopes.
- Select Create personal access token.
Save the personal access token somewhere safe. After you leave the page, you no longer have access to the token.
Prefill personal access token name and scopes
You can link directly to the Personal Access Token page and have the form prefilled with a name and
list of scopes. To do this, you can append a name
parameter and a list of comma-separated scopes
to the URL. For example:
https://gitlab.example.com/-/user_settings/personal_access_tokens?name=Example+Access+token&scopes=api,read_user,read_registry
Revoke a personal access token
At any time, you can revoke a personal access token.
- On the left sidebar, select your avatar.
- Select Edit profile.
- On the left sidebar, select Access Tokens.
- In the Active personal access tokens area, select Revoke for the relevant token.
- On the confirmation dialog, select Revoke.
Disable personal access tokens
Offering: Self-managed, GitLab Dedicated
Prerequisites:
- You must be an administrator.
In GitLab 15.7 and later, you can use the application settings API to disable personal access tokens.
Disable personal access tokens for enterprise users
-
Introduced in GitLab 16.11 with a flag named
enterprise_disable_personal_access_tokens
. Disabled by default.
Prerequisites:
- You must have the Owner role in the group that the enterprise user belongs to.
Disabling the personal access tokens of a group’s enterprise users:
- Stops the enterprise users from creating new personal access tokens. This behavior applies even if an enterprise user is also an administrator of the group.
- Disables the existing personal access tokens of the enterprise users.
To disable the enterprise users’ personal access tokens:
- On the left sidebar, select Search or go to and find your group or subgroup.
- Select Settings > General.
- Expand Permissions and group features.
- Under Personal access tokens, select Disable personal access tokens.
- Select Save changes.
View the last time a token was used
- Introduced in GitLab 13.2. Token usage information is updated every 24 hours.
- The frequency of token usage information updates changed in GitLab 16.1 from 24 hours to 10 minutes.
Token usage information is updated every 10 minutes. GitLab considers a token used when the token is used to:
To view the last time a token was used:
- On the left sidebar, select your avatar.
- Select Edit profile.
- On the left sidebar, select Access Tokens.
- In the Active personal access tokens area, view the Last Used date for the relevant token.
Personal access token scopes
- Personal access tokens no longer being able to access container or package registries introduced in GitLab 16.0.
-
k8s_proxy
introduced in GitLab 16.4 with a flag namedk8s_proxy_pat
. Enabled by default. - Feature flag
k8s_proxy_pat
removed in GitLab 16.5.
A personal access token can perform actions based on the assigned scopes.
Scope | Access |
---|---|
api
| Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry. Also grants complete read/write access to the registry and repository using Git over HTTP. |
read_user
| Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users .
|
read_api
| Grants read access to the API, including all groups and projects, the container registry, and the package registry. (Introduced in GitLab 12.10.) |
read_repository
| Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API. |
write_repository
| Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API). |
read_registry
| Grants read-only (pull) access to container registry images if a project is private and authorization is required. Available only when the container registry is enabled. |
write_registry
| Grants read-write (push) access to container registry images if a project is private and authorization is required. Available only when the container registry is enabled. (Introduced in GitLab 12.10.) |
sudo
| Grants permission to perform API actions as any user in the system, when authenticated as an administrator. |
admin_mode
| Grants permission to perform API actions as an administrator, when Admin Mode is enabled. (Introduced in GitLab 15.8.) |
create_runner
| Grants permission to create runners. |
ai_features
| Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. |
k8s_proxy
| Grants permission to perform Kubernetes API calls using the agent for Kubernetes. |
read_service_ping
| Grant access to download Service Ping payload via API when authenticated as an admin use. (Introduced in GitLab 16.8. |
When personal access tokens expire
Personal access tokens expire on the date you define, at midnight, 00:00 AM UTC.
- GitLab runs a check at 01:00 AM UTC every day to identify personal access tokens that expire in the next seven days. The owners of these tokens are notified by email.
- GitLab runs a check at 02:00 AM UTC every day to identify personal access tokens that expire on the current date. The owners of these tokens are notified by email.
- In GitLab Ultimate, administrators can limit the allowable lifetime of access tokens. If not set, the maximum allowable lifetime of a personal access token is 365 days.
- In GitLab Free and Premium, the maximum allowable lifetime of a personal access token is 365 days.
- If you do not set an expiry date when creating a personal access token, the expiry date is set to the maximum allowed lifetime for the token. If the maximum allowed lifetime is not set, the default expiry date is 365 days from the date of creation.
Create a service account personal access token with no expiry date
You can create a personal access token for a service account with no expiry date. These personal access tokens never expire, unlike non-service account personal access tokens.
GitLab.com
Prerequisites:
- You must have the Owner role in the top-level group.
- On the left sidebar, select Search or go to and find your group.
- Select Settings > General > Permissions and group features.
- Clear the Service account token expiration checkbox.
You can now create personal access tokens for a service account user with no expiry date.
Self-managed GitLab
Prerequisites:
- You must be an administrator for your self-managed instance.
- On the left sidebar, at the bottom, select Admin Area.
- Select Settings > General.
- Expand Account and limit.
- Clear the Service account token expiration checkbox.
You can now create personal access tokens for a service account user with no expiry date.
Create a personal access token programmatically
Offering: Self-managed, GitLab Dedicated
You can create a predetermined personal access token as part of your tests or automation.
Prerequisites:
- You need sufficient access to run a Rails console session for your GitLab instance.
To create a personal access token programmatically:
-
Open a Rails console:
sudo gitlab-rails console
-
Run the following commands to reference the username, the token, and the scopes.
The token must be 20 characters long. The scopes must be valid and are visible in the source code.
For example, to create a token that belongs to a user with username
automation-bot
and expires in a year:user = User.find_by_username('automation-bot') token = user.personal_access_tokens.create(scopes: ['read_user', 'read_repository'], name: 'Automation token', expires_at: 365.days.from_now) token.set_token('token-string-here123') token.save!
This code can be shortened into a single-line shell command by using the Rails runner:
sudo gitlab-rails runner "token = User.find_by_username('automation-bot').personal_access_tokens.create(scopes: ['read_user', 'read_repository'], name: 'Automation token', expires_at: 365.days.from_now); token.set_token('token-string-here123'); token.save!"
Revoke a personal access token programmatically
Offering: Self-managed, GitLab Dedicated
You can programmatically revoke a personal access token as part of your tests or automation.
Prerequisites:
- You need sufficient access to run a Rails console session for your GitLab instance.
To revoke a token programmatically:
-
Open a Rails console:
sudo gitlab-rails console
-
To revoke a token of
token-string-here123
, run the following commands:token = PersonalAccessToken.find_by_token('token-string-here123') token.revoke!
This code can be shortened into a single-line shell command using the Rails runner:
sudo gitlab-rails runner "PersonalAccessToken.find_by_token('token-string-here123').revoke!"
Clone repository using personal access token
Offering: Self-managed, GitLab Dedicated
To clone a repository when SSH is disabled, clone it using a personal access token by running the following command:
git clone https://<username>:<personal_token>@gitlab.com/gitlab-org/gitlab.git
This method saves your personal access token in your bash history. To avoid this, run the following command:
git clone https://<username>@gitlab.com/gitlab-org/gitlab.git
When asked for your password for https://gitlab.com
, enter your personal access token.
The username
in the clone
command:
- Can be any string value.
- Must not be an empty string.
Remember this if you set up an automation pipeline that depends on authentication.
Troubleshooting
Unrevoke a personal access token
Offering: Self-managed, GitLab Dedicated
If a personal access token is revoked accidentally by any method, administrators can unrevoke that token. By default, a daily job deletes revoked tokens at 1:00 AM system time.
- Open a Rails console.
-
Unrevoke the token:
token = PersonalAccessToken.find_by_token('<token_string>') token.update!(revoked:false)
For example, to unrevoke a token of
token-string-here123
:token = PersonalAccessToken.find_by_token('token-string-here123') token.update!(revoked:false)
Alternatives to personal access tokens
For Git over HTTPS, an alternative to personal access tokens is to use an OAuth credential helper.