Admin Token API: Revoke token
Problem to solve
As an instance administrator, I want to be able to revoke tokens using a unified API. Instead of first identifying the type of the token, this API should allow revocation regardless of the type. As such, it goes further than the existing Token Revocation API, which is scoped to groups.
Proposal
We could add a DELETE method to the existing Token Information API:
DELETE /api/v4/admin/token
Attribute | Type | Required | Description |
---|---|---|---|
token | string | Yes | Token that should be revoked. |
In a first iteration, we should start with the token types that are currently handled by the Token Information API, i.e. PersonalAccessToken and DeployToken.
Supported Tokens
Token Type | Status | MR |
---|---|---|
Personal access token | | !170421 |
OAuth Application Secret | | |
Impersonation token | | |
Project access token | | |
Group access token | | |
Deploy token | | !170421 |
Runner authentication token | | |
CI/CD Job token | | |
Trigger token | | |
Feed token | | !170421 |
Incoming mail token | | |
GitLab agent for Kubernetes token | | |
GitLab session cookies | | |
SCIM Tokens | | |
Feature Flags Client token | | |
See #460778 (closed) for an in-depth analysis of existing support for token revocation.
We should reuse the existing feature flag for this feature (admin_agnostic_token_finder).
Intended users
Does this feature require an audit event?
Yes, we should add an audit event so that it is possible to tell when, and by whom, a token has been revoked.
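To make the two design points above concrete (the type-agnostic lookup behind a single DELETE /api/v4/admin/token handler, and the audit event it should emit), here is a small Ruby model. It is an added example written for this page, not GitLab's code: the Token and AuditEvent structs, the per-type stores, the `sample_stores` data (constructed values such as `pat-sample-1`, not real token formats) and the `AdminTokenRevoker` class are all assumptions made for illustration. It covers the three types the table above marks with an MR (personal access, deploy and feed tokens); a real implementation would use GitLab's models and audit-event framework instead of in-memory arrays.

```ruby
require 'json'

# Constructed stand-in for a stored token row (not a GitLab model). The secret
# value is kept here only so the toy can look a token up by value.
Token = Struct.new(:id, :value, :revoked) do
  def revoke!
    self.revoked = true
  end
end

# Audit record: carries the token type and id, never the secret itself, so the
# audit log cannot become a second place the token can leak from.
AuditEvent = Struct.new(:author, :token_type, :token_id, :action)

class AdminTokenRevoker
  # stores: { 'PersonalAccessToken' => [Token, ...], ... }, tried in this order
  def initialize(stores, audit_log)
    @stores = stores
    @audit_log = audit_log
  end

  # Models the proposed handler. `params` mirrors the request body
  # ({ 'token' => '...' }); returns [http_status, body_hash_or_nil].
  def call(current_user, params)
    return [403, { 'message' => '403 Forbidden' }] unless current_user[:admin]

    value = params['token'].to_s
    return [400, { 'message' => 'token is missing' }] if value.empty?

    type, token = find_any(value)
    # Unknown and already-revoked tokens look the same to the caller (404), a
    # choice made in this model so the response does not reveal whether a
    # string was ever a valid token.
    return [404, { 'message' => '404 Not Found' }] if token.nil?

    token.revoke!
    @audit_log << AuditEvent.new(current_user[:username], type, token.id, 'revoke')
    [204, nil]
  end

  # Type-agnostic lookup: the caller never states the type; each store is
  # tried in turn and the first active match wins, together with its type.
  def find_any(value)
    @stores.each do |type, tokens|
      match = tokens.find { |t| t.value == value && !t.revoked }
      return [type, match] if match
    end
    [nil, nil]
  end
end

# Constructed sample data (values are placeholders, not real token formats).
def sample_stores
  {
    'PersonalAccessToken' => [Token.new(1, 'pat-sample-1', false)],
    'DeployToken'         => [Token.new(11, 'deploy-sample-1', false)],
    'FeedToken'           => [Token.new(21, 'feed-sample-1', false)]
  }
end

if __FILE__ == $PROGRAM_NAME
  log = []
  revoker = AdminTokenRevoker.new(sample_stores, log)
  status, body = revoker.call({ username: 'root', admin: true }, { 'token' => 'deploy-sample-1' })
  puts "status=#{status} body=#{body.to_json}"
  puts log.map(&:to_h).to_json
end
```

Two details worth keeping when the real endpoint is written: the token travels in the request body rather than the URL, so it does not end up in access logs, and the audit event records type and id but not the secret.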