
How can I check the scopes (permissions) of a personal access token from GitLab? Given a personal access token, get all the scopes permitted to this token.

Asclepius
MOntu
  • Please add more details to your question. I believe you want to be able to determine scopes given an API token. This is not possible - there is no API for it. I assume there's a security concern, too, as you wouldn't necessarily want someone to be able to enumerate permissions given a token. – Drew Blessing Sep 17 '19 at 18:29

3 Answers

As of 2022, it is not exactly possible to check the scopes of a given PAT (personal access token). It is however possible to list the scopes of all PATs of the user behind the given token.

In other words, if the user behind the given token G has tokens T1 and T2, it is possible to check the scopes of T1 and T2, but it cannot reliably be determined whether G == T1 or G == T2, etc.

To print the scopes of the first non-revoked token using curl and jq:

$ GITLAB_TOKEN="glpat-DefineYourOwn"
$ curl -sS -f -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" -H "Content-Type:application/json" "https://gitlab.com/api/v4/personal_access_tokens" | jq -j "map(select(.revoked == false)) | .[0].scopes | join(\" \")"

Sample output:

read_user read_api

Alas, the above command doesn't know the supplied token from the user's other tokens. It is possible to limit the choices further by also filtering on the name of a token:

$ EXPECTED_TOKEN_NAME_VAR="ci-token"   # the token's name as shown in GitLab (placeholder value)
$ curl -sS -f -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" -H "Content-Type:application/json" "https://gitlab.com/api/v4/personal_access_tokens" | jq -j "map(select((.revoked == false) and (.name == \"${EXPECTED_TOKEN_NAME_VAR}\"))) | .[0].scopes | join(\" \")"
Asclepius

Unfortunately this feature is not available at the moment with GitLab. If this is a self-managed instance you can still find that from the backend/console, but for GitLab.com this feature is not available. The best you can do here is to try the currently defined scopes (read_user, api, read_registry, sudo (GitLab 10.2; allows performing API actions as any user in the system, if the authenticated user is an admin), read_repository, write_repository) with your existing token.

Also this sounds like a fair request. Please consider creating a feature proposal for this here.

Arihant Godha

You can now get all the permissions of a specific token with the help of the API:

GET /personal_access_tokens/self

mentioned in the GitLab docs.

GitLab Docs

Shreyash Shetty
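The two approaches on this page, the token list from the first answer (filter out revoked tokens, optionally match on name, take the first one) and the /personal_access_tokens/self lookup from the last answer, side by side in an added example that is not code from the question or from any of the answers. It makes no network calls: the JSON below is constructed sample data shaped like the GitLab API responses (field names id, name, revoked, active, scopes and expires_at are the documented ones), and the high-risk scope list plus the expiry check are this example's own least-privilege audit, not something the page or GitLab prescribes.

```python
"""Audit GitLab personal access token scopes offline (added example)."""
import json
from datetime import date

# Constructed sample of what GET /personal_access_tokens returns for a user.
SAMPLE_LIST = json.dumps([
    {"id": 1, "name": "ci-deploy", "revoked": False, "active": True,
     "scopes": ["read_user", "read_api"], "expires_at": "2030-01-01"},
    {"id": 2, "name": "old-laptop", "revoked": True, "active": False,
     "scopes": ["api"], "expires_at": None},
    {"id": 3, "name": "admin-script", "revoked": False, "active": True,
     "scopes": ["api", "sudo"], "expires_at": None},
    {"id": 4, "name": "stale-backup", "revoked": False, "active": False,
     "scopes": ["read_repository"], "expires_at": "2023-06-30"},
])

# Constructed sample of what GET /personal_access_tokens/self returns:
# one record describing the token that made the call.
SAMPLE_SELF = json.dumps(
    {"id": 3, "name": "admin-script", "revoked": False, "active": True,
     "scopes": ["api", "sudo"], "expires_at": None})

# Scopes that grant write or impersonation rights (this example's own list).
HIGH_RISK_SCOPES = {"api", "sudo", "write_repository", "write_registry"}


def scopes_of_first_active(list_json, name=None):
    """Answer 1's jq filter in Python: drop revoked tokens, optionally keep only
    tokens with the given name, and return the scopes of the first remaining one."""
    tokens = [t for t in json.loads(list_json) if not t["revoked"]]
    if name is not None:
        tokens = [t for t in tokens if t["name"] == name]
    return tokens[0]["scopes"] if tokens else []


def scopes_of_self(self_json):
    """Answer 3's endpoint: the response is the calling token itself, so there is
    no guessing which of the user's tokens is being inspected."""
    return json.loads(self_json)["scopes"]


def audit(token, today=None):
    """Return a list of findings for one token record (empty list means ok)."""
    today = today or date.today()
    findings = []
    risky = sorted(set(token["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    expires_at = token.get("expires_at")
    if expires_at is None:
        findings.append("no expiry")
    elif date.fromisoformat(expires_at) < today:
        findings.append("expired")
    return findings


def audit_all(list_json, today=None):
    """Audit every non-revoked token; returns {token name: [findings]}."""
    return {t["name"]: audit(t, today)
            for t in json.loads(list_json) if not t["revoked"]}


if __name__ == "__main__":
    print("first active:", " ".join(scopes_of_first_active(SAMPLE_LIST)))
    print("by name:", " ".join(scopes_of_first_active(SAMPLE_LIST, "admin-script")))
    print("self:", " ".join(scopes_of_self(SAMPLE_SELF)))
    for name, findings in audit_all(SAMPLE_LIST, date(2024, 1, 1)).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

To run it against a live instance, replace the two SAMPLE_ constants with the bodies returned by the curl commands above (the list endpoint needs a token with read_api or api scope; the self endpoint only needs the token being checked). The name filter narrows the list but, as the first answer notes, cannot prove which record is the calling token; only the self endpoint does that.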