Sender constraining access tokens
The blueprint captures the specification and implementation details for rolling out the Demonstrating Proof of Possession (DPoP) mechanism for Personal Access Tokens (PATs). A section at the end also discusses the mTLS alternative and explains why we chose DPoP over mTLS.
The suggestion is to add DPoP as an opt-in setting under the User profile section, perhaps on the Personal Access Tokens page, that interested users can enable to protect all API access made with their PAT.
Related to gitlab-org/gitlab#425130 and https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/509.
Edited by Rohit Shambhuni