HTTPS based deploy keys (deploy tokens)

Zendesk: https://gitlab.zendesk.com/agent/tickets/31606

We have a client service that needs to clone a repository. It cannot use ssh, and thus cannot use a regular ssh-based deploy key. Is it possible to create an HTTP(S)-based deploy key, so that we can configure the client to access https://SECRETKEY@gitlaburl.com/repo.git?

The repo can be accessed like this:

git clone https://gitlab-ci-token:<YOUR_TOKEN>@<GITLAB_INSTANCE_URL>/<USERNAME_OR_GROUPNAME>/<REPO_NAME>.git

However, this presents the following worries:

  • There is only one such token to be shared for all clients of a project. This makes it harder to revoke access, without having to revisit all client setups.
  • The ci-token is unique to each project. If the client will need access to multiple projects, you will need to configure a unique token for each.
  • It "feels wrong" to use a token that is specifically named "gitlab-ci-token" for something else.

Customer Proposal

Would it not be smart to extend the "deploy keys" concept with HTTPS-based keys, like this:

  • Create the deploy key directly in the user interface (no need to run ssh-keygen locally)
  • Works like the ssh-based deploy key, but for https
  • Share it between projects, for easy manageability (?)
  • Create multiple keys for multiple clients, and revoke the ones you need

I would love to hear your thoughts: @DouweM @ayufan @JobV

Edited by Nick Thomas