Allow tokens with any scope to use the self-revocation API
Proposal
A new API was introduced in #350240 (closed) to allow personal access tokens to revoke themselves via a DELETE
request to /api/v4/personal_access_tokens/self
.
Because it's a DELETE
request it requires the api
scope, however it would be a great security (incident response) benefit to allow tokens with any scope to call this API.