Allow tokens with any scope to use the self-revocation API

Proposal

A new API was introduced in #350240 (closed) to allow personal access tokens to revoke themselves via a DELETE request to /api/v4/personal_access_tokens/self.

Because it's a DELETE request, it requires the api scope; however, it would be a great security (incident response) benefit to allow tokens with any scope to call this API.
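
An incident-response helper built on the endpoint above, as an added example that is not part of the original issue or of GitLab's code: it asks each leaked token to revoke itself and lists the ones the API refuses, which today includes tokens lacking the api scope. The host name, the function names and the status-code mapping (204 revoked, 401 already invalid, 403 insufficient scope) are assumptions.

```python
import urllib.error
import urllib.request

SELF_REVOKE_PATH = "/api/v4/personal_access_tokens/self"  # endpoint named in the issue


def build_request(base_url, token):
    """Build the DELETE request that asks GitLab to revoke `token` itself."""
    return urllib.request.Request(
        base_url.rstrip("/") + SELF_REVOKE_PATH,
        method="DELETE",
        headers={"PRIVATE-TOKEN": token},  # the token authenticates its own revocation
    )


def classify(status):
    """Map an HTTP status to a triage outcome (assumed mapping, see lead-in)."""
    if status == 204:
        return "revoked"
    if status == 401:
        return "already-invalid"     # unknown, expired or previously revoked
    if status == 403:
        return "insufficient-scope"  # token lacks the api scope: the gap described above
    return "unexpected-%d" % status


def revoke_self(base_url, token, opener=urllib.request.urlopen):
    """Send the request; `opener` is injectable so the logic can be tested offline."""
    req = build_request(base_url, token)
    try:
        with opener(req, timeout=10) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


def triage(base_url, leaked_tokens, opener=urllib.request.urlopen):
    """Revoke each leaked token; return all outcomes and those needing manual action."""
    results = {}
    for tok in leaked_tokens:
        # Key by a short suffix so full secrets never reach logs or tickets.
        results["..." + tok[-4:]] = revoke_self(base_url, tok, opener)
    needs_manual = [k for k, v in results.items()
                    if v not in ("revoked", "already-invalid")]
    return results, needs_manual
```

Anything returned in `needs_manual` still has to be revoked by its owner or an administrator, which is the delay the proposal aims to remove.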