API requests made by a non-admin user's token still log the "Bypassing session in admin mode for" line in application.log
While debugging an unrelated issue, I noticed that application.log regularly logs entries like this:
Bypassing session in admin mode for: xx
In this case, xx is the user id of a non-admin user. I can see that the log is probably generated in this source file:
https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/auth/current_user_mode.rb
However, I am not familiar enough with ruby or GitLab internals to evaluate if there is a valid reason that a non-admin user would ever get processed by that code section.
The requests that trigger the log entries are API requests that use a personal access token for authentication. The scope of this token is reported as read_api. I have not checked exactly which endpoints cause the log entries, but the token only accesses /api/v4/projects/ and /api/v4/groups/, so it is probably one of these. The requests themselves are legitimate; they are made by a cron job on another machine that collects some information through the API.
Not sure if this matters, but the token itself was created by an admin while impersonating this non-admin user. The "is_admin" property of user xx is false when I query the API for it.
This whole situation looks odd to me, hence this issue: does this token have more permissions than it is actually supposed to have?
So in summary:
- Personal access token for a user that is not an admin
- token scope is read_api
- generates log messages in application.log that suggest the user / token is in admin mode
- On version 15.3.1-ee (omnibus / docker)
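As an added triage check (not GitLab's code and not part of the report above): a small Ruby script that scans application.log text for the quoted "Bypassing session in admin mode for" line, counts occurrences per user id and flags ids that are absent from a caller-supplied list of admin user ids. The sample log lines and the admin id list are constructed; in practice the admin ids would come from the Users API is_admin field mentioned in the report.

```ruby
# Added triage helper, not GitLab code: find which user ids appear in
# "Bypassing session in admin mode for: <id>" lines and which of those
# are not known admins.

BYPASS_RE = /Bypassing session in admin mode for: (?<uid>\d+)/

# Returns { uid => count } for every bypass line in the given log text.
def bypass_counts(log_text)
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = BYPASS_RE.match(line)
    counts[m[:uid].to_i] += 1 if m
  end
  counts
end

# Returns the subset of counts whose uid is not in admin_ids.
# admin_ids is supplied by the caller (assumed to be gathered from the
# Users API is_admin field); nothing here talks to a GitLab instance.
def non_admin_bypasses(counts, admin_ids)
  counts.reject { |uid, _| admin_ids.include?(uid) }
end

# Constructed sample log lines in the shape described in the report.
SAMPLE_LOG = <<~LOG
  2022-09-01T10:00:01.123Z: Bypassing session in admin mode for: 42
  2022-09-01T10:00:02.456Z: Bypassing session in admin mode for: 7
  2022-09-01T10:00:03.789Z: Bypassing session in admin mode for: 42
  2022-09-01T10:00:04.000Z: some unrelated application.log entry
LOG

if __FILE__ == $0
  counts = bypass_counts(SAMPLE_LOG)
  # Constructed: user 7 is an admin, user 42 is not.
  non_admin_bypasses(counts, [7]).each do |uid, n|
    puts "user #{uid}: #{n} admin-mode bypass line(s), not an admin"
  end
end
```

Run it against a real application.log by replacing SAMPLE_LOG with the file contents and the admin id list with the ids reported as is_admin by the API.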