Provide mechanism to delete revoked access tokens (Group, Project, Personal)
Problem to solve
We recently introduced an API endpoint to rotate Group, Project, and Personal access tokens in 16.0. With the current behavior, when a token is rotated the same token name/object is kept in the UI; however, if you use the list API endpoints for Group, Project, and Personal access tokens, you will see that the older entries are still kept, tagged as revoked:true.
This information can help users manage and review the tokens being created but in the long run, the number of tokens will grow and there is no way to clean them up.
Proposal
Provide some mechanism to delete older revoked tokens. We can consider either:
- Adding an additional API endpoint to delete revoked tokens.
- Adding a configurable lifetime for revoked tokens that would automatically delete them after that period has elapsed.
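The retention logic behind the second option, as an added example (not GitLab's code): it consumes a constructed list-API style response, groups entries by token name so that a rotation chain (active token plus its revoked predecessors) is visible, and selects revoked tokens older than a configurable lifetime. The list endpoints do not report when a token was revoked, so the example assumes the revocation time of a rotated token is the created_at of its successor and, for a token without a successor, its expires_at; entries whose age cannot be established are set aside for manual review rather than deleted. The sample JSON, the clock value and the 30-day lifetime are constructed for the example.

```python
"""Retention policy for revoked GitLab access tokens, run offline on a
constructed list-API style response (added example, not GitLab's code)."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample shaped like the access-token list endpoints' JSON (fields trimmed).
# Tokens 1 -> 2 -> 3 share one name: each rotation left its predecessor as revoked:true.
SAMPLE_LIST_RESPONSE = json.dumps([
    {"id": 1, "name": "ci-deploy", "revoked": True, "active": False,
     "created_at": "2023-03-01T10:00:00Z", "expires_at": "2024-03-01"},
    {"id": 2, "name": "ci-deploy", "revoked": True, "active": False,
     "created_at": "2023-05-01T10:00:00Z", "expires_at": "2024-05-01"},
    {"id": 3, "name": "ci-deploy", "revoked": False, "active": True,
     "created_at": "2023-06-20T10:00:00Z", "expires_at": "2024-06-20"},
    {"id": 4, "name": "old-script", "revoked": True, "active": False,
     "created_at": "2023-01-01T10:00:00Z", "expires_at": "2023-02-01"},
    {"id": 5, "name": "manual-revoke", "revoked": True, "active": False,
     "created_at": "2023-06-01T10:00:00Z", "expires_at": None},
])
NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


@dataclass
class Token:
    id: int
    name: str
    revoked: bool
    created_at: datetime
    expires_at: Optional[datetime]


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse either a full timestamp ('...T10:00:00Z') or a bare date ('2024-03-01') as UTC."""
    if value is None:
        return None
    if len(value) == 10:  # date only, as expires_at is reported
        return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_tokens(body: str) -> List[Token]:
    """Turn a list-endpoint JSON body into Token records."""
    return [
        Token(
            id=int(entry["id"]),
            name=entry["name"],
            revoked=bool(entry["revoked"]),
            created_at=_parse_ts(entry["created_at"]),
            expires_at=_parse_ts(entry.get("expires_at")),
        )
        for entry in json.loads(body)
    ]


def revocation_time(token: Token, same_name: List[Token]) -> Optional[datetime]:
    """Assumed revocation time: the earliest successor's created_at (a rotation
    creates the replacement at the moment the old token is revoked), otherwise
    expires_at. A rotated token's own expires_at may still lie in the future,
    which is why the successor is consulted first. None means 'unknown'."""
    successors = [t.created_at for t in same_name if t.created_at > token.created_at]
    if successors:
        return min(successors)
    return token.expires_at


def plan_cleanup(tokens: List[Token], now: datetime, max_age: timedelta) -> Dict[str, List[Token]]:
    """Bucket revoked tokens into delete (older than max_age), keep (younger)
    and review (age cannot be established). Active tokens are never touched."""
    by_name: Dict[str, List[Token]] = defaultdict(list)
    for t in tokens:
        by_name[t.name].append(t)

    buckets: Dict[str, List[Token]] = {"delete": [], "keep": [], "review": []}
    for t in sorted(tokens, key=lambda x: x.id):
        if not t.revoked:
            continue
        revoked_at = revocation_time(t, by_name[t.name])
        if revoked_at is None:
            buckets["review"].append(t)
        elif now - revoked_at >= max_age:
            buckets["delete"].append(t)
        else:
            buckets["keep"].append(t)
    return buckets


if __name__ == "__main__":
    result = plan_cleanup(parse_tokens(SAMPLE_LIST_RESPONSE), NOW, timedelta(days=30))
    for bucket, entries in result.items():
        print(bucket, [f"{t.id}:{t.name}" for t in entries])
```

Run against the sample, token 1 (rotated 61 days ago) and token 4 (expired 150 days ago) land in the delete bucket, token 2 (rotated 11 days ago) is kept, and token 5, which was revoked by hand and carries no expiry, is left for a human to look at. Whichever option the proposal settles on, the review bucket is the case to keep in mind: an automatic lifetime needs a recorded revocation time to act on, or such tokens will never age out.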
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Alex (Security Operations Engineer)
- Cameron (Compliance Manager)
Feature Usage Metrics
Does this feature require an audit event?
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.