Admin Token API: Impersonation Tokens
Proposal
The Admin Token API allows getting information about arbitrary tokens. It can be used, for example, when a token has leaked, to identify what that token does.
The API already supports reading impersonation tokens, since they share a prefix with personal access tokens. However, they are missing from the documentation and the specs.
This already works for impersonation tokens:
POST /api/v4/admin/token
Result:
{
  "id": 41,
  "name": "impersonation-token",
  "revoked": false,
  "created_at": "2024-11-27T09:58:50.186Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 83,
  "last_used_at": null,
  "active": true,
  "expires_at": "2024-12-27"
}
We should update the documentation and add a spec for this to the API.
In a second step, once !170421 (merged) has been merged, we should add support for revocation.
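For the leaked-token use case described above, an added example (not part of the original issue or of GitLab's code) that looks a token up and triages the response fields shown in the result. The helper names `lookup_token` and `triage` are hypothetical; the `token` request field, the `PRIVATE-TOKEN` header and the midnight-UTC expiry rule are assumptions not stated in this issue.

```python
import json
import urllib.request
from datetime import date

# Constructed sample: the response body shown in this issue.
SAMPLE = json.loads("""{"id": 41, "name": "impersonation-token", "revoked": false,
  "created_at": "2024-11-27T09:58:50.186Z", "scopes": ["read_api"], "user_id": 83,
  "last_used_at": null, "active": true, "expires_at": "2024-12-27"}""")


def lookup_token(base_url, admin_token, leaked_token):
    """POST a leaked token to the Admin Token API and return the parsed JSON.

    Assumption: the `token` body field and PRIVATE-TOKEN header follow the
    GitLab REST API docs; neither is shown in the issue itself.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v4/admin/token",
        data=json.dumps({"token": leaked_token}).encode(),
        headers={"PRIVATE-TOKEN": admin_token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def triage(info, today):
    """Summarise whether the identified token is still usable and by whom."""
    expires = date.fromisoformat(info["expires_at"]) if info.get("expires_at") else None
    # Assumption: a token stops working at 00:00 UTC on its expires_at date.
    expired = expires is not None and expires <= today
    usable = bool(info.get("active")) and not info.get("revoked") and not expired
    return {
        "token_id": info["id"],
        "user_id": info["user_id"],
        "scopes": info.get("scopes", []),
        "usable": usable,
        "ever_used": info.get("last_used_at") is not None,
        "days_left": (expires - today).days if usable and expires else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE, date(2024, 12, 1)))
```

A `usable` result with a null `last_used_at` means the token is live but has no recorded use, which is the case where prompt revocation matters most.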
Edited by Nicholas Wittstruck