Admin Token API: Identify CI/CD Job Tokens
Proposal
The Admin Token API allows getting information about arbitrary tokens. It can be used, for example, when a token has leaked, to identify what the token does.
It currently lacks support for CI/CD Job Tokens, both for identification and for revocation. See the current implementation status.
POST /api/v4/admin/token should return information about the job that the token is associated with:
{
  "id": 385,
  "status": "pending",
  "stage": "deploy",
  "name": "helm:download",
  "ref": "refs/merge-requests/2/head",
  "tag": false,
  "coverage": null,
  "allow_failure": false,
  "created_at": "2024-11-27T14:16:55.229Z",
  "started_at": null,
  "finished_at": null,
  "erased_at": null,
  "duration": null,
  "queued_duration": 163859.170102,
  "user": {
    ...
  },
  "commit": {
    ...
  },
  "pipeline": {
    ...
  },
  "web_url": "http://gdk.test:3000/toolbox/gitlab-smoke-tests/-/jobs/385",
  "project": {
    "ci_job_token_scope_enabled": false
  },
  "artifacts": [],
  "runner": null,
  "runner_manager": null,
  "artifacts_expire_at": null,
  "archived": false,
  "tag_list": []
}
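How a responder could consume the proposed response during leaked-token triage, as an added example (not GitLab's code and not part of the proposal). The function names, the `ENDED` status set and the `username` value are assumptions made for illustration; the `token` request field and `PRIVATE-TOKEN` header are those of the existing Admin Token API.

```python
import json
import urllib.request

# Assumption: job statuses after which the job has ended and its token is no longer usable.
ENDED = {"success", "failed", "canceled", "skipped"}


def build_lookup_request(base_url, admin_pat, leaked_token):
    """Build (without sending) the POST /api/v4/admin/token lookup for a found token."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/admin/token",
        data=json.dumps({"token": leaked_token}).encode(),
        headers={"PRIVATE-TOKEN": admin_pat, "Content-Type": "application/json"},
        method="POST",
    )


def triage_job_token(job):
    """Reduce the proposed job response to the facts a responder needs first."""
    ref = job.get("ref") or ""
    # A job that has neither finished nor reached an ended status may still hold a usable token.
    live = job.get("finished_at") is None and job.get("status") not in ENDED
    return {
        "job_id": job.get("id"),
        "job": f'{job.get("stage")}/{job.get("name")}',
        "web_url": job.get("web_url"),
        "triggered_by": (job.get("user") or {}).get("username"),
        "from_merge_request": ref.startswith("refs/merge-requests/"),
        "possibly_live": live,
        "job_token_scope_enabled": (job.get("project") or {}).get("ci_job_token_scope_enabled"),
    }


# Constructed sample: fields from the proposal's response; "username" is a made-up value.
SAMPLE = json.loads("""{
  "id": 385, "status": "pending", "stage": "deploy", "name": "helm:download",
  "ref": "refs/merge-requests/2/head", "started_at": null, "finished_at": null,
  "user": {"username": "example-user"},
  "web_url": "http://gdk.test:3000/toolbox/gitlab-smoke-tests/-/jobs/385",
  "project": {"ci_job_token_scope_enabled": false}
}""")

if __name__ == "__main__":
    print(json.dumps(triage_job_token(SAMPLE), indent=2))
```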