Admin Token API: Reset OAuth Application Secrets

Proposal

The Admin Token API allows revoking arbitrary tokens. It can be used to identify what a token does, e.g. in the context of leaked tokens, and revoke it.

It currently lacks support to reset OAuth application secrets. See the current implementation status.

Since OAuth application secrets cannot be revoked yet, we'll have to reset them.

DELETE /api/v4/admin/token

{"token": "gloas-..."}

The request should renew the secret and return a 204.

We should not return the new token to stay consistent with the other token types that support revocation.
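
A sketch of the proposed behaviour, added here as an illustration and not taken from the GitLab code base: a leaked `gloas-` secret is looked up by digest, replaced, and the response is a 204 with no body. `AppStore`, `revoke_admin_token`, the in-memory storage and the 404/422 statuses are assumptions; the proposal only specifies the 204.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory stand-in for the OAuth applications table.
# Only a digest of each secret is kept, so lookups hash the presented token.
class AppStore
  PREFIX = 'gloas-' # prefix shown in the proposal's request body

  def initialize
    @digest_by_app = {}
  end

  def register(app_id)
    rotate(app_id)
  end

  # Issues a fresh secret and overwrites the stored digest, which
  # invalidates the previous secret. Returns the plaintext secret.
  def rotate(app_id)
    secret = PREFIX + SecureRandom.hex(32)
    @digest_by_app[app_id] = Digest::SHA256.hexdigest(secret)
    secret
  end

  # Returns the owning application id, or nil if no secret matches.
  def find_app(secret)
    @digest_by_app.key(Digest::SHA256.hexdigest(secret))
  end
end

# Models DELETE /api/v4/admin/token with body {"token": "..."}.
# Returns [status, body]; the body is always nil.
def revoke_admin_token(store, token)
  # Assumed status for input that is not an OAuth application secret.
  return [422, nil] unless token.is_a?(String) && token.start_with?(AppStore::PREFIX)

  app_id = store.find_app(token)
  return [404, nil] if app_id.nil? # assumed status for an unknown secret

  # The new secret is deliberately discarded: whoever submitted the leaked
  # value must not receive a working replacement in the response.
  store.rotate(app_id)
  [204, nil]
end
```

Because the response carries nothing, the application owner has to obtain the renewed secret through their normal application settings, the same as after any other secret renewal.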

References

Edited by Nicholas Wittstruck