Scope filter for access tokens (new feature)
Proposal
This issue is to discuss the usefulness of a proposed new filter to display access tokens that contain certain scopes.
This would apply to the following APIs:
- GET `/api/v4/personal_access_tokens` https://docs.gitlab.com/api/personal_access_tokens/#list-all-personal-access-tokens
- GET `/api/v4/groups/:group_id/access_tokens` https://docs.gitlab.com/api/group_access_tokens/#list-all-project-access-tokens
- GET `/api/v4/projects/:project_id/access_tokens` https://docs.gitlab.com/api/project_access_tokens/#list-all-project-access-tokens
- GET `/api/v4/groups/4/service_accounts/:id/personal_access_tokens` https://docs.gitlab.com/api/group_service_accounts/#list-all-personal-access-tokens-for-a-service-account-user
In addition to the API this new filter could be shown in the following UIs:
- Credential inventory
- Service account PATs
It could look something like this:
Rationale
Scopes grant very different levels of access (read) and activity (write). As an admin or a group owner, I would like to list tokens that could action dangerous activities, for example, `api`, `sudo`, `admin_mode`.
Edited by Eduardo Sanz García
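Until such a filter exists, the same audit can be run client-side, because the list responses already carry each token's `scopes` array. The following is an added example, not part of the original issue or of GitLab's code: the sample tokens are constructed, and the `match` and `include_inactive` parameters are hypothetical, illustrating the any-of versus all-of choice a server-side filter would have to settle.

```python
"""Client-side scope filter over token list responses (added example)."""

# Scopes the issue names as dangerous.
DANGEROUS_SCOPES = frozenset({"api", "sudo", "admin_mode"})

# Constructed sample shaped like entries from GET /api/v4/personal_access_tokens.
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-read", "scopes": ["read_api"], "active": True, "revoked": False},
    {"id": 2, "name": "deploy-bot", "scopes": ["api", "read_repository"], "active": True, "revoked": False},
    {"id": 3, "name": "old-admin", "scopes": ["api", "sudo"], "active": False, "revoked": True},
    {"id": 4, "name": "impersonator", "scopes": ["sudo", "admin_mode", "api"], "active": True, "revoked": False},
    {"id": 5, "name": "malformed"},  # no scopes/active fields: treated as inactive, no scopes
]


def filter_by_scopes(tokens, wanted=DANGEROUS_SCOPES, match="any", include_inactive=False):
    """Return tokens whose scopes contain any (or all) of `wanted`.

    `match` and `include_inactive` are hypothetical parameters, not GitLab API options.
    """
    if match not in ("any", "all"):
        raise ValueError("match must be 'any' or 'all'")
    wanted = frozenset(wanted)
    hits = []
    for token in tokens:
        # Revoked or inactive tokens grant nothing today; skip them unless asked.
        if not include_inactive and (token.get("revoked") or not token.get("active", False)):
            continue
        scopes = frozenset(token.get("scopes") or [])
        matched = scopes & wanted
        if (match == "any" and matched) or (match == "all" and wanted <= scopes):
            hits.append({"id": token["id"], "name": token["name"], "matched": sorted(matched)})
    # Widest access first so the riskiest tokens lead the report.
    return sorted(hits, key=lambda h: (-len(h["matched"]), h["id"]))


if __name__ == "__main__":
    for hit in filter_by_scopes(SAMPLE_TOKENS):
        print(hit)
```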