Skip to content

last_used_ips missing in PAT self-inform API response

Summary

With !161076 (merged), the GET personal_access_tokens/:id API response includes a new last_used_ips field (array of recently seen client IP using the token). But this field is missing in the response from GET personal_access_tokens/self.

These responses are otherwise perfectly identical (for the same token).

This has been mentioned by @jurgenhaas in #524327 (comment 2424062698), but is not the main focus of #524327 (closed), so I think it deserves it's own separate issue. Also, I've checked it's not fixed in the current version of !187403 (merged) (the fix for #524327 (closed)).

Steps to reproduce

  • create a PAT with read_api scope ($TOKEN in following steps)
  • use it, for instance to call the self-inform API:
% curl -sSf -H "PRIVATE-TOKEN: $TOKEN" \
  https://gitlab.com/api/v4/personal_access_tokens/self \
  | jq '{id,last_used_ips}'
{
  "id": 13789747,
  "last_used_ips": null
}
  • call the by-id GET PAT API - last_used_ips is present:
% curl -sSf -H "PRIVATE-TOKEN: $TOKEN" \
  https://gitlab.com/api/v4/personal_access_tokens/13789747 \
  | jq '{id,last_used_ips}'
{
  "id": 13789747,
  "last_used_ips": [
    "193.x.x.x"
  ]
}
  • call the self-inform GET PAT API again, just to be sure - last_used_ips is missing:
% curl -sSf -H "PRIVATE-TOKEN: $TOKEN" \
  https://gitlab.com/api/v4/personal_access_tokens/self \
  | jq '{id,last_used_ips}'
{
  "id": 13789747,
  "last_used_ips": null
}

Note: I've redacted my IP address.

What is the current bug behavior?

No last_used_ips in the response of the self-inform variant of the API, where as all other fields are perfectly matching the by-id response for the same token.

What is the expected correct behavior?

The two responses for the same token, retrieved by id or by self-inform variant, should be identical.

Relevant logs and/or screenshots

full response from by-id PAT API 
% curl -sSf -H "PRIVATE-TOKEN: $TOKEN" \
  https://gitlab.com/api/v4/personal_access_tokens/13789747 \
  | jq .
{
  "id": 13789747,
  "name": "tmp-last_used_ips",
  "revoked": false,
  "created_at": "2025-04-09T21:14:37.169Z",
  "description": "",
  "scopes": [
    "read_api"
  ],
  "user_id": 2178476,
  "last_used_at": "2025-04-09T21:30:22.630Z",
  "active": true,
  "expires_at": "2025-05-09",
  "last_used_ips": [
    "193.x.x.x"
  ]
}
full response from self-inform PAT API 
% curl -sSf -H "PRIVATE-TOKEN: $TOKEN" \
  https://gitlab.com/api/v4/personal_access_tokens/self \
  | jq .
{
  "id": 13789747,
  "name": "tmp-last_used_ips",
  "revoked": false,
  "created_at": "2025-04-09T21:14:37.169Z",
  "description": "",
  "scopes": [
    "read_api"
  ],
  "user_id": 2178476,
  "last_used_at": "2025-04-09T21:30:22.630Z",
  "active": true,
  "expires_at": "2025-05-09"
}

Output of checks

This bug happens on GitLab.com

Possible fixes

I think the issue is PersonalAccessTokens::SelfInformation.personal_access_tokens not returning an Entities::PersonalAccessTokenWithLastUsedIps.

I will soon open a merge-request fixing this.