
Admin Token API: Revoke token

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you can request access to GitLab Duo.

What does this MR do and why?

This commit adds an admin API for token revocation.

Adds a REST API that allows the following:

DELETE /api/v4/admin/token

| Attribute | Type | Required | Description |
|-----------|------|----------|-------------|
| token | string | Yes | Token that should be revoked. |

Issue: #499958 (closed)

🛠️ with ❤️ at Siemens

MR acceptance checklist

MR Checklist ( @nwittstruck)

How to set up and validate locally

  1. Enable both feature flags via rails c:
Feature.enable(:admin_agnostic_token_finder)
Feature.enable(:api_admin_token_revoke)
  2. You'll need to create two new personal access tokens: https://gdk.test:3443/-/user_settings/personal_access_tokens

    1. A personal access token with admin capabilities.
    2. A personal access token with limited capabilities that you want to revoke. You can also revoke the admin token if you'd like, however for testing I prefer to use separate tokens.
  3. Now you can revoke a token:

curl -k --request DELETE \
--url 'https://gdk.test:3443/api/v4/admin/token' \
--header 'Authorization: Bearer <Admin Token from Step 2.1>' \
--header 'Content-Type: application/json' \
--data '{"token": "glpat-<example-token-from-step-2.2>"}'

Related to #499958 (closed)

Edited by Nicholas Wittstruck
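
An added example, not part of the merge request or GitLab's code: batch-revoking a list of leaked tokens through the `DELETE /api/v4/admin/token` endpoint described above, with the secrets kept out of the URL and out of the log output. The function names, the `send` parameter (used to exercise the logic offline) and any host or token values passed in are assumptions for illustration.

```python
import json
import urllib.error
import urllib.request

REVOKE_PATH = "/api/v4/admin/token"  # endpoint from the MR description


def build_revoke_request(base_url, admin_token, token_to_revoke):
    """Build the DELETE request; the token travels in the JSON body, never in the URL."""
    body = json.dumps({"token": token_to_revoke}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + REVOKE_PATH,
        data=body,
        method="DELETE",
        headers={
            "Authorization": f"Bearer {admin_token}",
            "Content-Type": "application/json",
        },
    )


def redact(token, keep=4):
    """Keep the type prefix (e.g. glpat) and a short tail so logs hold no usable secret."""
    prefix, sep, rest = token.partition("-")
    if not sep:  # no recognisable prefix: hide everything but the tail
        prefix, rest = "", token
    tail = rest[-keep:] if len(rest) > keep * 2 else ""
    return f"{prefix}{sep}***{tail}"


def revoke_all(base_url, admin_token, tokens, send=urllib.request.urlopen):
    """Revoke each distinct token once; return [(redacted_token, http_status), ...]."""
    results = []
    unique = dict.fromkeys(t.strip() for t in tokens if t.strip())
    for token in unique:
        req = build_revoke_request(base_url, admin_token, token)
        try:
            with send(req) as resp:  # TLS verification stays on (no curl -k equivalent)
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # record the failure and keep going with the rest
        results.append((redact(token), status))
    return results
```
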
