Add GraphQL mutation for personal access token rotation (!216089) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Similar to the REST API endpoint to rotate a personal access token, this MR adds personalAccessTokenRotate mutation to enable rotating personal access tokens through the GraphQL API.

References

[BE] Graphql mutation to rotate fine-grained PAT (#583545).

Screenshots or screen recordings

Before	After

How to set up and validate locally

Enable granular_personal_access_tokens feature flag
Login with any user
Create a personal access token

Get the global ID of the created personal access token

$ rails c
> PersonalAccessToken.last.to_global_id.to_s
=> "gid://gitlab/PersonalAccessToken/<id>"

Go to http://localhost:3000/-/graphql-explorer and run the following mutation

mutation {
  personalAccessTokenRotate(input: { id: "gid://gitlab/PersonalAccessToken/<id>" }) {
    token {
      name
    }
    errors
  }
}

Verify that errors is empty
Verify that token contains data of the newly created token

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Dec 11, 2025 by Eugie Limpin

Add GraphQL mutation for personal access token rotation

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports