### Proposal Currently if I want to rotate a token, I will need to use a token with `api` scope. So, for example, if I want to automatize rotation of `write_repository` scoped token, I will need either - to give also an `api` scope to my token and then self rotate the token, which is somehow against the *Least Privilege Principle* - to have a second token, `api` scoped, and use it to rotate the first one (note that I will also need to rotate the second token). Thus, the need to renew tokens could lead to a multiplication of `api` scoped tokens, which, in my opinion, is not a safe option. The proposal here, is to add a `rotate_self` scope to allow one token to rotate itself. The token with `rotate_self` scope would not have access to the entire api, but only, for example, to the `https://gitlab.example.com/api/v4/personal_access_tokens/self/rotate` endpoint in order to allow the token to to self-rotate. This would lead to a simpler and safer token rotation procedure than the current one, which requires a second `api` scoped token to rotate a token (and even a third one `api` scoped token to enable automatic mutual rotation of the `api` scoped tokens). Related issues: - #426779+ - #428256+ - #414600+