### Proposal At Security Operations, we developed our own in-house tool, [Token Scoper](https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/automation/toolbox/-/tree/main/gitlab/gitlab_token_scoper), to analyse token associations (group and project memberships) in order to speed up the response to leaked PATs incidents and assess impact more efficiently. As part of our [dogfooding efforts](https://gitlab.com/gitlab-com/content-sites/handbook/-/merge_requests/5876/ "Draft: Formalize the Security Division's dogfooding program") within the division, we want to integrate the Token Scoper within the product. This can be done by creating a new API endpoint that would return the same information the Token Scoper would for a given personal / project / group access token. The new endpoint would live at `/personal_access_tokens/self/associations` and would return something like that: ```json { "projects" : [ { "name" : "aaaa", "id": 123, "namespace" : "aaag", "web_url" : "https://aaaa" }, { "name" : "bbbb", "id": 234, "namespace" : "bbbg", "web_url" : "https://bbbb" } ], "groups" : [ { "name" : "cccc", "id": 345, "parent" : "cccg", "organization" : "ccco", "web_url" : "https://ccc" } ] } ``` We also want to include some sort of filter on permission levels, so that it only returns entries above a certain permission level.