Diffstat (limited to 'doc/api/personal_access_tokens.md')
-rw-r--r-- | doc/api/personal_access_tokens.md | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/doc/api/personal_access_tokens.md b/doc/api/personal_access_tokens.md index 691c094f9eb..901f99caee7 100644 --- a/doc/api/personal_access_tokens.md +++ b/doc/api/personal_access_tokens.md @@ -4,9 +4,9 @@ group: Compliance info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- -# Personal access tokens API **(FREE)** +# Personal access tokens API **(FREE ALL)** -You can read more about [personal access tokens](../user/profile/personal_access_tokens.md#personal-access-tokens). +You can read more about [personal access tokens](../user/profile/personal_access_tokens.md). ## List personal access tokens @@ -235,6 +235,21 @@ curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitla - Token with the specified ID does not exist. - `404: Not Found` if the user is an administrator but the token with the specified ID does not exist. +### Automatic reuse detection + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/395352) in GitLab 16.3 + +For each rotated token, the previous and now revoked token is referenced. This +chain of references defines a token family. In a token family, only the latest +token is active, and all other tokens in that family are revoked. + +When a revoked token from a token family is used in an authentication attempt, +that attempt fails and the active token from the token family gets revoked. +This mechanism helps to prevent compromise when a personal access token is +leaked. + +Automatic reuse detection is enabled for API requests. + ## Revoke a personal access token Revoke a personal access token by either: |
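Review bot: In the second hunk (`@@ -235,6 +235,21 @@`), the closing sentence of the new "Automatic reuse detection" section, "Automatic reuse detection is enabled for API requests.", leaves the scope unclear. It does not say whether a revoked token presented through any other authentication path is also checked, so a reader cannot tell whether a leaked token used outside the API triggers revocation of the family. Suggest stating the limit explicitly, for example that only API requests trigger it, or listing what is not covered. The second paragraph also says the active token "gets revoked" but gives the legitimate owner no guidance: add a sentence on which response the failed attempt returns and how the owner regains access once the whole family is revoked. Finally, "helps to prevent compromise" is vague. The mechanism described limits how long a leaked, already-rotated token can be tried without the owner noticing, and the text would be more useful if it said so.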