Represents a GitLab personal access token (PAT) belonging to a user account. PATs are API credentials that authenticate as the owning user and carry a subset of that user's permissions, scoped to the API scopes listed on the token. A PAT with api scope grants the same access as the user for all API operations.
The GL_HasPrivilegeOf edge from a PAT to its owning user captures this privilege equivalence: an attacker who obtains a PAT effectively has the same group/project access as the user.
PAT values may be discovered via CI/CD variables (GL_IsToken from variable nodes), secret scanning (GL_IsToken from Secret nodes), or collected directly from the GitLab API (when the token was created and the value was captured).
Each node carries GL_PersonalAccessToken as its primary kind and GL_AccessToken as a base kind, allowing queries that target all token types generically.
| Property Name | Data Type | Description |
|---|---|---|
| name | string | Token name (user-defined label) |
| active | bool | Whether the token is currently active (not revoked and not expired) |
| revoked | bool | Whether the token has been explicitly revoked |
| scopes | string[] | API scopes granted to this token (e.g., api, read_repository, write_registry) |
| created_at | datetime | When the token was created |
| last_used | datetime | When the token was last used for authentication |
| expires_at | datetime | Token expiration date (never if no expiration) |

```mermaid
flowchart TD
    GL_User[fa:fa-user GL_User]
    GL_PersonalAccessToken[fa:fa-key GL_PersonalAccessToken]
    GL_User -.->|GL_HasToken| GL_PersonalAccessToken
    GL_PersonalAccessToken -->|GL_HasPrivilegeOf| GL_User
```
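
The following Python is an added example, not code from the project this page documents: it models PAT nodes with the kinds, properties and edges described on this page, then lists active tokens worth reviewing together with the user each one stands in for. The in-memory node and edge layout, `None` for a missing expiry, the 90-day staleness threshold and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records; keys follow the property table, "id"/"owner" are assumed helpers.
SAMPLE_TOKENS = [
    {"id": "pat-1", "owner": "alice", "name": "ci-deploy", "active": True, "revoked": False,
     "scopes": ["api"], "expires_at": None, "last_used": "2023-01-10T08:00:00+00:00"},
    {"id": "pat-2", "owner": "bob", "name": "registry-pull", "active": True, "revoked": False,
     "scopes": ["read_repository"], "expires_at": "2030-01-01T00:00:00+00:00", "last_used": "2024-05-30T12:00:00+00:00"},
    {"id": "pat-3", "owner": "carol", "name": "old-script", "active": False, "revoked": True,
     "scopes": ["api"], "expires_at": None, "last_used": None},
]

def build_graph(tokens):
    """Return (nodes, edges) using the kinds and edge types named on this page (layout assumed)."""
    nodes, edges = {}, []
    for t in tokens:
        user_id = "user-" + t["owner"]
        nodes[user_id] = {"kinds": ["GL_User"], "properties": {"name": t["owner"]}}
        props = {k: t[k] for k in ("name", "active", "revoked", "scopes", "expires_at", "last_used")}
        nodes[t["id"]] = {"kinds": ["GL_PersonalAccessToken", "GL_AccessToken"], "properties": props}
        edges.append((user_id, "GL_HasToken", t["id"]))
        edges.append((t["id"], "GL_HasPrivilegeOf", user_id))
    return nodes, edges

def review_tokens(nodes, edges, now, stale_days=90):
    """List active tokens (matched via the base kind) with the user whose access they carry."""
    findings = []
    for src, kind, dst in edges:
        if kind != "GL_HasPrivilegeOf" or "GL_AccessToken" not in nodes[src]["kinds"]:
            continue
        p = nodes[src]["properties"]
        if not p["active"]:
            continue  # revoked or expired tokens no longer authenticate
        reasons = []
        if "api" in p["scopes"]:
            reasons.append("api scope")  # same API access as the owning user
        if p["expires_at"] is None:
            reasons.append("no expiration")
        last = p["last_used"]
        if last is None or (now - datetime.fromisoformat(last)).days > stale_days:
            reasons.append("stale")  # unused credentials are candidates for revocation
        if reasons:
            findings.append((src, nodes[dst]["properties"]["name"], reasons))
    return findings

if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE_TOKENS)
    for finding in review_tokens(nodes, edges, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(finding)
```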