OAuth and Personal Access Token scopes are undocumented

We mention read_user and api scopes in documentation, but never describe what these scopes actually mean.

/cc @axil

added ~17488 oauth labels

added docs-fix label

@timothyandrew I remember you worked on PAT, can you shed a little light here and add a few words so that I can add in docs? Check also the discussion and questions from this comment onward https://gitlab.com/gitlab-org/gitlab-ce/issues/19219#note_30046757. Thanks!

We have two references of PAT scattered in docs and I'd like to create a dedicated page for them and then link to it from various places.

• https://docs.gitlab.com/ce/api/README.html#personal-access-tokens
• https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#personal-access-tokens

@axil: We have two scopes at the moment:

• read_user: Allows access to the read-only endpoints under /users. Essentially, any of the GET requests in the Users API are allowed.
• api: Complete access to the API.

---

Is there anything else you want me to elaborate on?

@timothyandrew that's perfect thanks!

changed milestone to %9.3

mentioned in merge request !11845 (merged)

mentioned in issue #33261 (closed)

assigned to @axil

marked the checklist item api/oauth2.md:94:2. These users can access the API using [personal access tokens] instead. as completed

marked the checklist item api/oauth2.md:104:Never store the users credentials and only use this grant type when your client is deployed to a trusted environment, in 99% of cases [personal access tokens] are a better choice. as completed

changed the description

marked the checklist item api/oauth2.md:137:[personal access tokens]: ./README.md#personal-access-tokens as completed

marked the checklist item api/README.md:83:access tokens. as completed

marked the checklist item api/README.md:124:You can create as many personal access tokens as you like from your GitLab as completed

marked the checklist item api/session.md:6:2. These users can access the API using [personal access tokens] instead. as completed

marked the checklist item api/session.md:55:[personal access tokens]: ./README.md#personal-access-tokens as completed

changed the description

marked the checklist item user/project/container_registry.md:118:The preferred way to do this, is by using personal access tokens, which can be as completed

changed the description

marked the checklist item ci/docker/using_docker_build.md:286: to pass a personal access token instead of your password in order to login to as completed

changed the description

marked the checklist item user/project/new_ci_build_permissions_model.md:216: to pass a personal access token instead of your password in order to login to as completed

marked the checklist item user/profile/account/two_factor_authentication.md:136:1. Save the personal access token somewhere safe. as completed

marked the checklist item user/profile/account/two_factor_authentication.md:138:When using Git over HTTPS on the command line, enter the personal access token as completed

changed the description

marked the checklist item user/profile/account/two_factor_authentication.md:125:## Personal access tokens as completed

We still have the issue where nothing happens if no scope is provided https://gitlab.com/gitlab-org/gitlab-ce/issues/26412.

changed the description

mentioned in merge request !12128 (merged)

added personal access tokens label

closed via merge request !12128 (merged)

mentioned in commit e207bc20

mentioned in commit afa807d4