Document how to identify expired access tokens from the logs

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157277 added the `meta.auth_fail_reason` and `meta.auth_fail_token_id` log fields to identify expired access tokens. This commit documents these fields. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/464652 Update for failing docs-lint

Document how to identify expired access tokens from the logs
7942ee16 · Stan Hu · Smriti Garg · 6500e40c · 7942ee16
Unverified Commit 7942ee16 authored 7 months ago by Stan Hu Committed by Smriti Garg 7 months ago
--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -293,6 +293,47 @@ result in `403 Forbidden` responses from GitLab.com.
  
 For more information on authentication request limits, see [Git and container registry failed authentication ban](../user/gitlab_com/index.md#git-and-container-registry-failed-authentication-ban).
  
+### Identify expired access tokens from logs
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/464652) in GitLab 17.2.
+
+Prerequisites:
+
+You must:
+
+- Be an administrator.
+- Have access to the [`api_json.log`](../administration/logs/index.md#api_jsonlog) file.
+
+To identify which `401 Unauthorized` requests are failing due to
+expired access tokens, use the following fields in the `api_json.log` file:
+
+|Field name|Description|
+|----------|-----------|
+|`meta.auth_fail_reason`|The reason the request was rejected. Possible values: `token_expired`, `token_revoked`, `insufficient_scope`, and `impersonation_disabled`.|
+|`meta.auth_fail_token_id`|A string describing the type and ID of the attempted token.|
+
+When a user attempts to use an expired token, the `meta.auth_fail_reason`
+is `token_expired`. The following shows an excerpt from a log
+entry:
+
+```json
+{
+  "status": 401,
+  "method": "GET",
+  "path": "/api/v4/user",
+  ...
+  "meta.auth_fail_reason": "token_expired",
+  "meta.auth_fail_token_id": "PersonalAccessToken/12",
+}
+```
+
+`meta.auth_fail_token_id` indicates that an access token of ID 12 was used.
+
+To find more information about this token, use the [personal access token API](../api/personal_access_tokens.md#get-single-personal-access-token).
+You can also use the API to [rotate the token](../api/personal_access_tokens.md#rotate-a-personal-access-token).
+
+### Replace expired access tokens
+
 To replace the token:
  
 1. Check where this token may have been used previously, and remove it from any