GitLab Launches Fine-Grained Personal Access Tokens in Beta

A leaked token that exposes every project a developer can reach is a serious risk. GitLab is tackling this head-on. The company has released fine-grained personal access tokens (PATs) in beta, giving teams precise control over what each token can access and do.
Until now, a maintainer working across 20 projects might hold a single token scoped to api or read_api. That token, if stolen, could expose source code, pipelines, container registries, and CI/CD variables across every project the user touches. The scope follows the user, not the task.
GitLab fine-grained personal access tokens change that. Each token now carries only the privileges the specific job requires. Teams can define a token along two dimensions: where it can reach, and what it can do there.
On the “where” side, a token can cover personal projects only, all projects and groups the user belongs to, or a specific hand-picked selection. On the “what” side, permissions go down to the resource level. Issues, Merge Requests, Pipelines, Repositories, and the Container Registry each get independent Create, Read, Update, and Delete settings. A pipeline that pushes container images, for instance, gets a token scoped to the Container Registry on one project, with Create and Read only. Nothing else.
The benefit is containment. If that token leaks, the blast radius is one registry on one project, and investigation and remediation start and end there. Two caveats apply. A fine-grained token only narrows what the user can already do; it never grants more than the user's own role on a project allows, so the user's memberships remain the ceiling. And scoping complements rather than replaces the existing safeguards, such as token lifetime limits and automatic revocation of leaked tokens, which restrict how long a stolen token stays useful.
GitLab has also updated the tokens table to make auditing easier. Every token, whether traditional or fine-grained, now displays its exact scopes and per-resource permissions at a glance. Over-privileged tokens are therefore easier to spot during routine security reviews.
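As an added example (not GitLab's own code or API), the following Python script models the two dimensions described above, where a token reaches and what it can do there, and ranks a constructed token inventory by blast radius: the number of (project, resource, action) combinations a holder of a leaked token could exercise. The inventory schema, the token and project names, and the mapping of traditional scopes such as api and read_api onto per-resource CRUD are assumptions for illustration, not GitLab's real API response or permission model.

```python
"""Rank GitLab personal access tokens by blast radius.

Added example, not GitLab's code or API. It models the two dimensions the
article describes, where a token reaches and what it can do there, over a
constructed token inventory. The inventory schema, the token names and the
mapping of traditional scopes onto per-resource CRUD are assumptions.
"""

RESOURCES = ("issues", "merge_requests", "pipelines", "repositories", "container_registry")
ACTIONS = ("create", "read", "update", "delete")

# Assumed simplification: traditional scopes expressed as per-resource CRUD.
TRADITIONAL_SCOPE_MAP = {
    "api": {r: set(ACTIONS) for r in RESOURCES},
    "read_api": {r: {"read"} for r in RESOURCES},
    "read_repository": {"repositories": {"read"}},
    "write_repository": {"repositories": {"create", "read", "update"}},
    "read_registry": {"container_registry": {"read"}},
    "write_registry": {"container_registry": {"create", "read", "update"}},
}

# Constructed sample: the projects one user belongs to (namespace/project).
USER_PROJECTS = [
    "alice/dotfiles", "alice/notes",                       # personal namespace
    "acme/web", "acme/api", "acme/infra", "acme/mobile", "acme/docs", "acme/ops",
]

# Constructed sample token inventory; the field names are assumptions.
SAMPLE_TOKENS = [
    {"name": "laptop-cli", "kind": "traditional", "scopes": ["api"]},
    {"name": "registry-push", "kind": "fine_grained",
     # "other/unknown" is not a project the user belongs to; it is dropped.
     "reach": {"type": "selected", "projects": ["acme/web", "other/unknown"]},
     "permissions": {"container_registry": ["create", "read"]}},
    {"name": "issue-bot", "kind": "fine_grained", "reach": {"type": "all"},
     "permissions": {"issues": ["create", "read", "update"],
                     "repositories": ["read", "delete"]}},
    {"name": "ci-readonly", "kind": "traditional", "scopes": ["read_api"]},
    {"name": "notes-sync", "kind": "fine_grained", "reach": {"type": "personal"},
     "permissions": {"repositories": ["read", "update"]}},
    {"name": "mirror-job", "kind": "traditional",
     "scopes": ["read_repository", "write_registry"]},
]


def reachable_projects(token, user_projects, personal_namespace):
    """The 'where' dimension: which of the user's projects the token reaches.

    A token never reaches beyond the user's own membership, so a selected
    project the user is not a member of is dropped rather than counted.
    """
    if token["kind"] == "traditional":
        return set(user_projects)          # traditional scopes follow the user everywhere
    reach = token["reach"]
    if reach["type"] == "all":
        return set(user_projects)
    if reach["type"] == "personal":
        return {p for p in user_projects if p.split("/")[0] == personal_namespace}
    return set(reach["projects"]) & set(user_projects)


def permissions(token):
    """The 'what' dimension: resource -> set of CRUD actions."""
    if token["kind"] == "traditional":
        merged = {}
        for scope in token["scopes"]:
            for resource, actions in TRADITIONAL_SCOPE_MAP.get(scope, {}).items():
                merged.setdefault(resource, set()).update(actions)
        return merged
    return {resource: set(actions) for resource, actions in token["permissions"].items()}


def blast_radius(token, user_projects, personal_namespace):
    """Every (project, resource, action) a holder of a leaked token could exercise."""
    projects = reachable_projects(token, user_projects, personal_namespace)
    perms = permissions(token)
    return {(p, r, a) for p in projects for r, acts in perms.items() for a in acts}


def audit(tokens, user_projects, personal_namespace):
    """Rank tokens by blast radius and attach findings a reviewer would act on."""
    report = []
    for token in tokens:
        radius = blast_radius(token, user_projects, personal_namespace)
        projects = {p for p, _, _ in radius}
        delete_projects = {p for p, _, a in radius if a == "delete"}
        findings = []
        if token["kind"] == "traditional" and "api" in token["scopes"]:
            findings.append(("HIGH", "full api scope: every resource and action on every project"))
        if len(delete_projects) > 1:
            findings.append(("HIGH", f"delete permission on {len(delete_projects)} projects"))
        if len(projects) == len(user_projects) > 1:
            findings.append(("MEDIUM", f"reaches all {len(projects)} projects the user belongs to"))
        report.append({"name": token["name"], "radius": len(radius), "findings": findings})
    report.sort(key=lambda row: row["radius"], reverse=True)   # stable: ties keep input order
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_TOKENS, USER_PROJECTS, "alice"):
        flags = "; ".join(f"{sev}: {msg}" for sev, msg in row["findings"]) or "ok"
        print(f"{row['name']:<14} radius={row['radius']:<4} {flags}")
```

Run as a script, the report puts the traditional api token first (160 combinations across all eight projects) and the registry-push token last (two combinations on one project), which is the contrast the article draws. The fine-grained issue-bot token is still flagged because its reach is set to all projects and it carries Delete on repositories; fine-grained does not mean least-privilege unless both dimensions are narrowed.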
The feature is currently in beta. GitLab advises against using fine-grained PATs in production workloads until general availability. At launch, fine-grained PATs cover roughly 75% of REST API endpoints, so workflows that depend on an endpoint not yet covered should stay on traditional PATs for now. GitLab plans to add support for the remaining REST endpoints and expand GraphQL coverage in the months ahead.
To try the feature, navigate to User Settings → Personal Access Tokens, choose Fine-grained token from the generate token dropdown, and define the scope. Full details are in the fine-grained personal access tokens documentation. Teams can also share feedback directly in the roadmap epic to help shape upcoming iterations.
Traditional PATs continue to work as before. During the beta, both token types can exist side by side.