Group access tokens

With group access tokens, you can use a single token to:

Perform actions for groups.
Manage the projects within the group.

You can use a group access token to authenticate:

With the GitLab API.
In GitLab 14.2 and later, authenticate with Git over HTTPS. Use:
- Any non-blank value as a username.
- The group access token as the password.

Group access tokens are similar to project access tokens and personal access tokens, except they are associated with a group rather than a project or user.

In self-managed instances, group access tokens are subject to the same maximum lifetime limits as personal access tokens if the limit is set.

You can use group access tokens:

On GitLab SaaS if you have the Premium license tier or higher. Group access tokens are not available with a trial license.
On self-managed instances of GitLab, with any license tier. If you have the Free tier:
- Review your security and compliance policies around user self-enrollment.
- Consider disabling group access tokens to lower potential abuse.

You cannot use group access tokens to create other access tokens.

Group access tokens inherit the default prefix setting configured for personal access tokens.

Create a group access token using UI

Introduced in GitLab 14.7.

To create a group access token:

On the top bar, select Menu > Groups and find your group.
On the left sidebar, select Settings > Access Tokens.
Enter a name. The token name is visible to any user with permissions to view the group.
Optional. Enter an expiry date for the token. The token will expire on that date at midnight UTC. An instance-wide maximum lifetime setting can limit the maximum allowable lifetime in self-managed instances.
Select a role for the token.
Select the desired scopes.
Select Create group access token.

A group access token is displayed. Save the group access token somewhere safe. After you leave or refresh the page, you can't view it again.

Create a group access token using Rails console

GitLab 14.6 and earlier doesn't support creating group access tokens using the UI or API. However, administrators can use a workaround:

Run the following commands in a Rails console:

# Set the GitLab administration user to use. If user ID 1 is not available or is not an administrator, use 'admin = User.admins.first' instead to select an administrator.
admin = User.find(1)

# Set the group group you want to create a token for. For example, group with ID 109.
group = Group.find(109)

# Create the group bot user. For further group access tokens, the username should be group_#{group.id}_bot#{bot_count}. For example, group_109_bot2 and email address group_109_bot2@example.com.
bot = Users::CreateService.new(admin, { name: 'group_token', username: "group_#{group.id}_bot", email: "group_#{group.id}_bot@example.com", user_type: :project_bot }).execute

# Confirm the group bot.
bot.confirm

# Add the bot to the group with the required role.
group.add_user(bot, :maintainer)

# Give the bot a personal access token.
token = bot.personal_access_tokens.create(scopes:[:api, :write_repository], name: 'group_token')

# Get the token value.
gtoken = token.token

Test if the generated group access token works:
1. Use the group access token in the PRIVATE-TOKEN header with GitLab REST APIs. For example:
  - Create an epic in the group.
  - Create a project pipeline in one of the group's projects.
  - Create an issue in one of the group's projects.
2. Use the group token to clone a group's project using HTTPS.

Revoke a group access token using the UI

Introduced in GitLab 14.7.

To revoke a group access token:

On the top bar, select Menu > Groups and find your group.
On the left sidebar, select Settings > Access Tokens.
Next to the group access token to revoke, select Revoke.

Revoke a group access token using Rails console

GitLab 14.6 and earlier doesn't support revoking group access tokens using the UI or API. However, administrators can use a workaround.

To revoke a group access token, run the following command in a Rails console:

bot = User.find_by(username: 'group_109_bot') # the owner of the token you want to revoke
token = bot.personal_access_tokens.last # the token you want to revoke
token.revoke!

Scopes for a group access token

The scope determines the actions you can perform when you authenticate with a group access token.

Scope	Description
`api`	Grants complete read and write access to the scoped group and related project API, including the Package Registry.
`read_api`	Grants read access to the scoped group and related project API, including the Package Registry.
`read_registry`	Allows read access (pull) to the Container Registry images if any project within a group is private and authorization is required.
`write_registry`	Allows write access (push) to the Container Registry.
`read_repository`	Allows read access (pull) to all repositories within a group.
`write_repository`	Allows read and write access (pull and push) to all repositories within a group.

Enable or disable group access token creation

To enable or disable group access token creation for all sub-groups in a top-level group:

On the top bar, select Menu > Groups and find your group.
On the left sidebar, select Settings > General.
Expand Permissions and group features.
Under Permissions, turn on or off Allow project and group access token creation.

Even when creation is disabled, you can still use and revoke existing group access tokens.

Bot users for groups

Each time you create a group access token, a bot user is created and added to the group. These bot users are similar to bot users for projects, except they are added to groups instead of projects. These bot users do not count as licensed seats.

For more information, see Bot users for projects.