| name | glab-token |
| description | Manage GitLab access tokens using the glab CLI. Use this skill whenever the user wants to create, list, revoke, or rotate personal access tokens, project access tokens, or group access tokens. Trigger on phrases like "create an access token", "generate a GitLab token", "revoke a token", "rotate expired token", "list my tokens", or any GitLab token management task. |
GitLab Access Token Management
Use glab token to create and manage Personal, Project, and Group access tokens.
Create a Token
glab token create <name>
glab token create ci-bot -S api -S read_registry
glab token create deploy-key -D 90d
glab token create deploy-key -E 2025-12-31
glab token create <name> -g <group-path> -S api -A developer
glab token create <name> -U <username> -S api
Key flags:
-S / --scope permission scope (repeatable, default: read_repository)
-D / --duration validity period: Nd days, Nw weeks, Nh hours
-E / --expires-at exact expiry date YYYY-MM-DD
-A / --access-level role for project/group tokens: guest|reporter|developer|maintainer|owner
-g / --group create group token instead of project token
-U / --user create user token (admin only)
--description token description
Note: -D and -E are mutually exclusive.
Common Scopes
| Scope | Description |
|---|
api | Full API access (read + write everything) |
read_api | Read-only API access |
read_repository | Read repository contents |
write_repository | Push to repository |
read_registry | Pull from container registry |
write_registry | Push to container registry |
read_user | Read user info |
List Tokens
glab token list
glab token list --active
glab token list -g <group>
glab token list -O json
Revoke a Token
glab token revoke <name> <id>
Get the token ID from glab token list.
Rotate a Token
Rotates the token secret (revokes current, generates new secret with same settings):
glab token rotate <name> <id>
The new token value is printed — save it immediately.
Behavior Guidelines
- Minimal scopes: Always suggest the minimum required scopes. A CI bot reading artifacts only needs
read_repository, not api.
- Expiry: Recommend setting an expiry date for all tokens — tokens without expiry are a security risk.
- Save immediately: Warn the user that the token value is only shown once at creation time — they must save it before leaving.
- Rotation: After rotating, the user must update all places that use the old token (CI variables, scripts, etc.).
- Project vs Personal: Project tokens are scoped to one project and don't require a user account — prefer them for CI/CD automation.