GitLab has launched fine-grained personal access tokens (PATs) in beta, allowing teams to scope tokens to specific projects and permissions rather than granting broad access across all projects a user can reach. Instead of one token with wide privileges, you can issue per-job tokens with only the exact permissions needed — for example, a token scoped only to Container Registry Create/Read on a single project. This limits the blast radius if a token leaks. The tokens table now shows all scopes and per-resource permissions for easier auditing. The beta currently covers ~75% of REST API endpoints, with GraphQL and the remaining endpoints coming before GA. Traditional PATs continue to work alongside fine-grained ones during the beta.