Admin Token API: Revoke token
Problem to solve
As an instance administrator, I want to be able to revoke tokens using a unified API. Instead of first identifying the type of the token, this API should allow revocation regardless of the type.
As such, it goes further than the existing Token Revocation API that is scoped to Groups.
Proposal
We could add a DELETE method to the existing Token Information API:
DELETE /api/v4/admin/token
| Attribute | Type | Required | Description |
|---|---|---|---|
| `token` | string | Yes | Token that should be revoked. |
In a first iteration, we should start with the token types that are currently handled by the Token Information API, i.e. PersonalAccessToken and DeployTokens.
Supported Tokens
Status: &15777 (comment 2300542220)
See #460778 (closed) for an in-depth analysis of existing support for token revocation.
We should reuse the existing feature flag for this feature (admin_agnostic_token_finder).
Intended users
Edited by Nicholas Wittstruck