Improve error message of API for creating tokens

Checklist

  • I'm using the latest version of the extension (Run glab --version)
  • Operating system and version: macOS 15.6 (24G84)
  • GitLab.com or self-managed instance? gitlab.com
  • GitLab version (if self-managed) N/A
  • I have performed glab auth status to check for authentication issues
  • Run the command in debug mode (like DEBUG=true glab mr list) and attach any useful output

Summary

Trying to create a PAT using glab token create --user @me results in the following error regardless of provided scopes:

ERROR: POST https://gitlab.com/api/v4/user/personal_access_tokens: 400 {error: scopes does not have a valid value}

Environment

  • OS: Darwin 24.6.0 arm64
  • SHELL: /opt/homebrew/bin/zsh
  • TERM: xterm-256color
  • GLAB: glab 1.72.0 (cli@294f0726)%

Steps to reproduce

  • Ensure glab is logged in: glab auth login (used WEB and HTTPS for this)
  • Run the following, with or without explicitly defined scopes:
glab token create --user @me --scope api,write_repository my-personal-token-3

What is the current bug behavior?

Every permutation of supplied scopes results in:

ERROR: POST https://gitlab.com/api/v4/user/personal_access_tokens: 400 {error: scopes does not have a valid value}

What is the expected correct behavior?

A PAT is created for the current user.

Relevant logs and/or screenshots

zsh ❯ pwd
/Users/c.mayne
~ 
zsh ❯ export GLAB_DEBUG_HTTP=true
~ 
zsh ❯ glab token create --user @me --scope api,write_repository my-personal-token-3

REQUEST:
GET /api/v4/user HTTP/1.1
Host: gitlab.com
User-Agent: glab/v1.72.0 (darwin, arm64)
Accept: application/json
Authorization: [REDACTED]
Accept-Encoding: gzip



RESPONSE:
HTTP/2.0 200 OK
Cache-Control: max-age=0, private, must-revalidate
Cf-Cache-Status: MISS
Cf-Ray: 98453a41dfa4911c-LHR
Content-Security-Policy: default-src 'none'
Content-Type: application/json
Date: Wed, 24 Sep 2025 21:03:16 GMT
Etag: W/"ab6b7a0b481caa7fd8ef456c0ba2bfef"
Gitlab-Lb: haproxy-main-33-lb-gprd
Gitlab-Sv: api-gke-us-east1-d
Nel: {"max_age": 0}
Referrer-Policy: strict-origin-when-cross-origin
Server: cloudflare
Set-Cookie: [REDACTED]
Strict-Transport-Security: max-age=31536000
Vary: Origin, Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"bfc041cebeb4e386c0935d977025980e","version":"1"}
X-Request-Id: bfc041cebeb4e386c0935d977025980e
X-Runtime: 0.059507

{"id":23535502,"username":"c.mayne",...

REQUEST:
GET /api/v4/personal_access_tokens?per_page=100&user_id=23535502 HTTP/1.1
Host: gitlab.com
User-Agent: glab/v1.72.0 (darwin, arm64)
Accept: application/json
Authorization: [REDACTED]
Accept-Encoding: gzip



RESPONSE:
HTTP/2.0 200 OK
Cache-Control: max-age=0, private, must-revalidate
Cf-Cache-Status: MISS
Cf-Ray: 98453a439b4b911c-LHR
Content-Security-Policy: default-src 'none'
Content-Type: application/json
Date: Wed, 24 Sep 2025 21:03:17 GMT
Etag: W/"954f71ba8f08e74795ac381f82bcc74e"
Gitlab-Lb: haproxy-main-05-lb-gprd
Gitlab-Sv: api-gke-us-east1-c
Link: <https://gitlab.com/api/v4/personal_access_tokens?page=1&per_page=100&user_id=23535502>; rel="first", <https://gitlab.com/api/v4/personal_access_tokens?page=1&per_page=100&user_id=23535502>; rel="last"
Nel: {"max_age": 0}
Referrer-Policy: strict-origin-when-cross-origin
Server: cloudflare
Set-Cookie: [REDACTED]
Strict-Transport-Security: max-age=31536000
Vary: Origin, Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"a5c86d30fa31cad664b7f402ae70abaa","version":"1"}
X-Next-Page: 
X-Page: 1
X-Per-Page: 100
X-Prev-Page: 
X-Request-Id: a5c86d30fa31cad664b7f402ae70abaa
X-Runtime: 0.201444
X-Total: 7
X-Total-Pages: 1

[{"id":12211295,"name":"...

REQUEST:
POST /api/v4/user/personal_access_tokens HTTP/1.1
Host: gitlab.com
User-Agent: glab/v1.72.0 (darwin, arm64)
Content-Length: 92
Accept: application/json
Authorization: [REDACTED]
Content-Type: application/json
Accept-Encoding: gzip

{"name":"my-personal-token-3","scopes":["api","write_repository"],"expires_at":"2025-10-24"}

RESPONSE:
HTTP/2.0 400 Bad Request
Content-Length: 46
Cache-Control: no-cache
Cf-Cache-Status: DYNAMIC
Cf-Ray: 98453a467b12911c-LHR
Content-Security-Policy: default-src 'none'
Content-Type: application/json
Date: Wed, 24 Sep 2025 21:03:17 GMT
Gitlab-Lb: haproxy-main-17-lb-gprd
Gitlab-Sv: api-gke-us-east1-c
Nel: {"max_age": 0}
Referrer-Policy: strict-origin-when-cross-origin
Server: cloudflare
Set-Cookie: [REDACTED]
Strict-Transport-Security: max-age=31536000
Vary: Origin, Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"83227dc8f3782c0ff3e74982e813c514","version":"1"}
X-Request-Id: 83227dc8f3782c0ff3e74982e813c514
X-Runtime: 0.045027

{"error":"scopes does not have a valid value"}

ERROR: POST https://gitlab.com/api/v4/user/personal_access_tokens: 400 {error: scopes does not have a valid value}

Possible fixes

No idea - appears to be a server-side validation or non-obvious, state-based validation issue.

Edited by Chris Mayne