diff --git a/doc/api/repositories.md b/doc/api/repositories.md
index fa1d3884b4820283b4be30b296d9c1b62f7cdf0d..0148971c1d7ec72bd517f847a841608550a4aacb 100644
--- a/doc/api/repositories.md
+++ b/doc/api/repositories.md
@@ -446,6 +446,8 @@ curl --request POST --header "PRIVATE-TOKEN: token" \
 
 ## Generate changelog data
 
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172842) authentiation through [CI/CD job token](../ci/jobs/ci_job_token.md) in GitLab 17.7.
+
 Generate changelog data based on commits in a repository, without committing
 them to a changelog file.
 
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 69b6326c7a9f1bf2eee8c0f65c8be29da1ed46b4..2a15e06dbd561dccb903fc33a972f908fac83a28 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -47,6 +47,7 @@ The CI/CD job token can only access the following features and API endpoints:
 | [Update pipeline metadata API endpoint](../../api/pipelines.md#update-pipeline-metadata)              | To update pipeline metadata. |
 | [Release links API](../../api/releases/links.md)                                                      |         |
 | [Releases API](../../api/releases/index.md)                                                           | `GET` requests are public by default. |
+| [Repositories API](../../api/repositories.md#generate-changelog-data)                                 | Generates changelog data based on commits in a repository. |
 | [Secure files](../secure_files/index.md#use-secure-files-in-cicd-jobs)                                | The `download-secure-files` tool authenticates with a CI/CD job token by default. |
 | [Terraform plan](../../user/infrastructure/index.md)                                                  |         |
 
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 2d3e13edcdffc08d87f6b95bcb9f799d895c6a53..e0f331d1c81c345b28c1d565dfc47b477755a293 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -290,6 +290,7 @@ def rescue_not_found?
           documentation: { example: '.gitlab/changelog_config.yml' },
           desc: "The file path to the configuration file as stored in the project's Git repository. Defaults to '.gitlab/changelog_config.yml'"
       end
+      route_setting :authentication, job_token_allowed: true
       get ':id/repository/changelog' do
         service = ::Repositories::ChangelogService.new(
           user_project,
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 70313d834704483fcb06bde4e3bc8f019971e88f..eeec669ee80bc84aa92d09b6b1ac6798b48d06ad 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -878,6 +878,41 @@ def commit_messages(response)
       expect(json_response['notes']).to eq(release_notes)
     end
 
+    it 'returns generated changelog when using JOB-TOKEN auth' do
+      spy = instance_spy(Repositories::ChangelogService)
+      release_notes = 'Release notes'
+
+      allow(Repositories::ChangelogService)
+        .to receive(:new)
+        .with(
+          project,
+          user,
+          version: '1.0.0',
+          from: 'foo',
+          to: 'bar',
+          date: DateTime.new(2020, 1, 1),
+          trailer: 'Foo'
+        )
+        .and_return(spy)
+
+      expect(spy).to receive(:execute).with(commit_to_changelog: false).and_return(release_notes)
+
+      job = create(:ci_build, :running, project: project, user: user)
+
+      get api("/projects/#{project.id}/repository/changelog"),
+        params: {
+          job_token: job.token,
+          version: '1.0.0',
+          from: 'foo',
+          to: 'bar',
+          date: '2020-01-01',
+          trailer: 'Foo'
+        }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['notes']).to eq(release_notes)
+    end
+
     it 'supports leaving out the from and to attribute' do
       spy = instance_spy(Repositories::ChangelogService)