diff --git a/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/create.yml b/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/create.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1207d1d598096700d31f5ccd7492c735b2db5d29
--- /dev/null
+++ b/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/create.yml
@@ -0,0 +1,8 @@
+---
+name: create_protected_tag
+description: Grants the ability to create protected tags
+feature_category: source_code_management
+permissions:
+ - create_protected_tag
+boundaries:
+ - project
diff --git a/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/delete.yml b/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/delete.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f291e9e9ad662bec1a9e76e2afafd299416ffa83
--- /dev/null
+++ b/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/delete.yml
@@ -0,0 +1,8 @@
+---
+name: delete_protected_tag
+description: Grants the ability to delete protected tags
+feature_category: source_code_management
+permissions:
+ - delete_protected_tag
+boundaries:
+ - project
diff --git a/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/read.yml b/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/read.yml
new file mode 100644
index 0000000000000000000000000000000000000000..eddda1623c2797f3e73d7acfc9e6af2b8ef7a787
--- /dev/null
+++ b/config/authz/permission_groups/assignable_permissions/repositories/protected_tag/read.yml
@@ -0,0 +1,8 @@
+---
+name: read_protected_tag
+description: Grants the ability to read protected tags
+feature_category: source_code_management
+permissions:
+ - read_protected_tag
+boundaries:
+ - project
diff --git a/config/authz/permissions/protected_tag/_metadata.yml b/config/authz/permissions/protected_tag/_metadata.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8fe5b8de7a2906f1681460ec55e851b6b1d81ba1
--- /dev/null
+++ b/config/authz/permissions/protected_tag/_metadata.yml
@@ -0,0 +1 @@
+feature_category: source_code_management
diff --git a/config/authz/permissions/protected_tag/create.yml b/config/authz/permissions/protected_tag/create.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c4ee2379855ca1f43eff91f56c4a8b71c59d91a8
--- /dev/null
+++ b/config/authz/permissions/protected_tag/create.yml
@@ -0,0 +1,6 @@
+---
+name: create_protected_tag
+description: Grants the ability to create protected tags
+feature_category: source_code_management
+boundaries:
+ - project
diff --git a/config/authz/permissions/protected_tag/delete.yml b/config/authz/permissions/protected_tag/delete.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4e7e8858e6175edeed8a3cb5e796eb6b1f58a188
--- /dev/null
+++ b/config/authz/permissions/protected_tag/delete.yml
@@ -0,0 +1,6 @@
+---
+name: delete_protected_tag
+description: Grants the ability to delete protected tags
+feature_category: source_code_management
+boundaries:
+ - project
diff --git a/config/authz/permissions/protected_tag/read.yml b/config/authz/permissions/protected_tag/read.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c94300a2b25d0134d6f9708199f28cc64e1913b1
--- /dev/null
+++ b/config/authz/permissions/protected_tag/read.yml
@@ -0,0 +1,6 @@
+---
+name: read_protected_tag
+description: Grants the ability to read protected tags
+feature_category: source_code_management
+boundaries:
+ - project
diff --git a/lib/api/protected_tags.rb b/lib/api/protected_tags.rb
index 7f9f0259d9a115539c17264fe27284694f3c2ab4..01092953e094aaee5eebda8478f7ee26dcf22e7b 100644
--- a/lib/api/protected_tags.rb
+++ b/lib/api/protected_tags.rb
@@ -28,6 +28,7 @@ class ProtectedTags < ::API::Base
 use :pagination
 end
 # rubocop: disable CodeReuse/ActiveRecord
+ route_setting :authorization, permissions: :read_protected_tag, boundary_type: :project
 get ':id/protected_tags' do
 authorize!(:read_protected_tags, user_project)
 protected_tags = user_project.protected_tags.preload(:create_access_levels)
@@ -49,6 +50,7 @@ class ProtectedTags < ::API::Base
 requires :name, type: String, desc: 'The name of the tag or wildcard', documentation: { example: 'release*' }
 end
 # rubocop: disable CodeReuse/ActiveRecord
+ route_setting :authorization, permissions: :read_protected_tag, boundary_type: :project
 get ':id/protected_tags/:name', requirements: TAG_ENDPOINT_REQUIREMENTS do
 authorize!(:read_protected_tags, user_project)
 protected_tag = user_project.protected_tags.find_by!(name: params[:name])
@@ -76,6 +78,7 @@ class ProtectedTags < ::API::Base
 documentation: { example: 30 }
 use :optional_params_ee
 end
+ route_setting :authorization, permissions: :create_protected_tag, boundary_type: :project
 post ':id/protected_tags' do
 authorize!(:create_protected_tags, user_project)
 protected_tags_params = {
@@ -108,6 +111,7 @@ class ProtectedTags < ::API::Base
 requires :name, type: String, desc: 'The name of the protected tag', documentation: { example: 'release-1-0' }
 end
 # rubocop: disable CodeReuse/ActiveRecord
+ route_setting :authorization, permissions: :delete_protected_tag, boundary_type: :project
 delete ':id/protected_tags/:name', requirements: TAG_ENDPOINT_REQUIREMENTS do
 authorize!(:destroy_protected_tags, user_project)
diff --git a/spec/requests/api/protected_tags_spec.rb b/spec/requests/api/protected_tags_spec.rb
index e939f14cb6acdd9e344765cff513c27e898bd66a..cde99dc19844ebc6c602d5910e76952cce25ba48 100644
--- a/spec/requests/api/protected_tags_spec.rb
+++ b/spec/requests/api/protected_tags_spec.rb
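Review bot: The `route_setting :authorization` line added above `get ':id/protected_tags'` carries no explanation, and the name it declares (`read_protected_tag`) differs from the ability checked on the next line (`read_protected_tags`), so the next maintainer will read one of them as a typo. A comment on the added line would settle that, e.g. `# Granular PAT permission (token layer); the user's project ability is still enforced by authorize! below.` Nothing in this block consumes the setting itself — enforcement presumably lives in a hook on `::API::Base` that is not part of this diff, so it is worth confirming that a granular token lacking `read_protected_tag` is rejected before the block body runs rather than relying on `authorize!` alone. The `get` block continues beyond the end of the hunk.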
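Review bot: The delete route declares the granular permission `delete_protected_tag` while the ability on the following line is `destroy_protected_tags`; the divergence looks deliberate (the new config/authz YAML consistently uses `delete_`), but this is the one endpoint in the file where the verb changes and not just the plural, and nothing records why. A comment such as `# Token-layer permission is delete_protected_tag; the policy ability keeps its existing destroy_ name.` on the added line would prevent a later "fix" that renames one side and silently breaks the other. Since removing a protection rule is what makes matching tags updatable or deletable again, this is the route where a gap between the token layer and the policy layer would matter most. The `delete` block continues outside the hunk.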
@@ -36,6 +36,11 @@
 end
 it_behaves_like 'protected tags'
+
+ it_behaves_like 'authorizing granular token permissions', :read_protected_tag do
+ let(:boundary_object) { project }
+ let(:request) { get api(route, personal_access_token: pat), params: { per_page: 100 } }
+ end
 end
 context 'when authenticated as a guest' do
@@ -115,6 +120,11 @@
 )
 end
 end
+
+ it_behaves_like 'authorizing granular token permissions', :read_protected_tag do
+ let(:boundary_object) { project }
+ let(:request) { get api(route, personal_access_token: pat) }
+ end
 end
 context 'when authenticated as a guest' do
@@ -193,6 +203,14 @@
 expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
 end
 end
+
+ it_behaves_like 'authorizing granular token permissions', :create_protected_tag do
+ let(:boundary_object) { project }
+ let(:request) do
+ post api("/projects/#{project.id}/protected_tags", personal_access_token: pat),
+ params: { name: 'new_protected_tag' }
+ end
+ end
 end
 context 'when authenticated as a guest' do
@@ -259,6 +277,11 @@
 expect(response).to have_gitlab_http_status(:no_content)
 end
 end
+
+ it_behaves_like 'authorizing granular token permissions', :delete_protected_tag do
+ let(:boundary_object) { project }
+ let(:request) { delete api("/projects/#{project.id}/protected_tags/#{tag_name}", personal_access_token: pat) }
+ end
 end
 end
 end