Learn how AI coding assistants can introduce security risks—register for the webinar

TRUFFLEHOG

CUSTOMERS

COMPANY

RESOURCES

LOG IN

Get Started

How Do I Find the Owner of a GitLab Personal Access Token?

tl;dr  Use the GitLab API to retrieve the user_id associated with a Personal Access Token (PAT). To get the actual username, you need additional scopes (read_user, api, or read_api). Alternatively, TruffleHog automates this process by extracting all available user information from the token.

Automating Token Owner Discovery with TruffleHog

Manually making API requests is inefficient when analyzing leaked GitLab tokens at scale. TruffleHog automates this process by analyzing GitLab PATs and extracting all available user data.

To retrieve the username linked to a token, run:

trufflehog analyze gitlab

You'll be prompted to enter your token.

TruffleHog will attempt to fetch the user details automatically, returning what’s available based on the token’s permissions.

  • If permissions are limited, TruffleHog may only return a user_id.

  • With broader permissions, it will return the user's full name and username.

Identifying the Owner via the GitLab API

If you prefer a manual approach, you’ll need to make one or two GitLab API requests.

Step 1: Retrieve the User ID

The GitLab API provides an endpoint to query PAT details. Run:

Get https://gitlab.com/api/v4/personal_access_tokens/self

This returns a JSON response with a user_id, but not the username. Example response:

{
  "id": 123456,
  "name": "My API Token",
  "revoked": false,
  "scopes": ["read_api"],
  "user_id": 78910,
  "created_at": "2024-02-01T12:34:56Z",
  "expires_at": null
}

Step 2: Retrieve the Username (If Permitted)

To get the actual username, query:

GET https://gitlab.com/api/v4/users/<USER_ID>

⚠️ This only works if the PAT has at least one of these scopes: read_user, api, or read_api.

Example response:

{ "id": 78910, "username": "gitlab_user", "name": "GitLab User" }

If the required scopes are missing, the request will fail.

🔹 Note: If you're working with a self-hosted GitLab instance, replace gitlab.com with your organization’s GitLab domain.

Why This Matters

Exposed GitLab Personal Access Tokens pose a security risk, allowing attackers to access repositories, projects, and sensitive user data. Security teams should:

Immediately revoke leaked PATs.

Audit the associated user account for suspicious activity.

Enforce scoped and short-lived tokens to reduce exposure risk.

TruffleHog streamlines the identification process, making it easy to determine the impact of a leaked token.

🔍 Check out the TruffleHog GitHub repository for more details:TruffleHog GitHub


STAY STRONG

DIG DEEP

TRUFFLEHOG

Open-source

Enterprise

Analyze

NEW!

Forager

Security

Integrations

Pricing

CUSTOMERS

COMPANY

About

Careers

Press

FAQ

Contact us

RESOURCES

Blog

Newsletter

Library

Events

Videos

GitHub

Enterprise docs

Open-source docs

How to rotate

Brand assets

NEW!

DOING IT THE RIGHT WAY

SINCE 2021

#trufflehog-community

#Secret Scanning

© 2025 Truffle Security Co.

Privacy policy

Terms and conditions

Data processing agreement

Acceptable use policy