How Do I Find the Owner of a GitLab Personal Access Token?

tl;dr  Use the GitLab API to retrieve the user_id bound to a Personal Access Token (PAT). Resolving that ID to a username requires the token to carry the read_user, read_api, or api scope. Alternatively, TruffleHog automates the lookup and extracts whatever user information the token's scopes allow.

Automating Token Owner Discovery with TruffleHog

Making API requests by hand does not scale when you are triaging leaked GitLab tokens in bulk. TruffleHog automates the lookup: it authenticates with the PAT and extracts all the user data the token's scopes permit.

To retrieve the username linked to a token, run:

trufflehog analyze gitlab

You'll be prompted to enter your token.

TruffleHog will attempt to fetch the user details automatically, returning what’s available based on the token’s permissions.

  • If permissions are limited, TruffleHog may only return a user_id.

  • With broader permissions, it will return the user's full name and username.

Identifying the Owner via the GitLab API

If you prefer a manual approach, you’ll need to make one or two GitLab API requests.

Step 1: Retrieve the User ID

The GitLab API exposes an endpoint that describes the token used to authenticate the request. Send the PAT in the PRIVATE-TOKEN header:

GET https://gitlab.com/api/v4/personal_access_tokens/self
PRIVATE-TOKEN: <TOKEN>

This returns a JSON document describing the token, including the numeric user_id of its owner, but not the username. Example response:

{
  "id": 123456,
  "name": "My API Token",
  "revoked": false,
  "scopes": ["read_api"],
  "user_id": 78910,
  "created_at": "2024-02-01T12:34:56Z",
  "expires_at": null
}

Step 2: Retrieve the Username (If Permitted)

To resolve that ID to a username, query the users endpoint with the same PRIVATE-TOKEN header:

GET https://gitlab.com/api/v4/users/<USER_ID>

⚠️ This only works if the PAT has at least one of these scopes: read_user, api, or read_api.

Example response:

{ "id": 78910, "username": "gitlab_user", "name": "GitLab User" }

If the token lacks those scopes, GitLab rejects the request with 403 Forbidden and an insufficient_scope error, leaving you with only the user_id from step 1.

🔹 Note: If you're working with a self-hosted GitLab instance, replace gitlab.com with your organization’s GitLab domain.
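The two-step lookup above, written out as an added Python example. This is not code from the original post or from TruffleHog itself; it assumes the PAT is accepted in the PRIVATE-TOKEN header (the page's own procedure) and that a scope failure on step 2 surfaces as HTTP 403. The fake_fetch stand-in is constructed from the sample responses on this page so the script runs offline; pass the default http_get_json to query a real instance.

```python
"""Find the owner of a GitLab Personal Access Token (PAT) in two API calls.

Step 1: GET /personal_access_tokens/self  -> token metadata incl. user_id
Step 2: GET /users/<user_id>              -> username (needs read_user,
        read_api or api scope; otherwise GitLab answers 403)
"""
import json
import urllib.error
import urllib.request


def http_get_json(url, token):
    """GET url with the PAT in the PRIVATE-TOKEN header.

    Returns (http_status, parsed_json). A non-2xx answer is returned rather
    than raised so the caller can tell a scope failure from a network error.
    """
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
        try:
            return err.code, json.loads(body)
        except ValueError:
            return err.code, {"raw": body}


def find_token_owner(token, base_url="https://gitlab.com", fetch=http_get_json):
    """Return what can be learned about the token's owner.

    base_url is the instance root; replace it for self-hosted GitLab.
    fetch(url, token) -> (status, json) lets tests substitute a fake API.
    """
    api = base_url.rstrip("/") + "/api/v4"
    result = {"user_id": None, "username": None, "name": None,
              "scopes": None, "revoked": None, "expires_at": None, "error": None}

    # Step 1: the token describes itself; works without extra scopes.
    status, tok = fetch(f"{api}/personal_access_tokens/self", token)
    if status != 200 or not isinstance(tok, dict):
        result["error"] = f"token self-lookup failed with HTTP {status}"
        return result
    result.update(user_id=tok.get("user_id"), scopes=tok.get("scopes"),
                  revoked=tok.get("revoked"), expires_at=tok.get("expires_at"))

    # Step 2: resolve user_id -> username; fails with 403 if scopes are too narrow.
    status, user = fetch(f"{api}/users/{result['user_id']}", token)
    if status == 200 and isinstance(user, dict):
        result["username"] = user.get("username")
        result["name"] = user.get("name")
    else:
        result["error"] = f"user lookup failed with HTTP {status} (missing read_user/read_api/api scope?)"
    return result


# --- Constructed offline stand-in for the GitLab API (sample data, not real) ---
SAMPLE_TOKEN_INFO = {"id": 123456, "name": "My API Token", "revoked": False,
                     "user_id": 78910, "created_at": "2024-02-01T12:34:56Z",
                     "expires_at": None}
SAMPLE_USER = {"id": 78910, "username": "gitlab_user", "name": "GitLab User"}
USER_SCOPES = {"read_user", "read_api", "api"}


def make_fake_fetch(scopes):
    """Simulate GitLab for a token carrying the given scopes (constructed)."""
    def fetch(url, token):
        if url.endswith("/personal_access_tokens/self"):
            return 200, dict(SAMPLE_TOKEN_INFO, scopes=list(scopes))
        if url.endswith(f"/users/{SAMPLE_USER['id']}"):
            if USER_SCOPES & set(scopes):
                return 200, dict(SAMPLE_USER)
            return 403, {"error": "insufficient_scope"}
        return 404, {"message": "404 Not Found"}
    return fetch


if __name__ == "__main__":
    # Broad token: both steps succeed. Narrow token: only user_id comes back.
    for scopes in (["read_api"], ["read_repository"]):
        print(scopes, find_token_owner("glpat-example", fetch=make_fake_fetch(scopes)))
    # Real lookup (hypothetical self-hosted URL; token taken from the environment):
    # import os; print(find_token_owner(os.environ["GITLAB_TOKEN"], "https://gitlab.example.com"))
```

Run it with no arguments to see both outcomes on the constructed data; to check a real token, call find_token_owner with the default fetch and your instance URL. Note that the script never raises on a scope failure: a triage run over many leaked tokens should record "user_id known, username unknown" rather than abort.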

Why This Matters

Exposed GitLab Personal Access Tokens pose a security risk, allowing attackers to access repositories, projects, and sensitive user data. Security teams should:

  • Immediately revoke leaked PATs.

  • Audit the associated user account for suspicious activity.

  • Enforce scoped and short-lived tokens to reduce exposure risk.

TruffleHog streamlines the identification process, making it easy to determine the impact of a leaked token.

🔍 Check out the TruffleHog GitHub repository for more details.