How Do I Find the Owner of a GitLab Personal Access Token?
tl;dr Use the GitLab API to retrieve the user_id
associated with a Personal Access Token (PAT). To get the actual username, you need additional scopes (read_user
, api
, or read_api
). Alternatively, TruffleHog automates this process by extracting all available user information from the token.
Automating Token Owner Discovery with TruffleHog
Manually making API requests is inefficient when analyzing leaked GitLab tokens at scale. TruffleHog automates this process by analyzing GitLab PATs and extracting all available user data.
To retrieve the username linked to a token, run:
You'll be prompted to enter your token.

TruffleHog will attempt to fetch the user details automatically, returning what’s available based on the token’s permissions.

If permissions are limited, TruffleHog may only return a
user_id
.With broader permissions, it will return the user's full name and username.
Identifying the Owner via the GitLab API
If you prefer a manual approach, you’ll need to make one or two GitLab API requests.
Step 1: Retrieve the User ID
The GitLab API provides an endpoint to query PAT details. Run:
This returns a JSON response with a user_id
, but not the username. Example response:
Step 2: Retrieve the Username (If Permitted)
To get the actual username, query:
⚠️ This only works if the PAT has at least one of these scopes: read_user
, api
, or read_api
.
Example response:
If the required scopes are missing, the request will fail.
🔹 Note: If you're working with a self-hosted GitLab instance, replace gitlab.com with your organization’s GitLab domain.
Why This Matters
Exposed GitLab Personal Access Tokens pose a security risk, allowing attackers to access repositories, projects, and sensitive user data. Security teams should:
✔ Immediately revoke leaked PATs.
✔ Audit the associated user account for suspicious activity.
✔ Enforce scoped and short-lived tokens to reduce exposure risk.
TruffleHog streamlines the identification process, making it easy to determine the impact of a leaked token.
🔍 Check out the TruffleHog GitHub repository for more details:TruffleHog GitHub
STAY STRONG
DIG DEEP
DOING IT THE RIGHT WAY
SINCE 2021
© 2025 Truffle Security Co.