For admins who want to authenticate with the API as a specific user, or who want to build applications or scripts that do so, two options are available:
1.[Impersonation tokens](#impersonation-tokens)
2.[Sudo](#sudo)
If authentication information is invalid or omitted, an error message will be
If authentication information is invalid or omitted, an error message will be
returned with status code `401`:
returned with status code `401`:
...
@@ -133,74 +121,84 @@ returned with status code `401`:
...
@@ -133,74 +121,84 @@ returned with status code `401`:
}
}
```
```
### Session cookie
### OAuth2 tokens
When signing in to GitLab as an ordinary user, a `_gitlab_session` cookie is
You can use an [OAuth2 token](oauth2.md) to authenticate with the API by passing it in either the
set. The API will use this cookie for authentication if it is present, but using
`access_token` parameter or the `Authorization` header.
the API to generate a new session cookie is currently not supported.
### OAuth2 tokens
Example of using the OAuth2 token in a parameter:
You can use an OAuth 2 token to authenticate with the API by passing it either in the
```shell
`access_token` parameter or in the `Authorization` header.
You can also use them to authenticate against Git over HTTP. They are the only
You can also use them to authenticate against Git over HTTP. They are the only
accepted method of authentication when you have
accepted method of authentication when you have
[Two-Factor Authentication (2FA)][2fa] enabled.
[Two-Factor Authentication (2FA)][2fa] enabled.
Once you have your token, [pass it to the API][usage] using either the
Once you have your token, [pass it to the API][usage] using either the
`private_token` parameter or the `PRIVATE-TOKEN` header.
`private_token` parameter or the `Private-Token` header.
The expiration of personal access tokens happens on the date you define,
The expiration of personal access tokens happens on the date you define,
at midnight UTC.
at midnight UTC.
...
@@ -49,12 +47,14 @@ the following table.
...
@@ -49,12 +47,14 @@ the following table.
|`read_user` | Allows access to the read-only endpoints under `/users`. Essentially, any of the `GET` requests in the [Users API][users] are allowed ([introduced][ce-5951] in GitLab 8.15). |
|`read_user` | Allows access to the read-only endpoints under `/users`. Essentially, any of the `GET` requests in the [Users API][users] are allowed ([introduced][ce-5951] in GitLab 8.15). |
| `api` | Grants complete access to the API (read/write) ([introduced][ce-5951] in GitLab 8.15). Required for accessing Git repositories over HTTP when 2FA is enabled. |
| `api` | Grants complete access to the API (read/write) ([introduced][ce-5951] in GitLab 8.15). Required for accessing Git repositories over HTTP when 2FA is enabled. |
| `read_registry` | Allows to read [container registry] images if a project is private and authorization is required ([introduced][ce-11845] in GitLab 9.3). |
| `read_registry` | Allows to read [container registry] images if a project is private and authorization is required ([introduced][ce-11845] in GitLab 9.3). |
| `sudo` | Allows performing API actions as any user in the system (if the authenticated user is an admin) ([introduced][ce-14838] in GitLab 10.2). |