GitLab CI/CD · Capability

GitLab API — access_tokens

GitLab API — access_tokens. 10 operations. Lead operation: Rotate a resource access token. Self-contained Naftiko capability covering one Gitlab Ci business surface.


What You Can Do

POST /v1/api/v4/groups/{id}/access-tokens/self/rotate
Postapiv4groupsidaccesstokensselfrotate — Rotate a resource access token

GET /v1/api/v4/personal-access-tokens
Getapiv4personalaccesstokens — List personal access tokens

GET /v1/api/v4/personal-access-tokens/self
Getapiv4personalaccesstokensself — Get single personal access token

DELETE /v1/api/v4/personal-access-tokens/self
Deleteapiv4personalaccesstokensself — Revoke a personal access token

GET /v1/api/v4/personal-access-tokens/self/associations
Getapiv4personalaccesstokensselfassociations — Return personal access token associations

POST /v1/api/v4/personal-access-tokens/self/rotate
Postapiv4personalaccesstokensselfrotate — Rotate a personal access token

GET /v1/api/v4/personal-access-tokens/{id}
Getapiv4personalaccesstokensid — Get single personal access token

DELETE /v1/api/v4/personal-access-tokens/{id}
Deleteapiv4personalaccesstokensid — Revoke a personal access token

POST /v1/api/v4/personal-access-tokens/{id}/rotate
Postapiv4personalaccesstokensidrotate — Rotate personal access token

POST /v1/api/v4/projects/{id}/access-tokens/self/rotate
Postapiv4projectsidaccesstokensselfrotate — Rotate a resource access token

MCP Tools

rotate-resource-access-token
Rotate a resource access token

list-personal-access-tokens
List personal access tokens
Hints: read-only, idempotent

get-single-personal-access-token
Get single personal access token
Hints: read-only, idempotent

revoke-personal-access-token
Revoke a personal access token
Hints: idempotent

return-personal-access-token-associations
Return personal access token associations
Hints: read-only, idempotent

rotate-personal-access-token
Rotate a personal access token

get-single-personal-access-token-2
Get single personal access token
Hints: read-only, idempotent

revoke-personal-access-token-2
Revoke a personal access token
Hints: idempotent

rotate-personal-access-token-2
Rotate personal access token

rotate-resource-access-token-2
Rotate a resource access token

Capability Spec

gitlab-ci-access-tokens.yaml
naftiko: 1.0.0-alpha2
info:
  label: GitLab API — access_tokens
  description: 'GitLab API — access_tokens. 10 operations. Lead operation: Rotate a resource access token. Self-contained
    Naftiko capability covering one Gitlab Ci business surface.'
  tags:
  - Gitlab Ci
  - access_tokens
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    GITLAB_CI_API_KEY: GITLAB_CI_API_KEY
capability:
  consumes:
  - type: http
    namespace: gitlab-ci-access-tokens
    baseUri: https://gitlab.com
    description: GitLab API — access_tokens business capability. Self-contained, no shared references.
    resources:
    - name: api-v4-groups-id-access_tokens-self-rotate
      path: /api/v4/groups/{id}/access_tokens/self/rotate
      operations:
      - name: postapiv4groupsidaccesstokensselfrotate
        method: POST
        description: Rotate a resource access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The group ID
          required: true
        - name: postApiV4GroupsIdAccessTokensSelfRotate
          in: body
          type: string
          required: true
    - name: api-v4-personal_access_tokens
      path: /api/v4/personal_access_tokens
      operations:
      - name: getapiv4personalaccesstokens
        method: GET
        description: List personal access tokens
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: user_id
          in: query
          type: integer
          description: Filter PATs by User ID
        - name: revoked
          in: query
          type: boolean
          description: Filter tokens where revoked state matches parameter
        - name: state
          in: query
          type: string
          description: Filter tokens which are either active or not
        - name: created_before
          in: query
          type: string
          description: Filter tokens which were created before given datetime
        - name: created_after
          in: query
          type: string
          description: Filter tokens which were created after given datetime
        - name: last_used_before
          in: query
          type: string
          description: Filter tokens which were used before given datetime
        - name: last_used_after
          in: query
          type: string
          description: Filter tokens which were used after given datetime
        - name: expires_before
          in: query
          type: string
          description: Filter tokens which expire before given datetime
        - name: expires_after
          in: query
          type: string
          description: Filter tokens which expire after given datetime
        - name: search
          in: query
          type: string
          description: Filters tokens by name
        - name: sort
          in: query
          type: string
          description: Sort tokens
        - name: page
          in: query
          type: integer
          description: Current page number
        - name: per_page
          in: query
          type: integer
          description: Number of items per page
    - name: api-v4-personal_access_tokens-self
      path: /api/v4/personal_access_tokens/self
      operations:
      - name: getapiv4personalaccesstokensself
        method: GET
        description: Get single personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteapiv4personalaccesstokensself
        method: DELETE
        description: Revoke a personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-v4-personal_access_tokens-self-associations
      path: /api/v4/personal_access_tokens/self/associations
      operations:
      - name: getapiv4personalaccesstokensselfassociations
        method: GET
        description: Return personal access token associations
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: min_access_level
          in: query
          type: integer
          description: Limit by minimum access level of authenticated user
        - name: page
          in: query
          type: integer
          description: Current page number
        - name: per_page
          in: query
          type: integer
          description: Number of items per page
    - name: api-v4-personal_access_tokens-self-rotate
      path: /api/v4/personal_access_tokens/self/rotate
      operations:
      - name: postapiv4personalaccesstokensselfrotate
        method: POST
        description: Rotate a personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: postApiV4PersonalAccessTokensSelfRotate
          in: body
          type: string
          required: true
    - name: api-v4-personal_access_tokens-id
      path: /api/v4/personal_access_tokens/{id}
      operations:
      - name: getapiv4personalaccesstokensid
        method: GET
        description: Get single personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: integer
          required: true
      - name: deleteapiv4personalaccesstokensid
        method: DELETE
        description: Revoke a personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: integer
          required: true
    - name: api-v4-personal_access_tokens-id-rotate
      path: /api/v4/personal_access_tokens/{id}/rotate
      operations:
      - name: postapiv4personalaccesstokensidrotate
        method: POST
        description: Rotate personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: integer
          required: true
        - name: postApiV4PersonalAccessTokensIdRotate
          in: body
          type: string
          required: true
    - name: api-v4-projects-id-access_tokens-self-rotate
      path: /api/v4/projects/{id}/access_tokens/self/rotate
      operations:
      - name: postapiv4projectsidaccesstokensselfrotate
        method: POST
        description: Rotate a resource access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The project ID
          required: true
        - name: postApiV4ProjectsIdAccessTokensSelfRotate
          in: body
          type: string
          required: true
  exposes:
  - type: rest
    namespace: gitlab-ci-access-tokens-rest
    port: 8080
    description: REST adapter for GitLab API — access_tokens. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/api/v4/groups/{id}/access-tokens/self/rotate
      name: api-v4-groups-id-access-tokens-self-rotate
      description: REST surface for api-v4-groups-id-access_tokens-self-rotate.
      operations:
      - method: POST
        name: postapiv4groupsidaccesstokensselfrotate
        description: Rotate a resource access token
        call: gitlab-ci-access-tokens.postapiv4groupsidaccesstokensselfrotate
        with:
          id: rest.id
          postApiV4GroupsIdAccessTokensSelfRotate: rest.postApiV4GroupsIdAccessTokensSelfRotate
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/personal-access-tokens
      name: api-v4-personal-access-tokens
      description: REST surface for api-v4-personal_access_tokens.
      operations:
      - method: GET
        name: getapiv4personalaccesstokens
        description: List personal access tokens
        call: gitlab-ci-access-tokens.getapiv4personalaccesstokens
        with:
          user_id: rest.user_id
          revoked: rest.revoked
          state: rest.state
          created_before: rest.created_before
          created_after: rest.created_after
          last_used_before: rest.last_used_before
          last_used_after: rest.last_used_after
          expires_before: rest.expires_before
          expires_after: rest.expires_after
          search: rest.search
          sort: rest.sort
          page: rest.page
          per_page: rest.per_page
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/personal-access-tokens/self
      name: api-v4-personal-access-tokens-self
      description: REST surface for api-v4-personal_access_tokens-self.
      operations:
      - method: GET
        name: getapiv4personalaccesstokensself
        description: Get single personal access token
        call: gitlab-ci-access-tokens.getapiv4personalaccesstokensself
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteapiv4personalaccesstokensself
        description: Revoke a personal access token
        call: gitlab-ci-access-tokens.deleteapiv4personalaccesstokensself
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/personal-access-tokens/self/associations
      name: api-v4-personal-access-tokens-self-associations
      description: REST surface for api-v4-personal_access_tokens-self-associations.
      operations:
      - method: GET
        name: getapiv4personalaccesstokensselfassociations
        description: Return personal access token associations
        call: gitlab-ci-access-tokens.getapiv4personalaccesstokensselfassociations
        with:
          min_access_level: rest.min_access_level
          page: rest.page
          per_page: rest.per_page
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/personal-access-tokens/self/rotate
      name: api-v4-personal-access-tokens-self-rotate
      description: REST surface for api-v4-personal_access_tokens-self-rotate.
      operations:
      - method: POST
        name: postapiv4personalaccesstokensselfrotate
        description: Rotate a personal access token
        call: gitlab-ci-access-tokens.postapiv4personalaccesstokensselfrotate
        with:
          postApiV4PersonalAccessTokensSelfRotate: rest.postApiV4PersonalAccessTokensSelfRotate
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/personal-access-tokens/{id}
      name: api-v4-personal-access-tokens-id
      description: REST surface for api-v4-personal_access_tokens-id.
      operations:
      - method: GET
        name: getapiv4personalaccesstokensid
        description: Get single personal access token
        call: gitlab-ci-access-tokens.getapiv4personalaccesstokensid
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteapiv4personalaccesstokensid
        description: Revoke a personal access token
        call: gitlab-ci-access-tokens.deleteapiv4personalaccesstokensid
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/personal-access-tokens/{id}/rotate
      name: api-v4-personal-access-tokens-id-rotate
      description: REST surface for api-v4-personal_access_tokens-id-rotate.
      operations:
      - method: POST
        name: postapiv4personalaccesstokensidrotate
        description: Rotate personal access token
        call: gitlab-ci-access-tokens.postapiv4personalaccesstokensidrotate
        with:
          id: rest.id
          postApiV4PersonalAccessTokensIdRotate: rest.postApiV4PersonalAccessTokensIdRotate
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v4/projects/{id}/access-tokens/self/rotate
      name: api-v4-projects-id-access-tokens-self-rotate
      description: REST surface for api-v4-projects-id-access_tokens-self-rotate.
      operations:
      - method: POST
        name: postapiv4projectsidaccesstokensselfrotate
        description: Rotate a resource access token
        call: gitlab-ci-access-tokens.postapiv4projectsidaccesstokensselfrotate
        with:
          id: rest.id
          postApiV4ProjectsIdAccessTokensSelfRotate: rest.postApiV4ProjectsIdAccessTokensSelfRotate
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: gitlab-ci-access-tokens-mcp
    port: 9090
    transport: http
    description: MCP adapter for GitLab API — access_tokens. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: rotate-resource-access-token
      description: Rotate a resource access token
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: gitlab-ci-access-tokens.postapiv4groupsidaccesstokensselfrotate
      with:
        id: tools.id
        postApiV4GroupsIdAccessTokensSelfRotate: tools.postApiV4GroupsIdAccessTokensSelfRotate
      outputParameters:
      - type: object
        mapping: $.
    - name: list-personal-access-tokens
      description: List personal access tokens
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: gitlab-ci-access-tokens.getapiv4personalaccesstokens
      with:
        user_id: tools.user_id
        revoked: tools.revoked
        state: tools.state
        created_before: tools.created_before
        created_after: tools.created_after
        last_used_before: tools.last_used_before
        last_used_after: tools.last_used_after
        expires_before: tools.expires_before
        expires_after: tools.expires_after
        search: tools.search
        sort: tools.sort
        page: tools.page
        per_page: tools.per_page
      outputParameters:
      - type: object
        mapping: $.
    - name: get-single-personal-access-token
      description: Get single personal access token
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: gitlab-ci-access-tokens.getapiv4personalaccesstokensself
      outputParameters:
      - type: object
        mapping: $.
    - name: revoke-personal-access-token
      description: Revoke a personal access token
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: gitlab-ci-access-tokens.deleteapiv4personalaccesstokensself
      outputParameters:
      - type: object
        mapping: $.
    - name: return-personal-access-token-associations
      description: Return personal access token associations
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: gitlab-ci-access-tokens.getapiv4personalaccesstokensselfassociations
      with:
        min_access_level: tools.min_access_level
        page: tools.page
        per_page: tools.per_page
      outputParameters:
      - type: object
        mapping: $.
    - name: rotate-personal-access-token
      description: Rotate a personal access token
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: gitlab-ci-access-tokens.postapiv4personalaccesstokensselfrotate
      with:
        postApiV4PersonalAccessTokensSelfRotate: tools.postApiV4PersonalAccessTokensSelfRotate
      outputParameters:
      - type: object
        mapping: $.
    - name: get-single-personal-access-token-2
      description: Get single personal access token
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: gitlab-ci-access-tokens.getapiv4personalaccesstokensid
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: revoke-personal-access-token-2
      description: Revoke a personal access token
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: gitlab-ci-access-tokens.deleteapiv4personalaccesstokensid
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: rotate-personal-access-token-2
      description: Rotate personal access token
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: gitlab-ci-access-tokens.postapiv4personalaccesstokensidrotate
      with:
        id: tools.id
        postApiV4PersonalAccessTokensIdRotate: tools.postApiV4PersonalAccessTokensIdRotate
      outputParameters:
      - type: object
        mapping: $.
    - name: rotate-resource-access-token-2
      description: Rotate a resource access token
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: gitlab-ci-access-tokens.postapiv4projectsidaccesstokensselfrotate
      with:
        id: tools.id
        postApiV4ProjectsIdAccessTokensSelfRotate: tools.postApiV4ProjectsIdAccessTokensSelfRotate
      outputParameters:
      - type: object
        mapping: $.