The GitLab OAuth 2.0 API enables third-party services to access GitLab resources on behalf of users using the OAuth 2.0 protocol. It supports authorization code with PKCE, device authorization grant, and resource owner password credentials flows, allowing secure delegation of access to GitLab resources.
openapi: 3.1.0
info:
title: GitLab OAuth 2.0 API
description: >-
The GitLab OAuth 2.0 API enables third-party services to access GitLab
resources on behalf of users using the OAuth 2.0 protocol. It supports
authorization code with PKCE, device authorization grant, and resource
owner password credentials flows. Applications must first be registered
in GitLab user settings before using these endpoints.
version: '4'
contact:
name: GitLab Support
url: https://about.gitlab.com/support/
termsOfService: https://about.gitlab.com/terms/
externalDocs:
description: GitLab OAuth 2.0 API Documentation
url: https://docs.gitlab.com/api/oauth2/
servers:
- url: https://gitlab.com
description: GitLab.com Production Server
tags:
- name: Authorization
description: Endpoints for initiating OAuth authorization flows.
- name: Tokens
description: Endpoints for exchanging, refreshing, and revoking OAuth tokens.
- name: User Info
description: Endpoints for retrieving authenticated user information via OAuth.
paths:
/oauth/authorize:
get:
operationId: authorizeOAuth
summary: GitLab Authorize OAuth Application
description: >-
Initiates the OAuth 2.0 authorization code flow. Redirects the user to
the GitLab authorization page where they can grant access to the
application. Supports PKCE for public clients by including the
code_challenge and code_challenge_method parameters.
tags:
- Authorization
parameters:
- name: client_id
in: query
required: true
description: The application ID registered in GitLab.
schema:
type: string
example: '123456'
- name: redirect_uri
in: query
required: true
description: The URI to redirect to after authorization.
schema:
type: string
format: uri
example: example_value
- name: response_type
in: query
required: true
description: Must be set to code for the authorization code flow.
schema:
type: string
enum:
- code
example: code
- name: state
in: query
required: true
description: >-
A random, unguessable string used to protect against CSRF attacks.
Must be returned unchanged in the redirect response.
schema:
type: string
example: '2026-04-17T12:00:00Z'
- name: scope
in: query
required: false
description: >-
Space-separated list of scopes to request. Available scopes include
api, read_api, read_user, read_repository, write_repository, and others.
schema:
type: string
example: example_value
- name: code_challenge
in: query
required: false
description: >-
A Base64 URL-encoded SHA-256 hash of the code_verifier. Required
when using PKCE for public clients.
schema:
type: string
example: example_value
- name: code_challenge_method
in: query
required: false
description: The method used to generate the code_challenge. Must be S256.
schema:
type: string
enum:
- S256
example: S256
- name: root_namespace_id
in: query
required: false
description: >-
Optional. Limits group access token creation to a specific namespace.
schema:
type: integer
example: 42
responses:
'302':
description: Redirect to the specified redirect_uri with the authorization code.
'400':
description: Bad request due to missing or invalid parameters.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/oauth/authorize_device:
post:
operationId: authorizeDevice
summary: GitLab Initiate Device Authorization Grant
description: >-
Initiates the OAuth 2.0 device authorization grant flow for
input-constrained devices. Returns a device code and user code
that the user enters on a secondary device to authorize access.
tags:
- Authorization
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/DeviceAuthorizationRequest'
responses:
'200':
description: Device authorization initiated successfully.
content:
application/json:
schema:
$ref: '#/components/schemas/DeviceAuthorizationResponse'
'400':
description: Bad request due to invalid client credentials.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/oauth/token:
post:
operationId: exchangeToken
summary: GitLab Exchange Code for Access Token
description: >-
Exchanges an authorization code, device code, or refresh token for an
OAuth 2.0 access token. Supports authorization_code, refresh_token,
device_code, and password grant types. Access tokens are valid for
two hours. Includes CORS support for browser-based applications.
tags:
- Tokens
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/TokenRequest'
responses:
'200':
description: Token issued successfully.
content:
application/json:
schema:
$ref: '#/components/schemas/TokenResponse'
'400':
description: Invalid grant or request parameters.
'401':
description: Invalid client credentials.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/oauth/revoke:
post:
operationId: revokeToken
summary: GitLab Revoke an OAuth Token
description: >-
Revokes an existing OAuth access token or refresh token. After
revocation the token can no longer be used to access GitLab resources.
Supports CORS for browser-based applications.
tags:
- Tokens
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/RevokeTokenRequest'
responses:
'200':
description: Token revoked successfully.
'401':
description: Invalid or expired token.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/oauth/token/info:
get:
operationId: getTokenInfo
summary: GitLab Get Token Information
description: >-
Returns information about the current OAuth access token, including
the scopes it was granted and its expiration time. Useful for
validating that a token is still active.
tags:
- Tokens
security:
- oauthToken: []
responses:
'200':
description: Token information returned successfully.
content:
application/json:
schema:
$ref: '#/components/schemas/TokenInfo'
'401':
description: Invalid or expired token.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/oauth/userinfo:
get:
operationId: getUserInfo
summary: GitLab Get Authenticated User Information
description: >-
Returns profile information about the currently authenticated user
based on the OAuth token's scopes. Implements the OpenID Connect
UserInfo endpoint. Supports CORS for browser-based applications.
tags:
- User Info
security:
- oauthToken: []
responses:
'200':
description: User information returned successfully.
content:
application/json:
schema:
$ref: '#/components/schemas/UserInfo'
'401':
description: Invalid or expired token.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
components:
securitySchemes:
oauthToken:
type: http
scheme: bearer
description: OAuth 2.0 access token obtained via the authorization flow.
schemas:
DeviceAuthorizationRequest:
type: object
required:
- client_id
properties:
client_id:
type: string
description: The application ID registered in GitLab.
example: '123456'
scope:
type: string
description: Space-separated list of requested scopes.
example: example_value
DeviceAuthorizationResponse:
type: object
properties:
device_code:
type: string
description: The device verification code used to poll for the access token.
example: example_value
user_code:
type: string
description: The end-user verification code to enter on the authorization page.
example: example_value
verification_uri:
type: string
format: uri
description: The end-user verification URI on the authorization server.
example: '2026-04-17T12:00:00Z'
verification_uri_complete:
type: string
format: uri
description: The verification URI that includes the user_code.
example: '2026-04-17T12:00:00Z'
expires_in:
type: integer
description: The lifetime in seconds of the device_code and user_code.
example: 42
interval:
type: integer
description: Minimum number of seconds between polling requests.
example: 42
TokenRequest:
type: object
required:
- grant_type
- client_id
properties:
grant_type:
type: string
enum:
- authorization_code
- refresh_token
- device_code
- password
description: The grant type for the token request.
example: authorization_code
client_id:
type: string
description: The application ID registered in GitLab.
example: '123456'
client_secret:
type: string
description: >-
The application secret. Required for confidential clients using
authorization_code or refresh_token grant types.
example: example_value
code:
type: string
description: The authorization code received from the authorize endpoint.
example: example_value
redirect_uri:
type: string
format: uri
description: The redirect URI used in the original authorization request.
example: example_value
code_verifier:
type: string
description: The PKCE code verifier corresponding to the code_challenge.
example: example_value
refresh_token:
type: string
description: The refresh token to exchange for a new access token.
example: main
device_code:
type: string
description: The device code from the device authorization response.
example: example_value
username:
type: string
description: Resource owner username. Only for password grant type.
example: Example Project
password:
type: string
description: Resource owner password. Only for password grant type.
example: example_value
TokenResponse:
type: object
properties:
access_token:
type: string
description: The OAuth 2.0 access token.
example: glpat-example-token
token_type:
type: string
description: The type of token. Always Bearer.
example: glpat-example-token
expires_in:
type: integer
description: Token lifetime in seconds. Typically 7200 (2 hours).
example: 42
refresh_token:
type: string
description: The refresh token for obtaining new access tokens.
example: main
scope:
type: string
description: Space-separated list of granted scopes.
example: example_value
created_at:
type: integer
description: Unix timestamp of when the token was created.
example: 42
RevokeTokenRequest:
type: object
required:
- client_id
- client_secret
- token
properties:
client_id:
type: string
description: The application ID registered in GitLab.
example: '123456'
client_secret:
type: string
description: The application secret.
example: example_value
token:
type: string
description: The access token or refresh token to revoke.
example: glpat-example-token
TokenInfo:
type: object
properties:
resource_owner_id:
type: integer
description: The ID of the user who authorized the token.
example: 42
application:
type: object
description: Information about the OAuth application.
properties:
uid:
type: string
description: The application client ID.
scope:
type: array
description: List of scopes the token has been granted.
items:
type: string
expires_in_seconds:
type: integer
description: Remaining lifetime of the token in seconds.
example: 42
created_at:
type: number
description: Unix timestamp of when the token was created.
example: 42.5
UserInfo:
type: object
properties:
sub:
type: string
description: Subject identifier. Unique to the user within the provider.
example: example_value
name:
type: string
description: Full name of the user.
example: Example Project
nickname:
type: string
description: The user's GitLab username.
example: Example Project
email:
type: string
format: email
description: The user's email address. Requires the email scope.
example: [email protected]
email_verified:
type: boolean
description: Whether the user's email address has been verified.
example: true
profile:
type: string
format: uri
description: URL to the user's GitLab profile page.
example: example_value
picture:
type: string
format: uri
description: URL to the user's avatar image.
example: example_value
groups:
type: array
description: List of groups the user belongs to.
items:
type: string