Feedback Issue: Gitpod Public API (and Access Tokens)

[loujaybee]

Objective

Issue for feedback related to our upcoming Public API.

Related roadmap items:

• Epic: Private beta of initial public APIs #10798
• Epic: Personal Access Tokens #14280
• Epic: Create external workspace dashboards or clients (e.g. CLI or IdP) via Public API #10427
• Epic: Automate off + onboarding via Public API (users, teams & projects) #10799
• Epic: Resource Usage (Billing) Public APIs #11335
• Epic: Prebuild Public APIs #15213
• Epic: Service accounts (Auth tokens not tied to users) #15419

Related links

• https://www.gitpod.io/docs/configure/user-settings/access-tokens
• Early Access form

[mbrevoort]

Some feedback annoted:

It is useless to offer an API token with "no access". We shouldn't allow it. Consider providing an identity scope and basic API method to return information about the identity of the token including the tokens ID and name and scopes. Because once you copy it, there isn't another way to correlate the token you have back to the list of tokens in the UI. If I had 10 tokens and one was compromised, but all I had was the value, how do I know which one to invalidate?

If we are going to have names for tokens, we shouldn't allow duplicates.

[mbrevoort]

Additional annotated comments:

[mbrevoort]

This seems daftly redundant. How many times do we need to say "access token"? 🤪

[mbrevoort]

The empty state is an opportunity to educate users about the API so don't waste the space. What can I do with the API? Why would I want to? Why would I want to create an access token? If I'm less savvy and don't know what access tokens are, how do I learn?

[ghuntley]

As a general rule of thumb: the design of tokens should be matchable via Regex expression and include a checksum that external parties can use to validate offline that the token was issued by Gitpod.

[Siddhant-K-code]

@ghuntley As a general rule of thumb: the design of tokens should be matchable via Regex expression and include a checksum that external parties can use to validate offline that the token was issued by Gitpod.

Yeah, our API PAT Tokens contain gitpod_pat_ as a starting slug. They can match this pattern for any token validation.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.