API auth as application

I have a cloud-based code scanning tool that is currently integrated with GitHub and Bitbucket. I am now trying to integrate with GitLab. It’s https://codereview.doctor

For context, here is how it works: upon getting a webhook event for a merge request, the tool will clone the repo, check out the PR branch, scan the code for common Python and Django mistakes, then comment on the MR with suggestions for improvement.

I am having trouble working out how to auth with the API.

I made an application (Applications API | GitLab) and have an applicationId and a secret. The application has “api” and “read_repository” scopes.

I cannot find documentation for using the applicationId and secret to generate a token that can then be used for authentication during API requests.

If this were GitHub or Bitbucket, I would use the application secret and applicationId to generate a JWT, then use the JWT to retrieve an access token that I include as a bearer token authorization header.

So I want to do “machine-to-machine” auth, but I can only find GitLab docs related to “human-to-machine” (using OAuth to create an access token, requiring the user to click a button in the browser).