Best practice for using private tokens for the API?

Currently, I’m using my private token within my gitlab-ci.yml to pull information from a project using the API to store data for many projects. This is because I administer our gitlab and have access to all the projects. In the event that I leave my job location for whatever reason, I would expect my account to be shut down. Doing so, I would suspect my private token will no longer be valid and all the projects will fail to build.

For example, the command is in my gitlab-ci.yml job like this:

token=`curl --header "PRIVATE-TOKEN: xxxxxx-xxxxxx-xxx" "https://ourgitlabserver/api/v4/projects/$CI_PROJECT_ID/triggers"`

I would like to know if there is a better way to extract data from a project without using my private token through the API.

I thought about creating a dummy account to do this, but I don’t know if that dummy account will need permissions for all those projects or what. I feel like there should be a better way of doing this than what I’m doing now.

I’m not too familiar with the way the API works and I just happened to figure this method out from another developer. Also, I’m not a developer. I’m an SA. Any suggestions would be greatly appreciated.

EDIT: I think what I’m really looking for is a way to pull the trigger token for a project through the ci.yml without using my private token, which is what I do with that command (I parse the output to grab the project’s trigger token).

I’m not sure if it gives you API access, but there’s the CI_JOB_TOKEN variable. I know it gives access to the repo, subrepos, and the container registry. I’d be surprised if you didn’t get API access too.

A full list of available variables is at https://docs.gitlab.com/ee/ci/variables/predefined_variables.html

There is also work in progress that will help you out in the long run, see https://gitlab.com/gitlab-org/gitlab/issues/6883 and https://gitlab.com/gitlab-org/gitlab/issues/756
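
An added example, not part of the original posts: if the trigger token is only fetched in order to start a pipeline, a job can pass its own `CI_JOB_TOKEN` to GitLab's pipeline trigger endpoint, so no personal token is stored in the CI file. `trigger_pipeline`, `urlencode_project` and `CURL_BIN` are hypothetical names, and the sketch assumes the target project permits job-token access from the calling project.

```shell
#!/bin/sh
# Added example: start a pipeline with the short-lived, per-job CI_JOB_TOKEN
# instead of a personal PRIVATE-TOKEN tied to one user's account.
# CI_JOB_TOKEN and CI_API_V4_URL are GitLab predefined CI/CD variables.
# trigger_pipeline, urlencode_project and CURL_BIN are hypothetical names.

# Percent-encode "/" so a "group/project" path can be used as the project id.
urlencode_project() {
    printf '%s' "$1" | sed 's|/|%2F|g'
}

trigger_pipeline() {
    project="$1"        # numeric id or "group/project" path
    ref="${2:-main}"    # branch or tag to run the pipeline on

    # Fail closed: never send a request with an empty credential or base URL.
    if [ -z "${CI_JOB_TOKEN:-}" ]; then
        echo "CI_JOB_TOKEN is not set (not running inside a CI job?)" >&2
        return 2
    fi
    if [ -z "${CI_API_V4_URL:-}" ]; then
        echo "CI_API_V4_URL is not set" >&2
        return 2
    fi

    # Refuse to put the token on the wire in clear text.
    case "$CI_API_V4_URL" in
        https://*) ;;
        *) echo "refusing to send a token to a non-HTTPS URL" >&2; return 3 ;;
    esac

    # --fail turns HTTP 4xx/5xx into a non-zero exit so the job fails visibly.
    # CURL_BIN exists only so the call can be stubbed out in a dry run.
    "${CURL_BIN:-curl}" --fail --silent --show-error --request POST \
        --form "token=${CI_JOB_TOKEN}" \
        --form "ref=${ref}" \
        "${CI_API_V4_URL}/projects/$(urlencode_project "$project")/trigger/pipeline"
}
```

The job token expires when the job ends and is not tied to a user account that may later be deactivated.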