Browser-based upload to repo

I would like some users of my website to upload files to my private repo.

I know I can do this using the API, but since Private Tokens grant access to MY WHOLE GITLAB.COM ACCOUNT, I’d rather not share this token with the entire world… so here is what I imagined so far:

  • create a Docker container
  • run a minimal nginx server on it
  • identify user and give them a private token generated on the spot
  • proxy subsequent PUT /upload with user token, to corresponding GitLab API at PUT /projects/:id/repository/files/:file_path using my private token (but not leaked)

Apart from adding more moving parts to my stack, I find it quite “radical” for just not leaking one token… In fact, a more integrated solution would be to simply generate a token from gitlab.com with a scope reduced to that specific project. Then users would query against gitlab.com but without being able to hack my account.

So, is there another way I overlooked? Or can this be accomplished by upgrading to other GitLab products?
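
The proxy flow described in the post, as an added example that is not part of the original post: the proxy issues short-lived upload tokens, validates the target path, and attaches the GitLab token only on the server side. The project id, branch, `uploads/` directory, signing key and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re, time
from urllib.parse import quote

GITLAB_API = "https://gitlab.com/api/v4"
PROJECT_ID = "12345"                    # constructed placeholder project id
BRANCH, UPLOAD_DIR = "main", "uploads"  # assumptions, not from the post
SIGNING_KEY = b"constructed-demo-key"   # proxy-local secret, unrelated to GitLab
SAFE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}")  # no "/", no leading "."

def _now(now):
    return time.time() if now is None else now

def issue_upload_token(user, ttl=300, now=None):
    """Short-lived token handed to an identified user: user:expiry:HMAC."""
    msg = f"{user}:{int(_now(now) + ttl)}"
    return f"{msg}:{hmac.new(SIGNING_KEY, msg.encode(), hashlib.sha256).hexdigest()}"

def verify_upload_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, exp, sig = token.rsplit(":", 2)
        expires = int(exp)
    except ValueError:
        return None
    good = hmac.new(SIGNING_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(sig.encode(), good.encode()) and expires > _now(now)
    return user if ok else None

def build_upstream_request(token, filename, data, gitlab_token, now=None):
    """Translate PUT /upload into the GitLab call; the caller never sees gitlab_token."""
    user = verify_upload_token(token, now)
    if user is None:
        raise PermissionError("invalid or expired upload token")
    if not (SAFE.fullmatch(user) and SAFE.fullmatch(filename)):
        raise ValueError("unsafe user or file name")
    # Confine writes to uploads/<user>/ so CI config or other files can't be replaced.
    path = quote(f"{UPLOAD_DIR}/{user}/{filename}", safe="")
    url = f"{GITLAB_API}/projects/{PROJECT_ID}/repository/files/{path}"
    body = json.dumps({
        "branch": BRANCH, "encoding": "base64",
        "content": base64.b64encode(data).decode(),
        "commit_message": f"Upload {filename} for {user}",
    })
    # PUT as in the post (updates an existing file); GitLab uses POST on the same path to create one.
    headers = {"PRIVATE-TOKEN": gitlab_token, "Content-Type": "application/json"}
    return "PUT", url, headers, body
```

The returned tuple is what the proxy would send upstream; the GitLab token would be read from the container's environment rather than passed in by any client.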