Question

I'm working on a script that determines whether PAT has full scope or not.

In Microsoft Docs, I discovered the following information:

GET https://vssps.dev.azure.com/{organization}/_apis/tokenadmin/personalaccesstokens/{subjectDescriptor}?api-version=6.0-preview.1

I can find all the PATS and their names, as well as the scope and other details for a specific user, using this API.

I don't want to pass the PAT name into the script and then have to figure out what the scope is for it.

I'd like to utilise a PAT token and return the scope for that token.

Is there a way to do this with an API?

Answer 1

At this time, there is no way to return PAT scope using a PAT token rather than a PAT name.

Personal Access Tokens - List: The same as the REST API Personal Access Tokens - List:

{
        "clientId": "00000000-0000-0000-0000-000000000000",
        "accessId": "439729fa-be4e-49b2-8530-263cf053d786",
        "authorizationId": "a451306e-621d-4a6c-8c54-9096493a40f9",
        "hostAuthorizationId": "00000000-0000-0000-0000-000000000000",
        "userId": "c1b9603c-da3a-410e-9e59-074dcee61dcc",
        "validFrom": "2021-01-07T00:00:00",
        "validTo": "2021-02-06T00:00:00",
        "displayName": "TestPATA1",
        "scope": "app_token",
        "targetAccounts": [
            "c519b80d-5d71-46b3-a8e0-3edf8c026ea2"
        ],
        "token": null,
        "alternateToken": null,
        "isValid": true,
        "isPublic": false,
        "publicData": null,
        "source": null,
        "claims": null
    },

We could correlate the value of the PAT token with each PAT because the response body does not contain the value of the PAT token.