Overview
To connect GitLab to Ingest you need a Personal Access Token with read-only API access. GitLab.com accounts are free; the token belongs to a specific user and inherits that user's project, group, and instance visibility. Tokens can be set to expire (default 365 days) and can be revoked at any time from the same page where they are issued.
Setup guide
Create a Personal Access Token
- Sign in at gitlab.com and click your avatar in the upper-right corner, then Edit profile.
- In the left sidebar, expand Access and select Personal access tokens.
- Click Generate token → Legacy token.
- Enter a Token name (for example,
ingest) and an Expiration date (leave blank to use the maximum allowed lifetime). - Under Select scopes, tick
read_api. Do not grantapi— this connector only reads. - Click Generate token.
- Copy the token immediately. GitLab displays it once and will not show it again. It begins with
glpat-.
Add it to Ingest
In the Ingest UI under Connectors → GitLab, paste the token into the Token field and save. Ingest stores it in AWS Secrets Manager and never sends it back to your browser.
Mind the limits
- Authenticated API: 2,000 requests per minute per user on gitlab.com. Ingest starts at 5 requests per second and scales up automatically based on response latency.
- Per-endpoint caps: A few endpoints have tighter limits —
GET /users/:idis capped at 300 requests per 10 minutes,GET /projects/:idat 400 per minute. Ingest backs off on429responses and retries with exponential delay. - Fatal vs. retryable:
401(bad token),403(insufficient scope), and404(resource not visible to your token) are treated as fatal — the request is dropped, not retried.429and5xxresponses are retried up to five times. - Token visibility scope: The token only sees what its owning user can see. Private projects you are not a member of will not appear in
projects; subgroups you cannot access will not appear under their parent group.
Pick endpoints
The most commonly enabled endpoints, roughly in the order you will want them:
projectsandgroups— the catalogue of everything else. Required if you want any per-project or per-group data downstream.users— your contributor directory. Useful for joiningassignee_id/author_idcolumns to a person.project_issuesandproject_merge_requests— the two work-item streams most engineering analytics start with.pipelinesandjobs— CI/CD activity, pipeline duration, success rates.commits,branches,tags— git-level activity per project.deployments,environments,releases— release-engineering view.issue_notes,mr_notes,mr_discussions— comment threads, useful for response-time and review-depth analyses.
Endpoints listed under untested/ (epics, epic_issues, iterations burndown, group SAML users, instance audit events) require GitLab Premium or Ultimate. Activate them only on accounts with the matching license.
Supported streams
91 endpoints are available out of the box. Each endpoint syncs into its own Iceberg table in Snowflake.
| Endpoint | Description | Reference |
|---|---|---|
| branches branches | Branches in each project — name, the commit SHA the branch points to, whether it is the default, protected, or merged. | – |
| broadcast_messages broadcast_messages | Banner messages an admin has scheduled across the instance — the text, color, font, target path, start and end times. | – |
| commit_statuses commit_statuses | External and internal status checks reported against each commit — context, state (pending/success/failed), description, target URL, ref. | – |
| commits commits | Commits in each project's repository — SHA, author, committer, message, parent SHAs, and short stats. | – |
| current_user current_user | The profile of the user the token belongs to — id, username, email, public profile fields, and account settings. | – |
| deployment_merge_requests deployment_merge_requests | Merge requests included in each deployment — useful for tying production releases back to the work that shipped in them. | – |
| deployments deployments | Deployments per project — environment, deployable job, status, ref, SHA, created/updated/finished times. | – |
| descendant_groups descendant_groups | All groups under each group, including indirect descendants. | – |
| environments environments | Deployment targets per project — name, slug, external URL, state, tier (production/staging/etc.), and last deployment summary. | – |
| events events | Activity feed across everything your token can see — pushes, issue/MR creation, comments, joinings, with the actor and target object IDs. | – |
| feature_flags feature_flags | Feature flags defined per project — name, description, active flag, and per-environment rollout strategies. | – |
| freeze_periods freeze_periods | Deployment freeze windows per project — start/end cron expressions, timezone, and which environments they apply to. | – |
| group_access_requests group_access_requests | Pending group membership requests — requesting user, requested access level, request date. | – |
| group_approval_rules group_approval_rules | Default approval rules applied at group level — name, approvals required, eligible users and groups. | – |
| group_audit_events group_audit_events | Group-scoped audit log — security-relevant changes (subgroup created, project transferred, member changes) with actor and target. | – |
| group_badges group_badges | Badges shown on each group's overview page — name, link URL, image URL. | – |
| group_billable_members group_billable_members | Members of each group who count toward the seat-based license — user id, name, last activity, public email. | – |
| group_board_lists group_board_lists | Columns within each group issue board — title, position, the label or milestone that defines the column. | – |
| group_boards group_boards | Issue boards configured at group level — name, milestone scope, label filters. | – |
| group_deploy_tokens group_deploy_tokens | Long-lived tokens granting per-group read access — name, scopes, username, expiration. | – |
| group_issues group_issues | Issues across every project in each group — convenient when you want a group-rollup without joining `project_issues` to `groups`. | – |
| group_iterations group_iterations | Iterations defined at group level — title, start/due dates, state, parent cadence. | – |
| group_labels group_labels | Labels defined at group level — name, color, description, available to every project in the group. | – |
| group_members group_members | Members of each group including those inherited from parent groups — user id, access level, expiration. | – |
| group_merge_requests group_merge_requests | Merge requests across every project in each group — convenient for group-rollup merge analytics. | – |
| group_milestone_issues group_milestone_issues | Issues attached to each group-level milestone — spans every project under the group. | – |
| group_milestone_merge_requests group_milestone_merge_requests | Merge requests attached to each group-level milestone — spans every project under the group. | – |
| group_milestones group_milestones | Milestones defined at group level — visible to every project in the group hierarchy. | – |
| group_pending_members group_pending_members | Members awaiting administrator approval before they can use seats — user id, group, request time. | – |
| group_projects group_projects | Projects belonging to each group — full project metadata scoped to the group's namespace. | – |
| group_provisioned_users group_provisioned_users | Users provisioned via SCIM or SAML for each group — useful for IdP reconciliation. | – |
| group_releases group_releases | Releases across every project in each group — name, tag, description, release date, and originating project. | – |
| group_runners group_runners | CI runners available in each group and its ancestors — type, status, tags, contact time. | – |
| group_wikis group_wikis | Wiki page index for each group — slug, title, format. | – |
| groups groups | Every group visible to your token — name, path, parent group, visibility, and Premium/Ultimate license metadata. | – |
| issue_discussions issue_discussions | Threaded comments on each issue — discussion id with the list of notes that belong to that thread, plus resolved/resolvable flags. | – |
| issue_label_events issue_label_events | Label add/remove events on each issue — actor, label id, action (add/remove), timestamp. | – |
| issue_links issue_links | Issue-to-issue relationships — link type (relates_to, blocks, is_blocked_by), source and target issue references. | – |
| issue_notes issue_notes | Comments on each issue — author, body, system flag (true for state-change comments), created/updated time. | – |
| issue_participants issue_participants | Users who have participated on each issue (commented, been assigned, mentioned). | – |
| issues issues | All issues visible to your token across every project — title, description, state, labels, assignees, milestone, due date, and time-tracking estimates. | – |
| jobs jobs | Individual CI jobs per project — stage, name, status, runner, queued/started/finished times, duration, and the pipeline they belong to. | – |
| merge_requests merge_requests | All merge requests visible to your token across every project — source/target branches, author, reviewers, state, merge commit, draft flag, and approval status. | – |
| merge_trains merge_trains | Merge trains per project — the queue of merge requests waiting to be merged in order, with status and target branch. | – |
| milestone_issues milestone_issues | Issues attached to each project milestone — full issue payload scoped to the milestone. | – |
| milestone_merge_requests milestone_merge_requests | Merge requests attached to each project milestone — full MR payload scoped to the milestone. | – |
| mr_approval_rules mr_approval_rules | Approval rules attached specifically to each merge request — name, approvals required, eligible users and groups, approver-rules-source (project default vs. | – |
| mr_approval_state mr_approval_state | The detailed approval state for each merge request — which approval rules are satisfied, how many of the required approvals are in, who can still approve. | – |
| mr_approvals mr_approvals | Summary approval state for each merge request — number of approvals received, required count, list of approvers. | – |
| mr_discussions mr_discussions | Threaded comments on each merge request — discussion id with the list of notes, plus resolved/resolvable flags. | – |
| mr_label_events mr_label_events | Label add/remove events on each merge request — actor, label id, action, timestamp. | – |
| mr_notes mr_notes | Comments on each merge request — author, body, system flag, position (for diff comments), resolvable state, created/updated time. | – |
| mr_participants mr_participants | Users who have participated on each merge request (commented, been requested as reviewer, mentioned). | – |
| mr_reviewers mr_reviewers | Users assigned as reviewers on each merge request — name, username, current review state (unreviewed, reviewed, approved). | – |
| namespaces namespaces | Personal and group namespaces — the parent scope under which projects live. | – |
| personal_access_tokens personal_access_tokens | All access tokens belonging to the authenticated user — token name, scopes, creation date, expiration, last used time, and revoked status. | – |
| pipeline_jobs pipeline_jobs | Jobs in each pipeline — stage, name, status, runner, timing fields. | – |
| pipeline_schedules pipeline_schedules | Scheduled pipelines per project — cron expression, ref, owner, last and next run times, and active flag. | – |
| pipeline_test_report pipeline_test_report | JUnit-style test report aggregated across each pipeline's test jobs — total/success/failure/skipped counts plus per-suite breakdown. | – |
| pipeline_triggers pipeline_triggers | Manual pipeline trigger tokens per project — description, owner, last used time. | – |
| pipelines pipelines | CI/CD pipeline runs per project — status, source (push, schedule, web, etc.), ref, SHA, started/finished times, and duration. | – |
| project_access_requests project_access_requests | Pending project membership requests — requesting user, requested access level, request date. | – |
| project_approval_rules project_approval_rules | Default approval rules applied to all merge requests in a project — name, approvals required, eligible users and groups. | – |
| project_approvals project_approvals | Per-project approval configuration — number of approvals required, reset-on-push behaviour, self-approval allowance. | – |
| project_audit_events project_audit_events | Project-scoped audit log — security-relevant changes (member added/removed, settings changed, hooks created) with actor, target, and timestamp. | – |
| project_badges project_badges | Badges shown on the project overview page — name, link URL, image URL, and rendered values. | – |
| project_deploy_keys project_deploy_keys | SSH deploy keys with read or write access to one project's repository — title, key fingerprint, can-push flag. | – |
| project_deploy_tokens project_deploy_tokens | Long-lived tokens granting per-project read access to the repository, registry, or packages — name, scopes, username, expiration. | – |
| project_events project_events | Activity feed scoped to one project — pushes, issue/MR creation, comments, with the actor and target object IDs. | – |
| project_issues project_issues | Issues scoped to one project — title, description, state, labels, assignees, milestone, due date, and time-tracking. | – |
| project_iterations project_iterations | Iterations defined or inherited per project — title, start/due dates, state, and parent cadence. | – |
| project_labels project_labels | Labels defined in each project — name, color, description, priority, and counts of open issues/MRs using the label. | – |
| project_members project_members | Members of each project including those inherited from parent groups — user id, access level, expiration date, and how the membership was granted. | – |
| project_merge_requests project_merge_requests | Merge requests scoped to one project — source/target branches, author, reviewers, state, draft flag, merge SHA, and approval state. | – |
| project_milestones project_milestones | Milestones defined in each project — title, description, due date, start date, state, and expired flag. | – |
| project_runners project_runners | CI runners attached to a project — type, status, tags, contact time, and locked-to-project flag. | – |
| project_snippets project_snippets | Code snippets attached to one project — title, description, file name, language, visibility. | – |
| project_wikis project_wikis | Wiki page index for each project — slug, title, format, and front matter (page bodies are returned by the per-page endpoint). | – |
| projects projects | Every project visible to your token — repository metadata, namespace, default branch, visibility, star/fork counts, and a per-project statistics block. | – |
| protected_branches protected_branches | Branch protection rules per project — the protected pattern, who can push, who can merge, and whether force-push is allowed. | – |
| protected_tags protected_tags | Tag protection rules per project — the protected pattern and who can create matching tags. | – |
| releases releases | Tagged releases per project — name, tag, description, release date, milestones, evidence, and asset links. | – |
| repository_contributors repository_contributors | Per-project contributor stats — name, email, commit count, additions, deletions. | – |
| repository_tree repository_tree | Top-level repository contents per project — file/folder names, types, modes, SHAs. | – |
| runners runners | CI/CD runners your token has access to — type, status, online state, IP address, tags, and the last contact time. | – |
| snippets snippets | Code snippets owned by the authenticated user — title, description, file name, language, and visibility. | – |
| subgroups subgroups | Direct child subgroups of each group — name, path, visibility, project counts. | – |
| tags tags | Git tags in each project — tag name, the commit it points to, optional release notes, and any signature. | – |
| todos todos | The authenticated user's pending to-do items — issues, merge requests, and mentions awaiting their action. | – |
| topics topics | Public topics on the instance — the tagging system for discoverability. | – |
| users users | User profiles your token can see — username, name, email when permitted, avatar URL, sign-up date, and last activity. | – |
Authentication
- Auth type
- API Key
- Sent as header
PRIVATE-TOKEN- Provider docs
- docs.gitlab.com ↗
Performance & limits
- Rate limit
- 2,000 requests per minute per user (gitlab.com authenticated API; some endpoints have stricter per-endpoint caps — see GitLab's gitlab.com user docs)
Automatic backoff
Ingest throttles requests to the published rate limit and retries with exponential backoff on transient errors. You don't need to handle 429s, retries, or pagination yourself.