Merge branch 'revoked-token-view' into 'master'

Documentation for viewing inactive (expired or revoked) access tokens See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158239 Merged-by: Ashraf Khamis <akhamis@gitlab.com> Approved-by: Nick Malcolm <nmalcolm@gitlab.com> Approved-by: Ashraf Khamis <akhamis@gitlab.com> Co-authored-by: Jonathan Glassman <jglassman@gitlab.com>

Merge branch 'revoked-token-view' into 'master'
211b18d9 · Ashraf Khamis · GitLab · 9e31c01e · 7bdbe5d1 · 211b18d9
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -112,18 +112,43 @@ If you are an administrator, you can create group access tokens in the Rails con
   1. Use the group token to [clone a group's project](../../../topics/git/clone.md#clone-with-https)
      using HTTPS.

-## Revoke a group access token using the UI
+## Revoke a group access token
+
+> - Ability to view revoked tokens [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/462217) in GitLab 17.3 [with a flag](../../../administration/feature_flags.md) named `retain_resource_access_token_user_after_revoke`. Disabled by default.
+
+You can use either the UI or the Rails console to revoke a group access token.
+
+In GitLab 17.3 and later, if you enable the `retain_resource_access_token_user_after_revoke`
+feature flag, you can view both active and inactive revoked group access tokens
+on the access tokens page. If you do not enable the feature flag, you can only view
+the active tokens. The inactive group access tokens table:
+
+- Contains:
+  - Existing tokens that have been revoked but have not yet expired. After these
+    tokens expire, they are no longer in the table.
+  - Tokens created after the feature flag was enabled that have been revoked.
+    These tokens remain in the table even after they have expired.
+
+- Does not contain:
+  - Tokens that have already expired or been revoked.
+  - Existing tokens that expire in the future or have not been revoked.
+
+### Use the UI

 To revoke a group access token:

 1. On the left sidebar, select **Search or go to** and find your group.
 1. Select **Settings > Access Tokens**.
-1. Next to the group access token to revoke, select **Revoke**  (**{remove}**).
+1. Next to the group access token to revoke, select **Revoke** (**{remove}**).
+
+### Use the Rails console
+
+Prerequisites:

-## Revoke a group access token using Rails console
+- You must be an administrator.

-If you are a GitLab administrator, you can revoke a group access token.
-Run this command in a [Rails console](../../../administration/operations/rails_console.md):
+To revoke a group access token, run the following command in a
+[Rails console](../../../administration/operations/rails_console.md):

 ```ruby
 bot = User.find_by(username: 'group_109_bot') # the owner of the token you want to revoke

--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -67,12 +67,29 @@ A project access token is displayed. Save the project access token somewhere saf

 ## Revoke a project access token

+> - Ability to view revoked tokens [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/462217) in GitLab 17.3 [with a flag](../../../administration/feature_flags.md) named `retain_resource_access_token_user_after_revoke`. Disabled by default.
+
 To revoke a project access token:

 1. On the left sidebar, select **Search or go to** and find your project.
 1. Select **Settings > Access Tokens**.
 1. Next to the project access token to revoke, select **Revoke** (**{remove}**).

+In GitLab 17.3 and later, if you enable the `retain_resource_access_token_user_after_revoke`
+feature flag, you can view both active and inactive revoked project access tokens
+on the access tokens page. If you do not enable the feature flag, you can only view
+the active tokens. The inactive project access tokens table:
+
+- Contains:
+  - Existing tokens that have been revoked but have not yet expired. After these
+    tokens expire, they are no longer in the table.
+  - Tokens created after the feature flag was enabled that have been revoked.
+    These tokens remain in the table even after they have expired.
+
+- Does not contain:
+  - Tokens that have already expired or been revoked.
+  - Existing tokens that expire in the future or have not been revoked.
+
 ## Scopes for a project access token

 > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.