feat(api): add token introspection and self-deletion endpoint (#37995)

Adds a /api/v1/token endpoint that allows tokens to introspect and
delete themselves.
partially fixes: https://github.com/go-gitea/gitea/issues/33583

Assisted-by: Mistral Vibe:mistral-medium-3.5

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

tests/integration/api_token_self_test.go

@@ -0,0 +1,98 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/http"
+	"testing"
+
+	auth_model "gitea.dev/models/auth"
+	"gitea.dev/models/unittest"
+	user_model "gitea.dev/models/user"
+	api "gitea.dev/modules/structs"
+	"gitea.dev/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestAPIGetCurrentToken tests getting metadata of the currently authenticated token
+func TestAPIGetCurrentToken(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("Success with all scopes", func(t *testing.T) {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-get-current-token-all", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
+
+		req := NewRequest(t, "GET", "/api/v1/token").
+			AddTokenAuth(accessToken.Token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		currentToken := DecodeJSON(t, resp, &api.CurrentAccessToken{})
+		assert.Equal(t, accessToken.ID, currentToken.ID)
+		assert.Equal(t, accessToken.Name, currentToken.Name)
+		assert.Equal(t, user.ID, currentToken.User.ID)
+		assert.Equal(t, user.Name, currentToken.User.Login)
+	})
+
+	t.Run("Success with limited scopes", func(t *testing.T) {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-get-current-token-limited", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadRepository})
+
+		req := NewRequest(t, "GET", "/api/v1/token").
+			AddTokenAuth(accessToken.Token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		currentToken := DecodeJSON(t, resp, &api.CurrentAccessToken{})
+		assert.Equal(t, accessToken.ID, currentToken.ID)
+		assert.Equal(t, accessToken.Name, currentToken.Name)
+		assert.Equal(t, user.ID, currentToken.User.ID)
+		assert.Equal(t, user.Name, currentToken.User.Login)
+	})
+
+	t.Run("Bad token", func(t *testing.T) {
+		req := NewRequest(t, "GET", "/api/v1/token").
+			AddTokenAuth("this does not exist")
+		MakeRequest(t, req, http.StatusUnauthorized)
+
+		req = NewRequest(t, "GET", "/api/v1/token")
+		MakeRequest(t, req, http.StatusUnauthorized)
+	})
+}
+
+// TestAPITokenSelfService tests delete operations on token
+func TestAPITokenSelfService(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("Success then verify deleted", func(t *testing.T) {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-delete-current-token", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
+
+		// Delete the token via the endpoint
+		req := NewRequest(t, "DELETE", "/api/v1/token").
+			AddTokenAuth(accessToken.Token)
+		MakeRequest(t, req, http.StatusNoContent)
+
+		// Verify the token is deleted
+		unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: accessToken.ID})
+
+		// Verify the token can no longer be used for GET
+		req = NewRequest(t, "GET", "/api/v1/token").
+			AddTokenAuth(accessToken.Token)
+		MakeRequest(t, req, http.StatusUnauthorized)
+
+		// Verify the token can no longer be used for DELETE
+		req = NewRequest(t, "DELETE", "/api/v1/token").
+			AddTokenAuth(accessToken.Token)
+		MakeRequest(t, req, http.StatusUnauthorized)
+	})
+
+	t.Run("Bad token", func(t *testing.T) {
+		req := NewRequest(t, "DELETE", "/api/v1/token").
+			AddTokenAuth("this does not exist")
+		MakeRequest(t, req, http.StatusUnauthorized)
+
+		req = NewRequest(t, "DELETE", "/api/v1/token")
+		MakeRequest(t, req, http.StatusUnauthorized)
+	})
+}