gitpod-io
diff --git a/‎components/public-api-server/pkg/apiv1/tokens.go
Lines changed: 22 additions & 3 deletions b/‎components/public-api-server/pkg/apiv1/tokens.go
Lines changed: 22 additions & 3 deletions
diff --git a/‎components/public-api-server/pkg/apiv1/tokens_test.go
Lines changed: 16 additions & 0 deletions b/‎components/public-api-server/pkg/apiv1/tokens_test.go
Lines changed: 16 additions & 0 deletions
diff --git a/‎components/public-api/gitpod/experimental/v1/tokens.proto
Lines changed: 2 additions & 1 deletion b/‎components/public-api/gitpod/experimental/v1/tokens.proto
Lines changed: 2 additions & 1 deletion
diff --git a/‎components/public-api/go/experimental/v1/tokens.pb.go
Lines changed: 2 additions & 1 deletion b/‎components/public-api/go/experimental/v1/tokens.pb.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎components/public-api/typescript/src/gitpod/experimental/v1/tokens_pb.ts
Lines changed: 2 additions & 1 deletion b/‎components/public-api/typescript/src/gitpod/experimental/v1/tokens_pb.ts
Lines changed: 2 additions & 1 deletion
@@ -8,6 +8,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 
 	connect "github.com/bufbuild/connect-go"
@@ -45,9 +46,9 @@ type TokensService struct {
 func (s *TokensService) CreatePersonalAccessToken(ctx context.Context, req *connect.Request[v1.CreatePersonalAccessTokenRequest]) (*connect.Response[v1.CreatePersonalAccessTokenResponse], error) {
 	tokenReq := req.Msg.GetToken()
 
-	name := strings.TrimSpace(tokenReq.GetName())
-	if name == "" {
-		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("Token Name is a required parameter."))
+	name, err := validatePersonalAccessTokenName(tokenReq.GetName())
+	if err != nil {
+		return nil, err
 	}
 
 	expiry := tokenReq.GetExpirationTime()
@@ -328,3 +329,21 @@ func personalAccessTokenToAPI(t db.PersonalAccessToken, value string) *v1.Person
 		CreatedAt:      timestamppb.New(t.CreatedAt),
 	}
 }
+
+var (
+	// alpha-numeric characters, dashes, underscore, spaces, between 3 and 63 chars
+	personalAccessTokenNameRegex = regexp.MustCompile(`^[a-zA-Z0-9-_ ]{3,63}$`)
+)
+
+func validatePersonalAccessTokenName(name string) (string, error) {
+	trimmed := strings.TrimSpace(name)
+	if trimmed == "" {
+		return "", connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Token Name is a required parameter, but got empty."))
+	}
+
+	if !personalAccessTokenNameRegex.MatchString(trimmed) {
+		return "", connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Token Name is required to match regexp %s.", personalAccessTokenNameRegex.String()))
+	}
+
+	return trimmed, nil
+}
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
@@ -74,6 +75,21 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
 		require.Equal(t, connect.CodeInvalidArgument, connect.CodeOf(err))
 	})
 
+	t.Run("invalid argument when name does not match required regex", func(t *testing.T) {
+		_, _, client := setupTokensService(t, withTokenFeatureDisabled)
+
+		names := []string{"a", "ab", strings.Repeat("a", 64), "!#$!%"}
+
+		for _, name := range names {
+			_, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
+				Token: &v1.PersonalAccessToken{
+					Name: name,
+				},
+			}))
+			require.Equal(t, connect.CodeInvalidArgument, connect.CodeOf(err))
+		}
+	})
+
 	t.Run("invalid argument when expiration time is unspecified", func(t *testing.T) {
 		_, _, client := setupTokensService(t, withTokenFeatureDisabled)
 
 
@@ -19,7 +19,8 @@ message PersonalAccessToken {
     // Read only.
     string value = 2;
 
-    // name is the name of the token for humans, set by the user
+    // name is the name of the token for humans, set by the user.
+    // Must match regexp ^[a-zA-Z0-9-_ ]{3,63}$
     string name = 3;
 
     // expiration_time is the time when the token expires