
Personal Access Tokens vs Impersonation Tokens in GitLab


In GitLab, what are the differences between Personal Access Tokens and Impersonation Tokens? When would we rather use one over the other?


Solution

  • A personal access token (PAT) is tied to your own account and anything done in the API is logged under your user.

    PATs are used basically anytime you need to use the API for information that isn't public. As a regular user, that includes accessing private repositories you have access to. As an admin, that might be anything within the system.

    Impersonation tokens are used by admins when they need to pose as another existing user.

    They're used anytime an admin wants to take action on behalf of another user. One of the key differences is that it will display as that user taking an action.

    For example, an admin moves an issue from one project to another while impersonating userA. When viewing that issue, it will say userA moved the issue. If an admin used their own PAT to move the issue, it would instead say the admin moved it.

    Impersonation tokens are useful for troubleshooting, since an issue might not affect an admin but does affect the user. Taking the previous example, if a user wanted to move an issue to another project but can't, then assuming it's a permission issue (the user does not have the rights to create an issue in the project they're trying to move it to), an admin would be able to do it with their own account, but not while using the impersonation token.
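
An added example, not part of the original answer: since actions taken with an impersonation token are shown as the impersonated user, an admin may want to find tokens left active after troubleshooting. This Python code audits records shaped like the JSON from GitLab's admin-only `GET /api/v4/users/:user_id/impersonation_tokens` endpoint; the sample records, the 7-day policy and the function name `audit_impersonation_tokens` are assumptions.

```python
from datetime import date, timedelta

# Constructed sample records (not real data), using the field names the
# impersonation-token API returns: id, user_id, active, revoked, scopes, ...
SAMPLE_TOKENS = [
    {"id": 1, "user_id": 42, "name": "debug-issue-move", "active": True,
     "revoked": False, "scopes": ["api"], "impersonation": True,
     "created_at": "2024-01-10T09:00:00.000Z", "expires_at": "2024-01-12"},
    {"id": 2, "user_id": 42, "name": "old-troubleshooting", "active": True,
     "revoked": False, "scopes": ["api"], "impersonation": True,
     "created_at": "2023-06-01T09:00:00.000Z", "expires_at": "2024-12-31"},
    {"id": 3, "user_id": 57, "name": "read-check", "active": True,
     "revoked": False, "scopes": ["read_user"], "impersonation": True,
     "created_at": "2024-01-09T09:00:00.000Z", "expires_at": None},
    {"id": 4, "user_id": 57, "name": "finished", "active": False,
     "revoked": True, "scopes": ["api"], "impersonation": True,
     "created_at": "2023-11-01T09:00:00.000Z", "expires_at": "2023-11-02"},
]

MAX_LIFETIME = timedelta(days=7)  # assumed policy: troubleshooting tokens are short-lived


def audit_impersonation_tokens(tokens, today):
    """Return {token_id: [reasons]} for usable tokens that outlive the policy."""
    findings = {}
    for tok in tokens:
        if tok["revoked"] or not tok["active"]:
            continue  # already unusable, nothing to clean up
        reasons = []
        created = date.fromisoformat(tok["created_at"][:10])
        if today - created > MAX_LIFETIME:
            reasons.append("created more than 7 days ago")
        if tok["expires_at"] is None:
            reasons.append("no expiry date")
        elif date.fromisoformat(tok["expires_at"]) - today > MAX_LIFETIME:
            reasons.append("expires more than 7 days from now")
        # The "api" scope allows writes, and those writes would be
        # displayed as the impersonated user, not as the admin.
        if reasons and "api" in tok["scopes"]:
            reasons.append(f"api scope: writes appear as user {tok['user_id']}")
        if reasons:
            findings[tok["id"]] = reasons
    return findings


if __name__ == "__main__":
    for token_id, why in audit_impersonation_tokens(SAMPLE_TOKENS, date(2024, 1, 11)).items():
        print(token_id, "; ".join(why))
```
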