For an overview, see GitLab's documentation of the types of tokens.
Use a Personal Access token to connect from your workstation to GitLab. The token is unique to you and can provide access to the same resources you can access in the web interface. Personal Access tokens are a user credential, just like a password.
See DoIT Shared Tools - GitLab - Setting up remote repositories for how to set up your Personal Access token.
Deploy tokens and Project Access tokens are best suited for tasks that need to connect to GitLab but should not be associated with an individual staff member. Frequently, this would be an automated task, like performing a scheduled git pull of changes from a remote repository in GitLab. Deploy and Project Access tokens are similar to a shared login or machine login credential.
All tokens should be scoped to only the access level they need, and they should have an expiration date. The expiration date you select depends on what interval you feel won't be too disruptive.
Wherever possible, tokens should not be stored in plain text but integrated into the local machine's encrypted credential storage.
Project Access and Deploy tokens can be useful in automated processes run with GitLabCI. However, tokens should never be hard-coded into a script or committed to a GitLab repository. To securely use a token as part of a GitLabCI process, store the token as a GitLab variable, and mask the variable, so that the token value isn't displayed in logs. Then write your .gitlab-ci.yml file, so that GitLab injects the token value into the process when it's needed.
You can access your project repositories in GitLab via SSH key, which can be very useful (for setup instructions, see DoIT Shared Tools - GitLab - Setting up remote repositories). However, SSH key access has limitations that tokens do not have. You cannot access the GitLab API or registry via SSH key. In addition you can only connect via SSH to a project in DoIT's GitLab instance from an on-campus IP address. Users working off-campus must log into the WiscVPN (WiscVPN (uwmadison.vpn.wisc.edu) - Getting Started) before they can connect with SSH.
GitLab also provides Deploy keys, which serve a similar purpose to Deploy tokens but are SSH key-based. Like personal workstation SSH keys, Deploy keys have the same limitations as personal workstation SSH keys mentioned above.
