diff --git a/raystack/frontier/v1beta1/frontier.proto b/raystack/frontier/v1beta1/frontier.proto
index e2f26dca..40f88c6b 100644
--- a/raystack/frontier/v1beta1/frontier.proto
+++ b/raystack/frontier/v1beta1/frontier.proto
@@ -1887,6 +1887,9 @@ service FrontierService {
 
   // Audit Records
   rpc CreateAuditRecord(CreateAuditRecordRequest) returns (CreateAuditRecordResponse) {}
+
+  // Personal Access Token
+  rpc CreateCurrentUserPAT(CreateCurrentUserPATRequest) returns (CreateCurrentUserPATResponse) {}
 }
 
 // Billing
@@ -4256,3 +4259,29 @@ message CreateAuditRecordRequest {
 message CreateAuditRecordResponse {
   AuditRecord audit_record = 1;
 }
+
+message CreateCurrentUserPATRequest {
+  // Human-friendly display name, unique per user per org
+  string title = 1 [
+    (validate.rules).string.min_len = 1,
+    (google.api.field_behavior) = REQUIRED
+  ];
+  string org_id = 2 [
+    (validate.rules).string.uuid = true,
+    (google.api.field_behavior) = REQUIRED
+  ];
+  // Role ids to scope the PAT to
+  repeated string role_ids = 3 [
+    (google.api.field_behavior) = REQUIRED,
+    (validate.rules).repeated = {min_items: 1},
+    (validate.rules).repeated.items.string.uuid = true
+  ];
+  // For project-scoped roles: empty = all projects, non-empty = specific projects
+  repeated string project_ids = 4 [(validate.rules).repeated.items.string.uuid = true];
+  google.protobuf.Timestamp expires_at = 5 [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.Struct metadata = 6;
+}
+
+message CreateCurrentUserPATResponse {
+  PAT pat = 1;
+}
diff --git a/raystack/frontier/v1beta1/models.proto b/raystack/frontier/v1beta1/models.proto
index 53b146d8..bdd6b89d 100644
--- a/raystack/frontier/v1beta1/models.proto
+++ b/raystack/frontier/v1beta1/models.proto
@@ -439,6 +439,48 @@ message ServiceUserToken {
   }];
 }
 
+message PAT {
+  string id = 1;
+  string title = 2;
+  string user_id = 3;
+  string org_id = 4;
+
+  // token will only be returned once as part of the create process
+  // this value is never persisted in the system so if lost, can't be recovered
+  string token = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  google.protobuf.Timestamp expires_at = 10 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+    description: "The time when the PAT expires.",
+    example: "\"2024-06-07T05:39:56.961Z\""
+  }];
+
+  google.protobuf.Timestamp last_used_at = 11 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The time when the PAT was last used.",
+      example: "\"2024-06-07T05:39:56.961Z\""
+    },
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
+
+  google.protobuf.Timestamp created_at = 12 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The time when the PAT was created.",
+      example: "\"2023-06-07T05:39:56.961Z\""
+    },
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
+
+  google.protobuf.Timestamp updated_at = 13 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The time when the PAT was last updated.",
+      example: "\"2023-06-07T05:39:56.961Z\""
+    },
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
+
+  google.protobuf.Struct metadata = 20;
+}
+
 // JSON Web Key as specified in RFC 7517
 message JSONWebKey {
   // Key Type.