Service Accounts

Understand API-managed service-account principals.

Service-account principals are machine identities for backend services, scripts, and integrations.

The current tenant console exposes API-key principals under Access > API Keys. Service-account principals and service-account secrets are managed through the IAM API.

Use service-account principals only when your integration is built for that principal type. For dashboard-managed machine access, use API Tokens.

API-Managed Lifecycle

The IAM API supports service-account principals as a principal type:

POST /iam/principals

Set the principal type to ServiceAccount when creating the principal.

Service-account secrets can be rotated through:

POST /iam/principals/{principalId}/service-account-secrets/rotate

The rotation request can create a new secret and optionally revoke the previous secret.

Secrets can be revoked through:

DELETE /iam/principals/{principalId}/service-account-secrets/{secretId}
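
A staged rotation built on the rotate and revoke endpoints above, shown as an added example that is not part of this documentation or the product's own code: it issues a new secret without revoking the previous one, checks that the new secret works, and only then revokes the old one, so a failed rollout never leaves the integration without a valid secret. The `revokePrevious` request field, the `secretId` and `secret` response fields, the `send` and `verify` callables, and the `FakeIam` stand-in are assumptions made for illustration.

```python
# Added example: staged rotation against the two secret endpoints documented above.
# ASSUMED (not from the page): the "revokePrevious" request field, the
# "secretId"/"secret" response fields, and the send()/verify() callables.

def rotate_staged(send, principal_id, old_secret_id, verify):
    """Issue a new secret, prove it works, then revoke the old one.

    send(method, path, body) -> dict performs the HTTP call.
    verify(secret) -> bool checks that the integration authenticates with it.
    Returns the new secret's id; raises if the new secret cannot be verified."""
    base = f"/iam/principals/{principal_id}/service-account-secrets"
    # Step 1: create the new secret but keep the previous one valid for now.
    issued = send("POST", f"{base}/rotate", {"revokePrevious": False})
    new_id, new_secret = issued["secretId"], issued["secret"]
    if not verify(new_secret):
        # Roll back: drop the unverified secret, leave the old one in service.
        send("DELETE", f"{base}/{new_id}", None)
        raise RuntimeError("new secret failed verification; old secret kept")
    # Step 2: the new secret works, so the old one can be revoked.
    send("DELETE", f"{base}/{old_secret_id}", None)
    return new_id


class FakeIam:
    """Constructed in-memory stand-in for the IAM API so the example runs offline."""

    def __init__(self, principal_id, active_ids):
        self.base = f"/iam/principals/{principal_id}/service-account-secrets"
        self.active = set(active_ids)
        self.counter = 0

    def send(self, method, path, body):
        if method == "POST" and path == f"{self.base}/rotate":
            self.counter += 1
            new_id = f"sec-new-{self.counter}"
            if body.get("revokePrevious"):
                self.active.clear()
            self.active.add(new_id)
            return {"secretId": new_id, "secret": f"constructed-value-{self.counter}"}
        if method == "DELETE" and path.startswith(self.base + "/"):
            self.active.discard(path.rsplit("/", 1)[1])
            return {}
        raise ValueError(f"unexpected call: {method} {path}")


def demo():
    iam = FakeIam("p-123", ["sec-old"])
    new_id = rotate_staged(iam.send, "p-123", "sec-old", verify=lambda s: True)
    return new_id, sorted(iam.active)
```

In a real integration, `send` would wrap an authenticated HTTPS client and `verify` would make one low-privilege call with the new secret; neither should log the secret value.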

Access Model

Service-account principals use IAM assignments like other principals. Assign only the roles or permissions required for the integration.

Keep service-account secret material server-side. Do not expose it in browser code, mobile apps, public repositories, or customer-visible examples.