Service accounts

When to use a service account

Create and configure

1. 1

   Create the account

   Settings → Service accounts → + New service account. Give it a clear name like "support-bot-prod" and a description that names the owning team.
2. 2

   Assign a role

   Pick a built-in or custom role. Least privilege wins — most service accounts need execute and read only, not write or delete.
3. 3

   Generate an API key

   From the service account page, click + New key. Copy the value once. Each service account can own multiple keys so you can rotate without downtime.

Rotate and revoke

1. 1

   Rotate a key

   Generate a second key, deploy it to the consumer, verify traffic on the new key, then revoke the old key from the same page.
2. 2

   Revoke the entire service account

   Open the service account menu and click Revoke. Every key it owns stops working instantly, and the principal is marked inactive in audit logs.

Frequently asked questions

How is a service account different from an API key tied to a user?

Service accounts are independent principals. They appear in audit logs as themselves, survive user removal, and can own multiple keys. User-owned keys disappear when the user is removed.

Can a service account have multiple keys?

Yes. Multiple keys per service account make rotation seamless — issue a new key, switch consumers, revoke the old one without downtime.

What role should I give a service account?

Least privilege. A typical backend integration only needs execute and read. Avoid Admin-level service accounts unless the workload genuinely requires settings changes.

Do service accounts count toward seat limits?

No. Only human users count toward seats. You can create as many service accounts as your workspace needs.

Related