Service accounts
Prelude
A Service account is a special type of API key intended to represent a non-human user that needs to authenticate and be authorized for scenarios such as secrets scanning in CI pipelines or batch processing open incidents.
Please note that service accounts are only available for workspaces under our Business plan.
Creating a service account
Only workspace Managers are allowed to manage service accounts.
- Go to the Service accounts page in the API section of your workspace. Click on
Create service account. - Name your service account according to its use-case (for example
<Service Name>-<Environment>) - Set an expiry date for your token (in 1 week, 1 month, 3 months, 6 months, 1 year, or never). If an expiry date is set, all the Managers of the workspace will receive an email notification 5 days before expiration.
- Choose one or several scopes for your service account.
- Click on
Create service account
Make sure you copy the service account, it will no longer be visible to you in the future.

The service accounts of your workspace are visible and can be managed here by workspace Managers of workspaces under our Business plan.

Revoking a service account
A service account token can be revoked from the Service accounts page by a workspace Manager, or through the Public API by another token holding the api_tokens:write scope.
A service account token cannot revoke itself. Since a service account token can be shared across several deployments, letting it self-revoke would break every deployment using it. Attempting to do so (for example via ggshield auth logout) is refused with a 403 error.