
Service accounts

Prelude

A service account is a special type of API key that represents a non-human user that needs to authenticate and be authorized, for scenarios such as secrets scanning in CI pipelines or batch processing of open incidents.

Please note that service accounts are only available for workspaces under our Business plan.

Creating a service account

Only workspace Managers are allowed to manage service accounts.

  1. Go to the Service accounts page in the API section of your workspace. Click on Create service account.
  2. Name your service account according to its use case (for example <Service Name>-<Environment>).
  3. Set an expiry date for your token (in 1 week, 1 month, 3 months, 6 months, 1 year, or never). If an expiry date is set, all the Managers of the workspace will receive an email notification 5 days before expiration.
  4. Choose one or several scopes for your service account.
  5. Click on Create service account.

Make sure you copy the service account; it will no longer be visible to you in the future.


Workspace Managers of workspaces under our Business plan can view and manage the service accounts of their workspace here.


Revoking a service account

A service account token can be revoked from the Service accounts page by a workspace Manager, or through the Public API by another token holding the api_tokens:write scope.

A service account token cannot revoke itself. Since a service account token can be shared across several deployments, letting it self-revoke would break every deployment using it. Attempting to do so (for example via ggshield auth logout) is refused with a 403 error.
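The settings chosen at creation (name, expiry, scopes) can be reviewed periodically. The following is an added example, not part of the original documentation or the product's own code: it audits a constructed inventory for names that do not follow the <Service Name>-<Environment> pattern, tokens that never expire, tokens inside the 5-day notification window, and tokens holding api_tokens:write. The record fields, sample scopes other than api_tokens:write, and function names are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed inventory. Field names are hypothetical, not a product export format.
ACCOUNTS = [
    {"name": "scanner-prod", "expires": None, "scopes": ["scan"]},
    {"name": "incident batch", "expires": date(2025, 6, 3),
     "scopes": ["incidents:read", "api_tokens:write"]},
    {"name": "billing-staging", "expires": date(2025, 9, 1), "scopes": ["scan"]},
]

# <Service Name>-<Environment>: at least two hyphen-separated parts, no whitespace.
NAME_RE = re.compile(r"^[\w.]+(-[\w.]+)+$")
NOTICE_WINDOW = timedelta(days=5)   # Managers are emailed 5 days before expiration
REVOKE_SCOPE = "api_tokens:write"   # scope that allows revoking other tokens


def audit(accounts, today):
    """Return {account name: [finding, ...]} for accounts that need review."""
    findings = {}
    for acct in accounts:
        issues = []
        if not NAME_RE.match(acct["name"]):
            issues.append("name-convention")
        if acct["expires"] is None:
            issues.append("never-expires")
        elif acct["expires"] < today:
            issues.append("expired")
        elif acct["expires"] - today <= NOTICE_WINDOW:
            issues.append("expires-soon")
        if REVOKE_SCOPE in acct["scopes"]:
            issues.append("can-revoke-other-tokens")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, date(2025, 6, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```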